red pill blue pill

Choose effective security over incident response

You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in wonderland, and I show you how deep the rabbit hole goes.
~Morpheus

This quote from The Matrix sort of sums up the choice companies face when it comes to security. If you take the blue pill–opting to save a few dollars rather than investing in effective security–you just go on believing your network and data are secure despite reality to the contrary. If you take the red pill–implementing effective security to protect your network and data–you stop functioning under an illusion of false security and you learn how deep the rabbit hole goes.

The irony is that when it comes to cost it’s significantly less expensive to take the red pill and implement effective security in the first place. When you take the blue pill to “save” money up front you end up spending a lot more on incident response and recovery when your security fails you.

Security has come a long way over the past decade. It is still the red-headed step child of the business units but at least most organizations have some sort of CSO or CISO role in place and do a good job feigning support for security. Businesses that focus on squeaking by spending as little as possible on security, though, are bound to find out the hard way just how expensive a lack of security can be.

Organizations take security more seriously these days—thanks in large part to compliance mandates like SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard) and others. However, where the rubber meets the proverbial road security is still seen as a necessary expense to be minimized so that budget can be devoted to “more important” business functions that actually bring in revenue.

Compliance frameworks do an adequate job of elevating awareness of security concerns and even enforcing some sort of minimum baseline standard. The reality, though, is that being compliant and being secure are two different things. When the goal is to check the right boxes and pass a compliance audit rather than actually implementing effective security the organization still leaves itself exposed to significant risk.

What for? To try and save a few dollars? To spend as little as possible on security? Ask any company that has experienced a data breach or major malware attack and you will find fairly unanimous agreement that the cost of cleaning up after a security incident is significantly more expensive than the cost of implementing effective security measures proactively. After the security incident is mitigated these organizations generally end up investing in the security measures they should have in the first place.

One way to look at it is the way I view home improvement projects—for example replacing a water heater. The cost to hire someone may seem high, so I can try and do the project myself. Ultimately, though, I’m likely to screw it up resulting in significant water damage my house. In the end, I will still have to pay someone to come and do the job right, but now I also have the additional costs of my own time and effort messing it up and the extra cost to clean up my mess.

Read the complete post on the RSA Conference blog: Think Security Is Expensive? Insecurity Costs Much More.

1 thought on “Choose effective security over incident response”

  1. I have the impression that this goes around in circles. Initially it was about doing security properly, then we were told it’s impossible so we should focus on incident response instead. Now back to square one I presume.

Comments are closed.

Scroll to Top