Investing in Cyber Security – How Much Is Enough?
By Ian Harragan, Director at i-confidential
Whilst information security has been around for 50 years, it has grown most significantly in this century with the advance of the internet. In the last 10 years we have seen a consistent rise in hacking, denial of service attacks, and major data breaches.
Organisations have had to respond by investing heavily in people, processes, and technology. It is a challenge, however, to provide protection against these evolving threats, which use increasingly sophisticated techniques that can cause a wide variety of impacts.
A consequence of these developments is that costs may not get the right level of holistic focus. It is right to periodically revisit the economics of security by asking some key questions:
· Do we have effective and efficient processes?
· Do we hire people with the right skills, and in sufficient numbers?
· Do we use technologies that perform as required?
· Do we provide the right oversight for our third parties?
· Do we properly mitigate our security risks?
· Do we manage security productively?
The overarching, board-level question probably runs along the lines of, ‘How much is enough?’ Of course, it is easy to point at the cost if you get it wrong, be that financial, reputational, or regulatory.
But getting it wrong can also mean over-investing in some controls at the expense of others, and not necessarily focusing on your most important assets first.
It could be that you have multiple technologies that largely meet the same requirement, or key processes running without the right operational rigour. Duplication and inefficiency may have found their way, often insidiously, into many areas of your estate.
At i-confidential, we do not pretend to have all the answers, but we can use our wealth of skills and experience to provide some valuable insights into the challenges you might be facing.
How much is enough? Please feel free to get in touch so we can help you find out.