Don’t Shop Hungry for Security

Don’t Rush to Satisfy That Hunger Until You Can Be Sure of What You Need…

Pressure to make new investments in security can hit without warning these days. You can find yourself with a mandate to get more security because of a breach, a change in corporate priorities, or some painful event at a competitor or partner. If you find yourself in this situation, don’t let the pressure push you into irrational behavior. As the saying goes, don’t shop when you’re hungry. If you do, you’re likely to end up with things you don’t need. Instead, take your time, build your list, and know what you’re getting and why.

Here are three impulse buying mistakes to avoid that can actually undermine your security while simultaneously depleting your resources.

Buying Impulse #1: “I’ll buy this because something is better than nothing.”

When you have a real security problem that you can improve with attention and investment, taking the shortcut of doing something easy that is “better than nothing” puts you into a more dangerous position than you were before. Burning through an investment like that means you’re wasting valuable political capital, and when it comes time to invest in a solution that actually does solve the problem it will be even more difficult to justify the expense.

If you feel pretty good about your security before you are asked to invest more, then you have time to do the right thing. Make sure any investment you make will have the kind of impact that you think is most important to your goals.

Buying Impulse #2: “I’ll pile more protection on my high-value assets.”

When risk assessments are performed, the most important element is the characterization of your assets, their value, and the threats they face. The same critical resources, like servers, databases, and websites, are continually found to be of highest importance, so they are always prioritized for investment. In most organizations, this results in an uninterrupted flow of time and money to these assets, even though they are likely to be the best protected already.

Before you stumble down this well-worn path, take a moment to create an additional weighting factor such as the amount of protection already being applied. You will find that other assets, like departmental applications or the often-ignored user systems, present the most danger, in part due to this lack of attention. These kinds of assets get deprioritized, but remember, corrupted systems and uninformed users have the connections and credentials that weaken your other security investments.

Buying Impulse #3: “More information is always better, so I’ll collect some more.”

People believe that breaches are inevitable. As a result, there is a current emphasis on information gathering and analysis: Security Information and Event Management (SIEM) platforms, cloud-based analytics, anomaly detectors, and the list goes on. They are all focused on faster breach detection, new threat identification, and incident response. As very public breaches have shown, choosing to invest in more data will do very little to improve your security unless you can actually use it.

Make sure any new information gathering you do fits within processes you already use, and confirm you will be able to make sense of the type and volume of information that you are thinking of gathering. Passively gathering information may seem pretty innocuous, but more is not better when the “more” can drown you or expose you to liability when you miss alerts in the stream.

Shop Smart

Avoid these mistakes and the security bloat that they will create by filling up on your own requirements before you step out into the market. Spend a little time to create a list of options to choose from, and factor in the real appetite that your management will have for the actual implementation of the solutions you choose to consume.

Security sorely needs more investment in time and money. Don’t rush to satisfy that hunger until you can be sure of what you need.
