Management & Strategy

It’s Time to Democratize Security

A Seat at the Security Table Should Not be for Only the Elite and Largest of Businesses or Security Vendors

Have you ever been curious how energy efficient your home is?  I was curious recently, so I made a few phone calls and arranged to have a home energy assessment done.  After the assessment, I received a report documenting the various areas in which I could improve the energy efficiency of my home.  Along with areas for improvement, the report also included metrics around how much energy was wasted in each different area.  This allowed me to analyze the data and prioritize which improvements would provide the biggest efficiency return on investment.

Do you ever wake up tired and wonder if you simply didn’t sleep well?  I do from time to time, so I arranged to have a sleep assessment done.  When the assessment was complete, I was given a report detailing the various issues with my sleep cycle, along with suggestions on how to address those issues.  The report also included metrics around which issues were causing more or less tiredness.  That information allowed me to target a specific subset of the issues as a first step towards improving the quality of my sleep.

I could go on and on with these anecdotes, though you are probably asking yourselves by now what this has to do with information security.  As you may have guessed, that is precisely what I would like to focus on in the remainder of this piece.

You see, in each of the anecdotes above, I was faced with a status quo that I wasn’t happy with – a situation I wanted to improve.  In each case, I had an assessment done and received a detailed report of the results, complete with metrics and benchmarks.  That report contained hard facts and ground truth – not intuition and conjecture.  In both situations, I used the report to make data-driven decisions about which specific areas to target for improvement.

So what does this have to do with security?  Unfortunately, not as much as I would like it to.  Or at least, not yet.  What am I getting at here?  In both cases above, I was able to assess my standing objectively, identify gaps and areas for improvement, and use metrics and benchmarks to prioritize what I would address.  In other words, a regular person like myself (who is not a tycoon, celebrity, or politician) was able to have an assessment done and benefit from its results at a reasonable cost.  Why?  Because the fields of home energy efficiency and sleep studies have been democratized.  Regular, non-elite people can benefit from them.

Let’s transition and take a look at the field of information security.  Say I have a security program that I know needs improvement, and I want to know where it would be best to focus my efforts.  Or, perhaps I am subject to a regulatory requirement to undergo assessment quarterly or annually.  Or, perhaps I am ready to get serious about security but need help understanding exactly where to begin.


What do I do in each of these situations?  I need to have an assessment done, and I need to get my hands on some benchmark data and metrics.  So what’s the problem?  The problem is that in security, having an assessment done requires calling in a consulting company.  As you are likely aware, this is a labor-intensive process that results in a hefty price tag.  For large businesses that are sufficiently complex, consulting companies that specialize in assessments are the way to go.  Of course, not every organization is a large business.

Similarly, getting access to benchmark data and metrics is something that typically requires paying large sums of money to analyst firms or other types of organizations that guard this data tightly.  Unfortunately, these organizations are most often pay-for-play, which creates two fundamental issues:

1. The data is biased.  If I only include organizations that can afford to pay me, how can I possibly offer broad, holistic, unbiased data?

2. Non-elites are priced out.  If I charge thousands of dollars per report and tens or hundreds of thousands of dollars for membership, what chance do non-elite organizations have to participate?

Sounds dire for small and medium-sized businesses and start-up security vendors, doesn’t it?  The odds are certainly stacked against SMBs in the security realm.  How can SMBs that generally cannot afford the price tag of a consultant-driven assessment or high-priced benchmark data and metrics receive the same benefits?  How can SMBs gain access to hard facts and ground truth to drive decisions that improve their security postures and maximize their return on investment?  Unfortunately, there haven’t been a lot of great options here historically.

Until now that is.  The time has come to democratize security.  A seat at the security table should not be for only the elite and largest of businesses or security vendors.  Small and medium-sized businesses need a seat at the table as well.  Assessment should not be the exclusive domain of only those flush with cash.

As the famous quote, sometimes attributed to Sir Francis Bacon, aptly states, “knowledge is power.”  In security, knowledge means making more informed, educated decisions.  And that can only be accomplished when the right information is accessible to all.  Pay-for-play isn’t going to get SMB security maturity where it needs to be.  The time for affordable assessment for all organizations has come.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
