A Seat at the Security Table Should Not be for Only the Elite and Largest of Businesses or Security Vendors
Have you ever been curious how energy efficient your home is? I was curious recently, so I made a few phone calls and arranged to have a home energy assessment done. After the assessment, I received a report documenting the various areas in which I could improve the energy efficiency of my home. Along with areas for improvement, the report also included metrics around how much energy was wasted in each different area. This allowed me to analyze the data and prioritize which improvements would provide the biggest efficiency return on investment.
Do you ever wake up tired and wonder if you simply didn’t sleep well? I do from time to time, so I arranged to have a sleep assessment done. When the assessment was complete, I was given a report detailing the various issues with my sleep cycle, along with suggestions on how to address those issues. The report also included metrics around which issues were causing more or less tiredness. That information allowed me to target a specific subset of the issues as a first step towards improving the quality of my sleep.
I could go on and on with these anecdotes, though you are probably asking yourselves by now what this has to do with information security. As you may have guessed, that is precisely what I would like to focus on in the remainder of this piece.
You see, in each of the anecdotes above, I was faced with a status quo that I wasn’t happy with – a situation I wanted to improve. In each case, I had an assessment done and received a detailed report of the results, complete with metrics and benchmarks. That report contained hard facts and ground truth – not intuition and conjecture. In both situations, I used the report to make data-driven decisions about which specific areas to target for improvement.
So what does this have to do with security? Unfortunately, not as much as I would like it to. Or, at least not yet that is. What am I getting at here? In both cases above, I was able to assess my standing objectively, identify gaps and areas for improvement, and use metrics and benchmarks to prioritize what I would address. In other words, a regular person like myself (who is not a tycoon, celebrity, or politician), was able to have an assessment done and benefit from its results at a reasonable cost. Why? Because the areas of home energy efficiency and sleep studies have been democratized. Regular, non-elite people can benefit from them.
Let’s transition and take a look at the field of information security. Say I have a security program that I know needs improvement, and I want to know where it would be best to focus my efforts. Or, perhaps I am subject to a regulatory requirement to undergo assessment quarterly or annually. Or, perhaps I am ready to get serious about security but need help understanding exactly where to begin.
What do I do in each of these situations? I need to have an assessment done, and I need to get my hands on some benchmark data and metrics. So what’s the problem? The problem is that in security, having an assessment done requires calling in a consulting company. As you are likely aware, this is a labor-intensive process that results in a hefty price tag. For large businesses that are sufficiently complex, consulting companies that specialize in assessments are the way to go. Of course, not every organization is a large business.
Similarly, getting access to benchmark data and metrics is something that typically requires paying large sums of money to analyst firms or other types of organizations that guard this data tightly. Unfortunately, these organizations are most often pay-for-play, which creates two fundamental issues:
1. The data is biased. If I only include organizations that can afford to pay me, how can I possibly offer broad, holistic, unbiased data?
2. Non-elites are priced out. If I charge thousands of dollars per report and tens or hundreds of thousands of dollars for membership, what chance do non-elite organizations have to participate?
Sounds dire for small and medium-sized businesses and start-up security vendors, doesn’t it? The odds are certainly stacked against SMBs in the security realm, that is for sure. How can SMBs that generally cannot afford the price tag of a consultant-driven assessment or high-priced benchmark data and metrics receive the same benefits? How can SMBs gain access to hard facts and ground truth to drive decisions to improve their security postures and maximize their return on investment? Unfortunately, there haven’t been a lot of great options here historically.
Until now that is. The time has come to democratize security. A seat at the security table should not be for only the elite and largest of businesses or security vendors. Small and medium-sized businesses need a seat at the table as well. Assessment should not be the exclusive domain of only those flush with cash.
As the famous quote, sometimes attributed to Sir Francis Bacon aptly states, “knowledge is power.” In security, knowledge means making more informed, educated decisions. And that can only be accomplished when the right information is accessible to all. Pay-for-play isn’t going to get SMB security maturity where it needs to be. The time for affordable assessment for all organizations has come.