Stop Wasting Time & Money on Security
If you believe companies purchase security for altruistic reasons (e.g. privacy, safety, employee protection), this is the article for you. The purpose of this article is to help you save time and money by walking you through the decision-making criteria that purchasers of information security typically use, even if they don’t recognize those criteria themselves. I’ve had the privilege of talking with dozens of executive decision-makers responsible for buying information security in the past half year alone, not to mention over the course of my career, and these are the results I’ve compiled.
If you’re a prospective buyer and your reasons for purchase are in the “Red Flags” section below and not the “Go Criteria” section below, it may be worth considering whether you truly intend to make a purchase before putting together security requirements and talking with vendors. If you’re a seller and your buyers meet the “Red Flags”, you may be more effective and efficient by spending time selling to companies that meet the “Go Criteria”. They'll also pay you more.
Red Flags -- Buyers are not likely to make a purchase if they meet any of these criteria:
- The only reason for a purchase is value-based (e.g. privacy, safety, employee protection). Companies maximize profit, not your privacy or safety. Information security is a cost center. When push comes to shove (especially when times are lean, such as during a pandemic), other activities, especially revenue-generating activities, will be prioritized.
- IT is outsourced. Most companies consider infosec to be a subset of IT. Hence, if they outsource their IT, they expect infosec to be handled by the outsourced IT team.
- There are 3 or fewer dedicated IT staff. IT teams are generally overworked, so they’ll prioritize functionality over security, especially since security oftentimes makes the deployment of new functionality even harder.
- The total infosec budget is less than 5% of the total IT budget. It’s tough to secure an organization for less than 5% of the total IT budget. If the company doesn’t have enough funding to bring every device up to at least a basic level of security, then it’s a waste of money to build security at all because hackers and insider threats will first take advantage of the weakest link. 5% of the IT budget is the minimum to keep out opportunistic hackers and insider threats.
Go Criteria -- Buyers are much more likely to make a security purchase (regardless of who the purchase is from) if the buyers meet these criteria (from most to least compelling):
- There is a current known infosec incident taking place (e.g. ransomware, data loss, unauthorized monetary transfer).
- There is a direct tie between the security initiative and revenue-generating activity, assuming the revenue generated is more than the security cost. Here are examples of such activities: (i) The buyer has an important prospective customer who is requiring security before they’ll purchase. (ii) The security of the buyer’s products is a market differentiator, i.e. people are buying the company’s products because they have good security. (iii) There is sufficient public pressure (e.g. Zoom) that not building security may prevent future sales.
- They have a requirement to do so, whether it’s to meet legal, regulatory, or contractual obligations. If there are associated fines, that's an even better sign that security will be purchased. If the company’s head of legal is requiring it, then the company will almost certainly invest in security.
- There is a strategic company event taking place, like a merger, initial public offering, major investment, or acquisition. Oftentimes, investors will take the opportunity to enforce security in order to minimize risk.
- The company wishes to become certified or obtain a SOC 2 report. To achieve that goal, they need to improve their security.
- They have a Chief Information Security Officer, and he/she does not report to the Chief Information Officer (or equivalent). This means that the company considers security to be a company-wide issue and not an IT issue, and this is a good sign that the company invests in security.
- The primary decision-maker was part of a very significant infosec incident in the past, whether at that company or at a prior employer.
These are my findings after working with many companies on their information security programs. What have you found? (Please add thoughtful comments.)
About Author: Gary S. Chan is an independent technology consultant. Businesses hire Gary to solve time-sensitive and complex IT problems. He holds multiple security certifications, including a CISSP, ISSMP, CHISSP, and CFE, and a degree in Electrical Engineering & Computer Science from MIT. Contact Gary at consultant@alfizo.com.