Often, when I talk to security people, they tell me that if they had more budget and money available, the problem would be much smaller.
Now, I was in Qatar last week, one of the richest countries in my region. If you look at the GDP per capita (which is essentially the GDP per person), Qatar is at approx. $95'000 according to the International Monetary Fund. As a comparison, Switzerland is at approx. $64'000. There we had a pretty interesting discussion about money and security.
The event I was speaking at was opened by several short speeches. One person (an IT manager) stood up and told a good story, which – from my point of view – illustrates the problem. He started by explaining his situation. He had all the technology in place: firewalls, anti-malware software, IPS/IDS, etc., and he felt absolutely safe. Then a guy came along, talked to him and showed him within minutes that he could be hacked without a lot of effort. From then on, he realized that he did not have the processes, organization and culture in place. His statement was that after starting a project on that and beginning to change, he was probably 50% better, which already meant a big improvement.
I was then asked several times: how much do I have to invest in security? What exactly do I have to do? Where and how do I have to start?
So, what does that tell us?
- You cannot buy security (nothing new, eh?). Security by hardware/software alone does not work.
- It is – again – about people, process, technology, and partnerships.
- Security has to be adapted/tailored to each and every situation/organization.
- We have to be clearer about what has to be done. At a lot of events I hear that "you have to do Risk Management" or similar, but we do not give good guidance on what to do (unless you pay for our services).
Money helps to drive security, but at the end of the day it has to be part of the company's culture.