Too Much of a Good Thing
At Pythia Cyber, we advocate the appropriate amount of cybersecurity. Not the most possible. Not all the cybersecurity. The appropriate amount.
We all can imagine what happens if you have too little cybersecurity: you get hacked or suffer a system failure, and you lose money in productivity, in ransom, or in liability for lost or altered data. That is all bad, in obvious and well-defined ways. But how can you have too much cybersecurity?
You can tell that you have too much cybersecurity when you have either of two problems: your cybersecurity is an excessive impediment to getting work done, or you are spending more than you need to spend in order to be safe enough.
What is an "excessive" impediment to getting work done? After all, pretty much all cybersecurity is an impediment to getting work done in some way or another. An excessive impediment is an impediment that either does not add any real safety or does not allow you to do your work at all.
For example, one of our founders is still working part-time as a vendor to corporate IT, as a way of staying current. In that capacity, he recently found that one of his clients had upgraded their remote access technology and policy. The technology upgrade was fine, but the policy upgrade was a real problem. He wanted to remotely access the client's systems daily, to confirm normal operation, which the old remote access technology allowed. The new technology requires a trouble ticket as part of authentication, on the assumption that all remote access is in response to an internal request for support. The new technology + policy combination does not support routine monitoring. Instead, the internal users would have to put in a daily trouble ticket (including weekends and holidays), which would have to be processed before he could use that ticket to gain access. This is too big a mountain for the users to climb, especially on a daily basis, so the new remote access method precludes this kind of monitoring. Every problem will now be a surprise, requiring the users to put in a trouble ticket and then send an email requesting help.
Why monitor systems daily? So many reasons; for instance, read this post. To name a few: making sure that your password is current, that your remote access tools are up to date and working, and that if you get a support call you can get right to the support, instead of beginning the process of confirming that you still have remote access.
What is the benefit of this new technology + policy? We don't know, exactly. Was there something wrong with the industry-standard previous technology + policy? Presumably. Is dropping monitoring a reasonable price to pay for whatever safety upgrade was achieved? Perhaps. But it seems unlikely.
How do you know if you are spending more than you need to on cybersecurity? You know if you have established effective oversight and can do the cost:benefit analysis because you have both the cost (what the finance department says you spend) and the benefit (what the cybersecurity people have presented to you as evidence of their effectiveness). If you pay more but do not get more, then you have a problem.
If you do not have a handle on the benefits of your cybersecurity program, we can help you bridge that gap. We shepherd you on the journey toward getting evidence you can understand from your cybersecurity program, and toward producing evidence your management can understand as a routine part of your cybersecurity operations.