Is your organization spending too much on security? Too little? What should you be doing differently to protect your organization’s IT assets?

The answer to these questions is simple: Don’t be a turkey.

“A turkey is fed for 1,000 days by a butcher, and every day confirms to the turkey and the turkey’s risk management department and the turkey’s analytical department that the butcher loves turkeys, and every day brings more confidence to the statement. But on day 1,001 there will be a surprise for the turkey.” – Nassim Taleb, from Antifragile: Things That Gain From Disorder

Organizations of every type struggle with correctly allocating resources toward IT security. For business leaders, IT security is often perceived as a wishing well – just throw money in and hope for the best. Sometimes this perspective is even cultivated by IT leaders who are not able to quantify the value of IT security or how to evaluate whether security efforts are actually working to protect the organization. This perspective often leads to the business eventually starving IT for resources because it perceives the technology department as a cost center that can’t justify itself.

How leaders of both IT and the business respond to this state of affairs is what marks those businesses either as turkeys just waiting for the butcher, or as free birds. We propose three steps to avoid being an IT security turkey.

Step 1: Separate your spending on security and other IT

The first step is to embrace the idea that spending on IT security is not the same as spending on other IT initiatives. Businesses that look at all IT spending as a single, homogeneous outlay need to be brought into the 21st century. Just as we don’t look at investments in the same way as insurance, money spent to enable the business to do things faster, better and more efficiently should not be lumped together (mentally or operationally) with money spent to identify, mitigate, avoid, transfer or accept risks. When we do this, we most likely end up misallocating our resources – especially in a resource-constrained environment (unless we are also doing a good job at step 3, below). As organizations allocate their IT spend, leaders need to ensure that they are thinking about and justifying IT investments in a different way than IT risk spending. In some organizations, it may even make sense to segregate the security function from the rest of the IT organization in order to make this easier to do.

Step 2: Develop a healthy sense of paranoia about IT security

The second step that organizations can take to avoid the butcher with regard to IT security is to cultivate a healthy amount of IT security paranoia – everything is not going to be okay unless you do something about it! If you are reading this then you probably at least have IT security on your radar. You have to fight the urge to become complacent about IT security because it appears to be complex, expensive, and hard work. It can be all of those things, but leaders don’t shy away from a challenge. An organization that values security and truly embraces a defense-in-depth strategy is driven from the top down. If you are an executive, this means you! If you don’t prioritize it, who will? If you are not at the top, what can you do to establish a defense-in-depth approach and a security culture? You’ll have to work to find executive sponsorship to drive this approach and culture throughout the organization (scare tactics can be very effective to demonstrate this point). Finally, if your IT security team is not filled with some of the most paranoid individuals in your organization, then maybe you need to rethink how you fill these roles.

Step 3: Assess your IT security risks often, from inside and out

The final step to avoid being an IT security turkey is to regularly assess your IT security risk. If your organization has never performed an IT security risk assessment, then you don’t have a sound basis to judge whether your organization is spending too much or too little, or even prioritizing IT security initiatives correctly. If you have up-to-date skills in-house to self-assess your security risk but haven’t done it yet, there’s no better time than the present to get it done! If you don’t have these skills, or if you or your security team are totally swamped with other initiatives (very common), this doesn’t exempt you from your responsibility to perform your due diligence. In such cases, you should think seriously about carving out some budget and hiring a third party to assist you in performing an IT security risk assessment. Third-party organizations also have the benefit of witnessing the newest attack methods (in the wild), and a fresh outside perspective that you may not necessarily have internally. It is a common best practice to rotate between internal and external assessments on a three-year cycle: two years of internal audit, and one year of external assessment.

Unfortunately, in cases where individuals are having trouble getting executive sponsorship for security, management will sometimes listen to an outsider more readily than to their own staff. In these cases, risk assessments can also be used to generate a healthy dose of fear to help prod complacent (turkey) management teams off the “X” (out from under the butcher’s knife) and into taking IT security more seriously.

In our experience at Sirius, if you and your organization are able to apply the three steps above, you’ll be much more likely to avoid the turkey’s fate when your IT security is tested.

Sirius security consultants assist our clients by first understanding each organization’s unique information security requirements, and then applying our industry standards-based assessment methodology to identify potential security control gaps. This approach allows our team to make informed and vendor-agnostic recommendations about potential risk mitigation strategies, security controls and priorities.
