Are You Spending Too Much or Too Little on Security?
Canon Information Security Director Quentyn Taylor on Measuring How Much Is 'Enough'How do you know whether your organization has invested enough money and time in security? As director of information security for Canon EMEA, Quentyn Taylor is often asked this question. "I'll be honest with you - just to set some expectations here, I don't have the correct answer," he admits.
See Also: The Gorilla Guide to Modern Data Protection
Taylor recommends that you ask your senior stakeholders, "What do you expect?" and then add, "I can't stop everything." He says it is the security leader's responsibility to educate key stakeholders "who are signing off on all your money, and to say, 'I can't stop everything, and neither should I stop everything.'"
"If I stop everything and try and reduce risk down to zero, which is impossible, then I'm also going to throw away huge amounts of opportunity that you're just not going to be able to use to be able to realize revenue," Taylor says,
When it comes to securing the supply chain and working with partners, Taylor advises, "make sure that you apply an appropriate level of control" and are prepared to answer these questions: "What's the value of the assets we have down here? How much money do we spend with them? How quickly can we change away from them?"
In this video interview with Information Security Media Group, Taylor discusses:
- How to gauge whether your organization has invested enough in security;
- Why benchmarking against peers is not the answer;
- Why the information security community must help organizations that are "below the InfoSec poverty line."
Taylor is director of information security for Europe, the Middle East and Africa at Canon, an imaging equipment and information systems provider. Before joining Canon, he worked in a variety of businesses, including internet service providers and startups.