How should your company think about investing in security?

Like many things in life, with the security of your company’s application, you get what you pay for. You can spend too little, too much or just right.

To find the right balance, consider Goldilocks: she goes for a walk in the woods and comes upon a house. In the house, she finds three bowls of porridge. The first is too hot, the second is too cold, but the third is just right.

Goldilocks is the master of figuring out “just right.” To determine the appropriate security budget for your company, you need to be, too.

How much security effort is too much?

First, let’s explore the idea of overinvesting in security. How much is too much?

At a certain point with security, you start to see diminishing returns: issues still appear, but more rarely. Security is never really “done,” so it’s tricky knowing when to move on. There’s always more to do, more to find, more to fix. Knowing when to wrap up depends on your threat model, risk appetite and your unique circumstances.

However, your company probably isn’t in this category. Almost nobody is. You certainly can get there, but you’re likely not there now. The takeaway is

Read More: https://resources.infosecinstitute.com/topic/how-should-your-company-think-about-investing-in-security/