Everyone loves shiny new toys

Back when they were commonplace, I recall going into my local bait and tackle store and seeing a display of fishing lures on the counter touting some super power or other that would almost guarantee you’d catch more fish. I asked Steve, the shop owner, whom I’d known for some years, for his opinion, and his reply has remained with me ever since.

“You know what Simon, some lures are designed to catch fish, others are designed to catch fishermen. This one is designed to catch fishermen.”

This advice has served me well in the many intervening years, across many different sets of products. 

In the last few years, with cyber security becoming a concern at all levels of business, I am observing far too many decision makers failing to fully consider whether their security expenditure is the most suitable for their organisation.

There are a number of broad questions that should be asked of any security investment, cyber or otherwise, that will assist in evaluating the expenditure.

What problem does it solve or what risk does it mitigate for my organisation? 

In the physical security world, we’d find it laughable to deploy a team of Gurkhas, SEALs, and SAS soldiers to stop kids sneaking alcohol into a party. The same principle applies in cyber security: just because a product solves a problem, is it a problem that you need to solve? If you’re not a target for state sponsored hackers, then maybe an APT detection product isn’t the best solution for you.

Across the spectrum of risks that my organisation faces, does this address a high priority risk or a low priority risk?

Similar to the previous question: is this the best, or at least a good, use of my organisation’s resources? Start with the basics. Ensure you have systems and processes in place for patching, identity and access management, encryption, data classification, perimeter security, etc. If you have internet connected devices with default credentials or known vulnerabilities, then maybe you should address this before you worry about real time network forensics.

Can I do something with the output that this solution provides?

There’s a world of difference between information and intelligence. If a solution gives you information that you don’t have the ability to act on, does it add any value? Once you know someone from China or Russia has logged into your systems, do you have the ability to assess whether it is genuine or malicious, and then block or remove them if it is malicious?

What am I protecting, and why?

Your systems, your processes, and your information all have a value to your organisation. How much of that value does the solution you are considering protect? A solution that prevents your manufacturing systems going offline for days or weeks may protect a great deal of value, whereas data leakage prevention for information that’s already available from your public facing web site protects rather less.

How does this fit in with my overall security strategy?

As an organisation’s security posture matures (and ideally from the outset), there should be a security strategy that identifies risks, priorities, and opportunities in the business context. Does this solution align with that strategy and assist in progressing it?

Will it integrate with my existing tool set?

If you already have security tools and systems in place, the ability to integrate a new solution into your existing environment is an important consideration. If a product is going to produce a disparate set of notifications that reduce the likelihood of them being actioned correctly, is there a product that will integrate better, or has the cost of integration been allowed for?

How will it be supported?

It’s all well and good to have the latest, greatest products; however, technology requires support, maintenance, and updates in order to remain effective. Has support, both its availability and its expense, been evaluated as part of the product assessment? What is the product support lifecycle, and will it be adequately supported for as long as you are expecting it to be in use?

There are of course all the other questions to ask, as should be the case with any expenditure, such as “Can I afford it?” and “Is this the right vendor?”

So, next time you’re preparing to spend your hard-earned cash on a security solution, just remember to question whether they are fishing for fish or fishing for fishermen.


If you would like some assistance improving your cyber security get in touch with us today.


Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak  

This article was first published in Issue 6 of Australian CyberSecurity Magazine.