I’ve travelled all over the internet, I’ve worked with logs of organisations from banks through to small ISVs, and one thing I would say is fairly universally true: what can be isn’t what is.

There are a lot of different operating models and technologies in the world. There are lots of different specifics. This diagram here is not meant as a reference architecture but more as an indicator.

There is also a massive reality people must understand: cyber good most definitely costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in my mind is too hard to measure. One org with cyber bad can experience a significant breach (and cost) and another may have lady luck on their side.

When we think about cyber security TCO and ROI, if we do so just in isolation with a view on simply “RISK”, we are missing part of the TCO and ROI picture.

Security is a property, much like efficacy, quality, durability, resilience, safety and value.

Without viewing security investment holistically, making governance decisions (or simply financial ones) is being left to either a warped view of the world (FUD works here) which focuses less on business value and more on doomsday scenarios (or the inverse).

What organisational leaders need to realise is that security can’t be managed in isolation. When you silo security out of the business value position you don’t get the whole picture, and neither do your security advisors.

The key here is to find the right balance in alignment with legal, regulatory, market and organisational objectives (and constraints).

I can say this however: if your estate is covered in cyber bad… at some point the “cyber reaper” (lulz) will probably come knocking (history is showing us this!) and the tides are changing. The wild wide west of MSPs and poor security postures is likely going to come under pressure from governments, lawmakers and the market (customers and business partners). If your business is heading for some form of “cyber good” it’s going to be left behind. (And a friend has rightly said the insurance market is going to be playing a part now they have/are adjusting their pay out positions – thanks Gavin Ashton)