The Best Information Security Investment? Dinner
Security costs can skyrocket but some small investments can yield long-term benefits.
By: Rob Lelewski
One of the benefits of my position at Secureworks® is access to the C-Suites of organizations from a variety of different industries during my consulting engagements. This affords me the ability to pick up useful bits of direct "in-the-trenches" information regarding what is working and – perhaps more important – what isn't working in organizations concerning information security.
One of my favorite questions to ask is, "What has been your most valuable information security investment?"
The question typically elicits a variety of answers: a recent investment in a SIEM, a new software package, strategic investments in personnel such as a new hire or specialized training, a strategic phishing campaign, or a recent penetration test that enabled them to nip a threat in the bud.
Recently, I asked the CISO for a financial institution my favorite question and I received an unexpected response: "Dinner. The best line-item in my budget is $4,000 earmarked for dinners."
Befuddled, I asked her to explain.
"Every year, I make sure to take out the agents from the local FBI field office for the best steak in town. Last year, when I needed to chat with someone from law enforcement about a concern, I had a relationship built and am not calling the general contact number." She then went on to provide examples of how she made sure to get to know other CISOs in the region. Last year, when another CISO was facing a mutual security challenge, the trust they had built paid dividends by enabling peers to collaborate on possible solutions to benefit both organizations.
From my perspective, organizations often overlook the value of developing professional relationships with colleagues outside of their organization. This happens for a variety of reasons, ranging from the time needed to develop these relationships to the stigma of discussing failures and challenges. As I'm sure many of you reading this may have experienced, having a friend with just the right expertise, especially during a time of crisis, is immensely helpful.
We all know that the cost of security can add up; however, we frequently forget that external and internal relationships pay dividends both in a time of need and as everyday challenges are confronted. It's all too easy to become siloed. Information security is a team sport, and we're all in this together.
Go make a friend; invite someone to dinner.