How much security do you need?

A $30 Casio watch taught me the balance of security. How much security do you need? Just enough. Just enough means knowing critical business functions and assets, identifying threats, realising risks, and implementing security controls. Not more. Not less. I learnt about the phrase “just enough” from Luke Ahmed while studying for his CISSP course. Since then, it has become a metaphor. I apply “just enough” to many aspects of my personal and professional life. How much money, food, or fame do you need? Just enough. I visited Japan last year. I was in Akihabara, Tokyo, browsing watches in one of the electronic stores. A group of Indians were discussing buying a Casio watch. It grabbed my attention when one said, “President Barack Obama wears this watch.” That sold me. I bought that Casio watch. It cost me about $30. A question occurred to me while I was paying a bill. “How much do you need to spend to know the correct time?” The answer was just enough. Security works the same way. You don’t need a toy watch that only shows one fixed time. But you don’t need a $50,000 Rolex. You need a $30 Casio that displays the accurate time. Just enough. I’ve worked for a large organisation that continually purchased various security solutions for URL filtering, analytics, data loss prevention, and DDoS attacks. The result was a duplication of vendor products. The business had to allocate a separate budget to consolidate products because they were paying double license fees to achieve the same results. The “just enough” idea helps to focus on what matters. It helps to clarify what’s necessary rather than what’s fancy. I also extend the idea of “just enough” to ask another question. How many cybersecurity certifications do you need? Just enough to enhance your perception so that you can challenge yourself, talk about security and help your company and stakeholders. The concept of “just enough” strikes a balance between work and life. Lastly, how many people do I expect to read this story? Just enough 🙂 In my CISSP world, every concept is a story, an art piece, or a visual representation. Join the CISSP As An Art (CaaART) tribe, the first visual-only CISSP course.