I came across this article comparing federal IT spending to “fixie” bikes. The author suggests you can accomplish about 85% of what is really needed for around 10% of a project’s cost. Of course Pareto’s Principle comes to mind here, where “roughly 80% of the effects come from 20% of the causes.” Applied to large bureaucratic organizations: how much time and how many resources do we waste on causes (i.e., our hard work) that have minimal effects? Probably 80%, but the hard part is determining the right 20% of causes to focus on. In hindsight this is easy, so it works well for similar or recurring projects like the fixie builds and the federal IT projects in the fixie story.
So how does this fixie idea relate to information security? As many with a few years in the security industry will attest, projects and operations come in all shapes and sizes, but there seem to be some fairly standard security requirements along with some basic tactics for achieving them. From a preventative perspective the ASD (Australian Signals Directorate) has probably done the best job of showing the 20% to focus on. Complementing ASD’s preventative strategies is security monitoring, specifically detecting and responding to attacks. Whether you are deciding which logs to feed into your SIEM or which events to analyze, a little statistical analysis can lead to the right 20% to focus on for your organization.
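One concrete form that statistical analysis can take is a Pareto cut over event volume. The script below is an added example written for this post, not code from the original article, from ASD, or from any SIEM vendor. It assumes a simple `<timestamp> <host> <event_type>` line format and builds its sample from a constructed tally (not real telemetry); it ranks (host, event) pairs by count and splits them into the few categories that make up 80% of the volume and the long tail of everything else.

```python
"""Pareto cut over log event volume (added example, constructed data).

Which few (host, event) pairs produce most of the noise, and which rare
events are left in the tail? The line format below is an assumption
standing in for whatever your SIEM actually parses.
"""
from collections import Counter
import re

# Constructed tally (not real telemetry): how often each (host, event) pair
# appears in the sample window. Log lines are generated from it so the parser
# has real text to work on.
CONSTRUCTED_TALLY = [
    ("fw01", "allow_tcp", 60),
    ("fw01", "deny_tcp", 18),
    ("proxy01", "http_200", 9),
    ("ad01", "logon_success", 7),
    ("ad01", "logon_failure", 3),
    ("ws07", "powershell_encoded", 2),
    ("ad01", "new_admin_member", 1),
]
SAMPLE_LOG = "\n".join(
    f"2024-03-01T08:{i % 60:02d}:00 {host} {event}"
    for host, event, n in CONSTRUCTED_TALLY
    for i in range(n)
)

# Assumed line format: "<timestamp> <host> <event_type>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)$")


def parse_events(text):
    """Return a list of (host, event) keys, skipping lines that don't match."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            keys.append((m.group("host"), m.group("event")))
    return keys


def pareto_split(counts, threshold=0.8):
    """Split categories into (head, tail).

    head: the fewest highest-volume categories needed to reach `threshold`
          of total volume (the candidates for tuning, rollup or suppression).
    tail: everything else, i.e. the rare events worth an analyst's attention.
    Each entry is (key, count). Ties are broken by key for determinism.
    """
    total = sum(counts.values())
    if total == 0:
        return [], []
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    head, tail, running = [], [], 0
    for key, n in ranked:
        # Decide on the share accumulated *before* this category: once the
        # head already covers the threshold, everything remaining is tail.
        if running / total >= threshold:
            tail.append((key, n))
        else:
            head.append((key, n))
        running += n
    return head, tail


def report(text, threshold=0.8):
    """Parse, count, split, print a short summary and return (head, tail)."""
    counts = Counter(parse_events(text))
    head, tail = pareto_split(counts, threshold)
    total = sum(counts.values())
    head_volume = sum(n for _, n in head)
    print(f"{len(head)} of {len(counts)} categories produce "
          f"{head_volume / total:.0%} of {total} events:")
    for (host, event), n in head:
        print(f"  head  {host:8} {event:20} {n:4}")
    for (host, event), n in tail:
        print(f"  tail  {host:8} {event:20} {n:4}")
    return head, tail


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the constructed sample, three of seven categories account for 87% of the volume, and the interesting events (failed logons, encoded PowerShell, a new admin group member) all sit in the tail. Volume is a proxy for noise, not for importance: the head tells you what to tune, roll up or drop before it hits the SIEM, while the tail is where to spend analyst time. For a "which events to analyze" decision, weight the counts by severity or by the cost of a missed detection before cutting.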
Today's post pic is from Sepedakita.com.