10 Questions for Devising a ‘Goldilocks’ Approach to Cybersecurity

“Eventually, every business will experience some sort of breach.”

That was among the assertions in a recent communication from IT solutions provider Logicalis US, mirroring conventional wisdom about the growing volume and sophistication of cyber-attacks.

But amid the well-founded cacophony of advice about the importance of ensuring the security of your and your clients’ networks, a new somewhat-countervailing message is slowly gaining favor: That not all digital assets need protecting, or at least, not the same level of protection.

“No one should buy a $1,000 safe to protect a $100 bill,” Logicalis IT security expert Jason Malacko said.

That sentiment is in line with comments made recently by Mike Baker, owner of Phoenix, Ariz.,-based managed security service provider (MSSP) Mosaic 451, who cautioned that cybersecurity strategies of many organizations were either inadequate or go too far.

“Security fetishists will tell you that everything needs to be secure,” Baker told MSPmentor. “I don’t believe that.”

Increasingly, voices of reason are emerging that caution against superfluous security products and services that end up costing more than the potential damage of a breach.

As a managed service provider (MSP) or MSSP seeking deeper relationships with customers, truly acting in the capacity of a virtual CIO or valued partner means advising your clients when not to spend money on unnecessary measures.

Like the storybook, an efficacious cybersecurity strategy should avoid being too much or too little.

To that end, Logicalis recently offered up a list of 10 security questions every CIO should be able to answer in committing to a cyber-defense plan that Goldilocks would love:

1. If you knew that your company was going to be breached tomorrow, what would you do differently today?
2. Has your company ever been breached? How do you know?
3. What assets am I protecting, what am I protecting them from (i.e., theft, destruction, compromise), and who am I protecting them from (i.e. cybercriminals or even insiders)?
4. What damage will we sustain if we are breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
5. Have you moved beyond an “inside vs. outside” perimeter-based approach to information security?
6. Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls or both?
7. What is your security strategy for IoT (also known as “the Internet of threat”)?
8. What is your security strategy for “anywhere, anytime, any device” mobility?
9. Do you have an incident response plan in place?
10. What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?

For many SMBs and other organizations, contracted service providers will often be in the best position to frame and devise answers to these questions in a way that ensures the protection of critical assets.

And as the consultative value of MSPs and MSSPs becomes a more critical point of differentiation among offerings, helping clients control costs by advising them to forego products and services they don’t necessarily need is as important as ever.

Send tips and news to MSPmentorNews@Penton.com.