was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI? my answer: positive: SSO/OAuth, hardware keys worst: DAST, DLP, honorable mention to poorly configured IDS’s what’s your answer? - ThreadSky

april.social • 169 days ago

was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI?

my answer:

positive: SSO/OAuth, hardware keys

worst: DAST, DLP, honorable mention to poorly configured IDS’s

what’s your answer?

Comments

evaristegal0is.bsky.social•169 days ago

+: webauthn, infrastructure logs
-: phishing training, dependency scanners

yoloing.bsky.social•169 days ago

A large Security engineering partner team for driving security standard implementation. Working with SA/Dev teams ensure design has no flaws, working with dev team on code security, cloud security, etc. secure by design.

yoloing.bsky.social•169 days ago

Driving Standard implementation: cadences with dev teams to detect non standard stuff, work with them to address( e.g, SSO/MFA, golden container/image, onboarding to enterprise ci/cd pipeline where scanning tool is built in, ensure cloud security violations are addressed, etc…)

yoloing.bsky.social•169 days ago

Imo, in addition to the nessasary security tools needed, it’s the security engineers you have to spend the majority of the money on. Bringing in engineers with different specialized skills, e.g, cloud security, app security,continent security, CI/CD expert, OT security, process improvement,

yoloing.bsky.social•169 days ago

As a team with diverse skills, this team should be handle all different situations within the enterprise.

chizang.net•169 days ago

Buying every employee a new pet so they can reset their "name of favorite pet" security question.

hosom.bsky.social•169 days ago

Skipping the things you’ve mentioned,

Best: Managed Ad blocking, password manager licenses for all employees.

Worst: “secure” email portals, phishing training, needlessly draconian vulnerability scans without context

mikisec.bsky.social•169 days ago

I wonder, why did you put "phishing training" inside the worst category?

clef-tes.bsky.social•169 days ago

Because it's dubiously effective at the best of times and it usually just annoys employees

hosom.bsky.social•169 days ago

This. Anything that contributes to an adversarial relationship between security and other parts of the business is a net security loss.

markstjohn.bsky.social•169 days ago

positive: inventory management, sso

negative: investing in detection before investing in the above

johnstokvis.com•169 days ago

i'm not a security person, but having done all sorts of trainings, compliance, password management, security keys, etc.

no joke, this guy was some of the highest ROI i've seen

permadeath.com•169 days ago

best: good domain/DNS/CIDR management practices

worst: phishing training

april.social•169 days ago

phishing training 🤢🤢🤮

permadeath.com•169 days ago

it doesn't work, it might make things worse, our employees hate it - let's make it required!

markdowling.bsky.social•169 days ago

This stuff is even more fun when you want to follow the more productive practices, but customers who demanded the right to audit your security practices require you to retain outdated/unproductive ones on pain of a “high finding”

nickeberts.dev•169 days ago

I’m in phish training too.

jurph.bsky.social•168 days ago

Inventory produces huge positive ROI because it finds things you didn't know about & establishes the political will to ban Shadow IT.

Accountability/compliance processes that generate a binder of paper are negative ROI. They're fiction when they're printed & only get worse as they age.

paypriestess.bsky.social•169 days ago

Shut up about DLP that's free entertainment

doshch.bsky.social•169 days ago

Worst: DLP, third-party WAF, commercial asset inventory products (if you need one, you’re not doing IaC properly), any AI-powered security product from big corps that promises to magically solve all problems.

geraintultimus.bsky.social•169 days ago

Worst are two guards, one who lies and one who tells the truth.

bolivarfiles.com•169 days ago

DLP... all DLP is just fancy regex and it sucks the big one.

Comments

Posting Rules

Reply