was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI?
my answer:
positive: SSO/OAuth, hardware keys
worst: DAST, DLP, honorable mention to poorly configured IDS’s
what’s your answer?
Comments
-: phishing training, dependency scanners
Best: Managed Ad blocking, password manager licenses for all employees.
Worst: “secure” email portals, phishing training, needlessly draconian vulnerability scans without context
negative: investing in detection before investing in the above
no joke, this guy was some of the highest ROI I've seen
worst: phishing training
Accountability/compliance processes that generate a binder of paper are negative ROI. They're fiction when they're printed & only get worse as they age.