Over the weekend I attended a minor league baseball game and immediately noticed the different level of security.  Instead of the usual metal detectors and the deep scan of bags when entering a major league stadium, the security was much less intrusive and made entering the park much more pleasant.  That got me thinking about how we apply security to our IT assets.

The key to securing assets is applying the right level of security based on the value and needs of each asset.  In the baseball example, the assets at a major league game, both the players and the people in attendance, are worth far more to an attacker than those at a minor league game.  This is not to say that the people and players at a minor league game are unimportant or any less valuable as people.  But in the eyes of an attacker, a major league game is a far more valuable target than a minor league game.  The same principle applies to IT assets.  When deciding how to protect an asset, consider both internal factors (what the asset is worth to the business and what losing it would cost) and external factors (how attractive the asset is to an attacker and therefore how likely it is to be targeted).  I have found that a lot of security people focus only on the internal factors to determine the value of IT assets.  This can lead to an inflated value for the asset and to spending too much on securing it.  Remember that when determining the value of an asset, what matters is not so much the value the company places on the asset as its value to a would-be attacker.  For instance, hackers are much more inclined to attack Microsoft than a small family-owned company: to a hacker, Microsoft is a far more valuable target than a small family-owned company.

The point here is to spend what you need to protect your IT assets, but try to avoid overspending.  Spending more on IT security than an asset warrants does not buy you any additional benefit.  That money is better spent on profit-making opportunities.