Go Cheap, Get Burned


Earlier this month, while traveling with my family to Sarasota, Florida to visit my parents for the week, I got burned – both literally and figuratively. The literal part, I’m sure you can guess…

“It’s the middle of winter, for goodness sakes,” said very-pale-from-months-indoors Rob. “How strong can the sun be?” Well, apparently strong enough to get around the shadow of my baseball hat and leave me with oddly shaped patches of peeling skin on either side of my face. Having grown up in Florida, you’d think I would have learned this lesson. Ouch.

The figurative part relates to the way I “cleverly” saved the Black family money by renting a minivan online through a tiny, off-brand car rental company. (Don’t ask, you’ve never heard of them.)

Because when we showed up at the counter, and despite having prepaid for the rental … they had no minivans left. Oops, we apologize for any inconvenience. So off we went to Avis and rented a minivan in minutes – at three times the price.

Clearly, this was a judgement error on my part. Yes, there was money to be saved, but as we discovered, it came with a significant risk.

Compare that to our airline flight. Instead of flying direct to Sarasota, we went to Tampa (which is 90 minutes away) because it’s less expensive. Plus, we booked a cheaper flight that landed at 1 am. (Have you noticed I like saving money?) However, this wasn’t an error – our flight went exactly as planned. 

There’s an important difference between these two strategies:

A bad car rental stays with you every day for your entire vacation. Had we been unable to find another minivan, it would have made for a very uncomfortable week. An inconvenient flight, on the other hand, is a distant memory by the following day.

Likewise, your cybersecurity strategy has tradeoffs. And, as with my recent travel experience, some of these tradeoffs can have serious and long-lasting consequences if you make the wrong choice. 

For example, there are many, many things you can do to quickly improve your company’s cybersecurity posture. They are inexpensive and, like an inconvenient flight time, the “pain” of putting them in place is far outweighed by the overall benefit.

Examples include:

  • Implementing Multi-Factor Authentication (MFA)
  • Performing cybersecurity awareness training (when none is in place)
  • Configuring your company’s DNS properly
  • Turning on encryption on all your company laptops
  • Reviewing who has access to key systems and removing those who no longer need it

Of course, over time, people or devices can change and some things may slip through the cracks. But these kinds of protections are infrequent activities with minimal time commitment that have a dramatic positive effect and raise your security bar significantly.

On the other side of the equation are things for which taking the cheap approach can have significant, negative impacts.

Examples here include:

  • Not holding regular meetings regarding security initiatives and/or putting no one in charge
  • Implementing traditional anti-virus (AV) over the much more effective Endpoint Detection and Response (EDR) [Note: AV is certainly better than nothing and probably fine on your home network. But the bad guys have really upped their game and it’s no longer sufficient in today’s environment.]
  • Logging, but not doing it comprehensively or only keeping 90 days of results

And, perhaps the biggest cost-saving blunder of all, choosing a terrible vendor for your cybersecurity. Here, as with renting a car from a low-end company, you will save money in the short term, but you may very well discover that you get what you pay for.

One example is performative activity such as vulnerability scanning or monitoring that runs without anyone looking at the results on a regular basis. This is the cybersecurity equivalent of installing fire alarm pull boxes in your office but not connecting them to anything. While this may help you from a compliance standpoint, it does little to keep you safe.

Choose Carefully

We regularly help clients (and non-clients) figure out the most cost-effective ways to improve their security programs. It’s amazing what a few thousand dollars and some determination can do to improve a program of a medium-sized organization.

But I get it; as I mentioned, I don’t like spending money unnecessarily either. The key is to think carefully about where you need to invest and where you can safely cut corners. Not every dollar spent is of equal value.

Speaking of which, if you know where I can buy some discount – but high quality! – sunscreen, please be in touch.



Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
