How to
Jack Danahy
Dec 2015

The 3rd Day of Breach-mas: 3 Questions to Ask Before Spending a Dime on Cybersecurity

Editor’s note: This is the third post in our “12 Days of Breach-mas” series — every day we’re sharing new tips and insights to help keep you more secure. For a recap of what you may have missed, see our summary post here.


With high-profile data breaches continuing to make headlines with disturbing regularity, the general consensus on the cybersecurity front is that we need to be doing more. Of course, the $100 billion dollar question is, doing more of what?

Companies can continue to throw more money at security, but until they put in the necessary work to determine their actual needs and funnel their funds appropriately, they could do just as well to light it on fire. 

Not that the cybersecurity industry makes things easy. With a bewildering array of solutions available and an overwhelming amount of jargon to wade through, it can be incredibly difficult to determine what’s what, let alone what’s right for you. 

3 Questions to Ask Before Spending a Dime on Cybersecurity

To cut through the noise you’ll need to narrow down your focus and develop a more specific idea of what you’re looking for. That means stepping back and performing a diagnostic self-evaluation by asking three simple core questions:

  1. Why do we need better security?
  2. What are we trying to secure?
  3. What will happen if we don’t get this right?

Or, as I like to refer to them:

  1. The why
  2. The what
  3. The who gets fired

Let’s take a deeper dive into what you can surface from each.

1) The Why: Why do we need better security?

A common approach when you’re just starting out with security is to look at what other companies are doing and use that as a basis for your own decision making. While that can be helpful, you’ll always better served ironing out your own unique problems and needs first. Otherwise, you can find yourself drawn to a seemingly popular solution that addresses others’ problems, but not your own.

By asking this question, you can develop sharper clarity around your organization’s motivations for improving security in the first place. Have you suffered a data breach? Are you worried about employees falling for phishing scams? Is your priority to prevent downtime or to protect personal customer information?

From there, try to understand the specific reasons your organization isn’t secure enough and develop focused goals around what you want to accomplish. The point is to hone in on the kinds of security solutions that are going to help not just anyone, but you, specifically.

For more help investigating solutions, see "How to Evaluate and Choose the Best Security Solutions for 2016". 

2) The What: What are we trying to secure?

For many, the gut reaction to this question is "my networks," but when pressed or when given more time to think, others might answer, "my data," "my business," "my reputation," or "my time."

Depending on your goal, your answer can then lead to a litany of other questions that will help you build an inventory of the assets you need to protect and develop even more clarity around your specific needs.

  • What are your critical assets?
  • What is your current state of coverage for those assets?
  • What are your gaps?

Answering these questions will help you move away from the ineffective task of vaguely trying to protect everything from everything to a general degree.

Remember, it is impossible to make an informed decision about any security solution or approach until you know what it is you are supposed to secure and how secure it has to be.

3) The Who Gets Fired: What will happen if we don’t get this right?

This is another crucial question to ask at the start of any new security initiative. That’s because knowing whether what you’re setting out to do is imperative or just interesting will make all the difference when it comes time to make tough but necessary choices.

If failure will mean the loss of jobs, revenue, and reputation, you can likely expect robust executive support for purchasing and implementing solutions, even if doing so means disrupting the status quo.

If, on the other hand, failure has less significant consequences, that may inform your decision to either push hard or compromise when you’re facing the chilly realities of funding, inconvenience, and change.


Key Takeaway

Before you spend a dime on security you need to develop both clarity and leadership buy-in around your top priorities and goals. 

Stay tuned for more actionable tips and advice during our “12 Days of Breach-mas” by subscribing to our blog below.

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.