
What Is Security & How Much is Enough?

Jim Nitterauer

Cybersecurity seems to dominate our lives. So much of what we do depends on the Internet, as we use connected devices to manage our shopping, finances and communications. The amount of data consumed and copied worldwide in 2010 was about 2 zettabytes. The amount forecast for 2024 is 147 zettabytes, roughly 7,000% growth (more than 70-fold) in 14 years.

Data is an asset. And like any asset, it needs to be protected. But how much protection is enough?

Security Is Risk Management

The first thing to understand about security is that it is fundamentally about risk management, not elimination. Perfect security does not exist. Every organization operates with residual risk, and the goal is to bring that risk to an acceptable level given the organization's risk appetite and the cost of controls.

This sounds obvious, but it has significant practical implications. It means that:

  • Security spending decisions should be driven by risk analysis, not by what competitors are doing or what a vendor is selling
  • The right security controls for a regional bank are not the same as the right controls for a healthcare provider or a manufacturing company
  • Compliance with a framework (SOC 2, ISO 27001, HIPAA) does not equal security — it means you've met a set of defined requirements that were designed to address common risks in a particular context

The "How Much Is Enough?" Question

This is the question boards ask CISOs, and it's the right question. The honest answer has three parts:

Enough to protect what matters most. Every organization has crown jewels — the data, systems, or capabilities that, if compromised, would cause the most damage. Security investment should be concentrated here first.

Enough to meet your legal and contractual obligations. Regulatory requirements, contractual SLAs, and liability exposure all create a floor for security investment. Falling below this floor creates legal and financial risk beyond the security risk itself.

Enough to be consistent with your risk tolerance. Some organizations are risk-tolerant. Others are risk-averse. Your security posture should reflect a deliberate decision about where your organization sits on this spectrum, not an accident of underfunding or over-engineering.

The Role of Frameworks

Frameworks like NIST CSF, ISO 27001, SOC 2, and CIS Controls provide useful starting points. They represent the accumulated experience of the security community about what controls matter and why.

But they are starting points, not destinations. A framework tells you what to consider; your risk assessment tells you what to prioritize.

Organizations that implement frameworks without doing risk assessments often end up with expensive compliance programs that don't actually reduce their most significant risks. They've checked the boxes but haven't addressed the question.

What "Enough" Looks Like in Practice

In my experience, organizations that get security right tend to share a few characteristics:

They know their risks. They've done the work to understand what they're protecting, what the threat landscape looks like for their industry, and where their current controls fall short.

They can explain their security posture to non-technical stakeholders. The board doesn't need to understand technical controls. They need to understand risk levels, investment rationale, and what residual risk remains. A CISO who can communicate in these terms is more effective than one who defaults to technical jargon.

They revisit "enough" regularly. The threat landscape changes. Business operations change. A security posture that was appropriate two years ago may not be appropriate today. Security programs need regular review and adjustment.

They treat security as a business enabler, not just a cost center. The organizations that have the hardest time getting security investment are the ones where security is perceived as a drag on the business. The organizations that get it right understand that security enables the business to operate with confidence — and communicate that value effectively.

The Bottom Line

How much security is enough? Enough to manage your risks to an acceptable level, given who you are, what you do, and what you're protecting.

The answer requires understanding your risks, not just implementing controls. And it requires honest conversations between security teams and business leadership about risk tolerance, investment, and accountability.

That's hard work. But it's the right kind of hard work.