If you have ever taken a course in economics, then you should know a thing or two about the law of diminishing returns. It may very well be the subject’s most famous and immediately recognizable principle. Here is the gist of it: there is a point at which the cost of continuing to add inputs into production stops being worth the value of the outputs produced.
In the context of software development, this principle is known as Brooks’ Law: a theory that states, “adding manpower to a late software project makes it later.”
So, the concept of diminishing returns is applicable in both economics and software development, but does it mean anything in the world of cybersecurity? Of course, it does! At its core, cybersecurity is about efficiency, vigilance, and cunning much more than it is about piling on investment after investment in infrastructure.
Case in point: Target. In 2013, Target was the victim of one of the most devastating corporate hacks of the 21st century. Hackers were able to steal the data of as many as 40 million credit and debit cards from shoppers who had visited company locations during that holiday season.
Last year, Target finally settled claims by 47 states and the District of Columbia for a total of $18.5 million, and the full scope of the breach itself cost an estimated $202 million.
But it was not as if Target had not made considerable investments in their cybersecurity framework. They had a robust security staff, were PCI DSS validated, and six months before the attack, the company had begun installing a $1.6 million malware detection tool.
They had all the right pieces, but insufficient employee training and a lack of awareness of proper procedure were enough to allow one of the biggest breaches in recent memory.
In the weeks before the breach, Target's $1.6 million malware detection tool picked up two network intrusions, but their security team did not heed those warnings. On December 12th of that year, Federal law enforcement alerted Target that it had found evidence of an intrusion, but Target’s security staff still did not act to secure its network until three days later. By then, their data was already compromised.
This cautionary tale goes to show that excessive input into an expensive system will not be worth its output if it is not bolstered by comprehensive employee training, proper cyber hygiene, and constant vigilance from both inside the company and by trained third parties.
If you want your security program to dodge diminishing returns, take the time to learn how to invest wisely and efficiently. You should also always make sure that your employees are up to speed on how to handle cybersecurity problems as they arise.
One solid way to do that is a security risk assessment. This looks at your specific situation (assets, threat landscape, risk tolerance) and develops a risk treatment plan that addresses the most important risks in a way that suits your budget. But do it right, so you don't get all the spend without the ROI.