was asked a really interesting question in an interview yesterday: given a budget, which areas of security spending produce the greatest and worst (or negative) ROI?
my answer:
positive: SSO/OAuth, hardware keys
worst: DAST, DLP, honorable mention to poorly configured IDSs
what’s your answer?
@april kinda surprised "patching / update enforcement" wasn't in your "so cheap it should be illegal" positive side
@april positive : yearly security training, SAST, SCA, patching
worst: random phishing "tests"
Of course, in order to get a lot of those positives, you need proper policies with enforcement. SAST/SCA can be a huge plus, but only if their use is enforced.
@mikeymikey that’s a good one too. i’ve never really had to buy it (at least for the client-side) since it’s usually something owned by IT and not security.
on the code and server side, the products available are certainly a mixed bag.
@april "turning old/little used stuff off & migrating people to your current systems".
That's odd. I haven't been on the IT/cybersecurity career path for over a decade now, but as a user with SOME background in the field, I thought the phishing tests at my company have been very good outreach to users about taking security threats seriously.
I'm guessing our disagreement stems from a difference in perspective, so I'm curious to hear more about your thoughts on the practice.
I do know that a couple of my phishing attempt reports have gotten exasperated "This is official communication from our company..." in response, to which my obvious retort is "Then why does our official communication look so much like phishing?"
In other words, don't automatically send out emails of the form, "Hey, there's an important new policy that you need to know about! Click here to learn more: "
@squeakyears @XenoPhage phishing exercises erode people’s trust in their security departments while also providing dubious long-term benefits of any kind.
@april I'm curious, why DAST on the negative list? Just poor results compared to amount of money spent or other reasons?