Do you really know the business value of all your Data? What is the value of your Data if exfiltrated by a determined attacker and placed in the Public domain? What is the reputational damage value of data leakage versus the perceived commercial value? Do you protect your Data based merely on what an industry regulator prescribes/recommends, or do you base your protection on the true value of the Data to your company's competitive position?
All of these questions should be asked within an Enterprise, understood and quantified. Only once this has been done can you truly determine how to most cost effectively protect your data from the all-to-frequent security breach and exfiltration. Determining a considered answer to these questions is distincly difficult, for instance, do you protect your HQ geography and perhaps treat remote/international geographies as 'semi-trusted', or do you even trust anything outside of your Data Centre estate itself? The complexity of arriving at answers to these questions is truly a challenge and all-to-often ignored but without the answers to them, the Board of any company is effectively operating in the dark.
Only until these questions have even high-level answers can you truly put a value on your Data, from a business context and therefore assign the appropriate level of budget to protect it. In Ballintrae's experience, very few Enterprises have asked themselves these hard questions and hence IT Security budget allocation is often very misguided. Be informed - invest in asking the difficult questions, so as you can act cost effectively.
Ballintrae can't tell you the business context of your data (it's your business and your data afterall), however, we can assist with facilitating a programme of work to establish a high-level contextual position. Once you've reached this enlightened position, IT Security investment & operational spend becomes self-evident. Contact Us if you'd like to discuss how we can help you.