I was lucky enough to recently take part in a roundtable discussion of an FBI cybercrime survey. One finding stood out: those companies investing the most in protection also reported the most security-related issues.

What does this mean? Is there some way that more security actually attracts attacks?

Well, no - just the opposite, in fact. Companies without adequate resources devoted to security are being attacked — they just don’t know it. The lack of a security solution isn’t protecting them. The lack of information is blinding them.

Even companies who’ve invested — sometimes heavily — in security point solutions suffer from security information problems. In such cases, there’s too much information.

That’s because security point solutions’ event logs make no distinction between serious problems and minor ones. The answer is, of course, to analyze these events over a specified timeframe, correlating them to a vulnerability index that prioritizes them. Thus armed, security managers have a much-improved grasp of the threats they face and where their vulnerabilities lie — and can focus their security resources accordingly, often reducing security costs.

But this takes both substantial effort and significant expertise. I strongly encourage exploration of these issues within one’s own organization at any phase — whether for analysis, planning, design, implementation, operations, or optimization. For many, the most cost-effective way to do this is via an experienced, trustworthy managed security services provider.