
In the business world, resources are limited and must be put to their best use.

How much protection is sufficient, especially in the cyber world? It depends on the severity of the consequences, which is driven by social impact and regulatory compliance.

Take the network firewall as an example. Its purpose is to regulate network traffic and filter out unwanted connections. It is deployed to connect different systems, because systems are no longer standalone: communication is needed for information exchange, while unwanted network traffic must be denied.

Using a protection measure requires considering the TCO (Total Cost of Ownership) to optimize resources. This is not just money but also the human effort needed to sustain it. To name a few of the maintenance overheads:

  • Plan ahead before the component(s) enter the End of Support (EoS) state declared by the OEM
  • Execute procurement to refresh the component(s) entering EoS
  • Coordinate an outage window with the operations team for the component refresh
  • Manage access credentials to the components
  • Perform backup and recovery tests of the component configuration
  • Conduct vulnerability management to keep up with new version upgrades or patch deployments
  • … And so on

Adding a firewall within a standalone system to regulate traffic between its components brings no material enhancement to cybersecurity and is overkill. It is just like the seat belt: it is designed for human safety during transport, but do we need it in an office environment?

A clear and precise organization policy shall set the correct directive. It is a matter of whether the policy writer has a full understanding of the business environment, threat exploitation and competency.
