Where do we spend the money?

I was involved in a debate today where three opposing views were being taken with regards to implementing a hypothetical new online application. Given a limited budget, should most of the money be directed towards network, application or data security?

Personally I believe that a more holistic view of the situation is required. We need to understand the way the organisation works, the cultures, the regulatory environment and so on. Not to mention physical security, security awareness, training and a myraid of other factors.

When looking at new systems I prefer to work out a set of security requirements based on the risks rather than breaking things down into technical categories.we need to consider the risks, describe the controls that work to mitigate them, and then consider the degree of affinity towards the risk that each of those controls has.

Once we’ve considered which controls are most effective – and what we might presently have lacking – then we can describe the security requirements and where we’re going to spend the money.