The Goldilocks Principle: Finding Your Security Investment Sweet Spot


How much should you invest in cybersecurity? In this video, Ted Harrington breaks down the Goldilocks Principle of security investment, helping organizations find the perfect balance between under-investing and over-spending.

Security investment isn't about spending as much as possible – or as little as you can get away with. According to cybersecurity expert Ted Harrington, it's about finding that "just right" balance, much like the classic children's tale of Goldilocks.

"There is an amount of investing that is too little, and there's an amount that's too much, and there's an amount that's just right," explains Harrington. He visualizes the relationship between security investment and return as an S-curve rather than a straight line: the bottom of the curve yields little, the middle yields the most per dollar, and the top flattens out.

When organizations invest too little in security, they often fall into a dangerous trap. They're spending money, but not getting meaningful returns. It's like checking a box without actually achieving anything substantial. Harrington argues that in these cases, it might be better to do nothing at all rather than create a false sense of security.

On the flip side, there is such a thing as over-investing. This happens when a company reaches the point of diminishing returns and keeps paying to hunt for vulnerabilities that are no longer there to find. However, Harrington notes that this is rarely the actual problem: "almost everyone never reaches that. Pretty much everyone lives in [the range where] they're under-investing."

So how do you know when you've hit the sweet spot? Harrington suggests looking at concrete metrics over time. For example, if you're conducting regular security testing every quarter or six months, and you see the number of new vulnerabilities consistently diminishing over several years until you're finding very few issues, you might have reached the optimal investment level.

But there's an important caveat. This pattern is easily confused with underinvestment. Some companies spend too little on security testing, find no issues, and incorrectly conclude they're secure. Harrington likens this to someone who never goes to the doctor and claims to have no health issues, when in reality they might have very visible problems that any doctor would immediately spot. The distinguishing question is whether the testing was deep enough that it would have found problems had they existed; a clean result from a shallow assessment says nothing about the system.
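The metric described above (new findings per testing cycle, tracked over years) and the caveat that a clean result can mean underinvestment rather than security are easy to confuse when the history is just a column of numbers. The following is an added example, not code from the article or from Ted Harrington, that classifies a history of testing cycles into the article's cases. It assumes a per-cycle effort figure (`tester_days`) as a proxy for testing depth, and the thresholds, verdict labels and sample histories are all constructed for illustration.

```python
# Added example: classify a history of security-testing cycles into the
# "converging", "underinvested" and "diminishing returns" patterns discussed
# in the article. Thresholds, labels and sample data are hypothetical.
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class TestCycle:
    """One security-testing cycle (e.g. a quarterly or semi-annual assessment)."""
    label: str           # e.g. "2022-Q1"
    new_findings: int    # newly discovered vulnerabilities in this cycle
    tester_days: float   # assessment effort; assumed here as the depth proxy


def classify_trend(cycles, min_effort_days=10.0, near_zero=2, window=3):
    """Compare the first `window` cycles with the last `window` cycles.

    Returns (verdict, reason). Verdicts (hypothetical labels):
      insufficient_history - fewer than 2*window cycles, nothing to conclude
      underinvested        - recent findings are low but so is effort: the
                             tests were too shallow to trust a clean result
      converging           - findings fell from a real level to near zero
                             under sustained effort (the "just right" signal)
      diminishing_returns  - near zero from start to finish under sustained
                             effort: a candidate for scaling the spend back
      still_finding        - trending down but not yet near zero
      not_converging       - findings not dropping despite effort
    """
    if len(cycles) < 2 * window:
        return "insufficient_history", f"{len(cycles)} cycles, need {2 * window}"

    early = cycles[:window]
    recent = cycles[-window:]
    early_avg = mean(c.new_findings for c in early)
    recent_avg = mean(c.new_findings for c in recent)
    recent_effort = mean(c.tester_days for c in recent)

    # Low findings with low effort is the "never goes to the doctor" case:
    # check effort before reading a near-zero count as good news.
    if recent_avg <= near_zero and recent_effort < min_effort_days:
        return "underinvested", (f"{recent_avg:.1f} findings/cycle with only "
                                 f"{recent_effort:.1f} tester-days/cycle")
    if recent_avg <= near_zero and early_avg > near_zero:
        return "converging", f"{early_avg:.1f} -> {recent_avg:.1f} findings/cycle"
    if recent_avg <= near_zero:
        return "diminishing_returns", (f"never above {near_zero} findings/cycle "
                                       f"at {recent_effort:.1f} tester-days/cycle")
    if recent_avg < early_avg:
        return "still_finding", f"{early_avg:.1f} -> {recent_avg:.1f} findings/cycle"
    return "not_converging", f"{early_avg:.1f} -> {recent_avg:.1f} findings/cycle"


# Constructed sample histories (semi-annual cycles), not real assessment data.
CONVERGING = [
    TestCycle("2022-Q1", 18, 15), TestCycle("2022-Q3", 12, 15),
    TestCycle("2023-Q1", 7, 15), TestCycle("2023-Q3", 3, 15),
    TestCycle("2024-Q1", 1, 15), TestCycle("2024-Q3", 0, 15),
]
UNDERINVESTED = [
    TestCycle("2022-Q1", 1, 2), TestCycle("2022-Q3", 0, 2),
    TestCycle("2023-Q1", 0, 2), TestCycle("2023-Q3", 1, 2),
    TestCycle("2024-Q1", 0, 2), TestCycle("2024-Q3", 0, 2),
]
DIMINISHING = [
    TestCycle("2022-Q1", 1, 20), TestCycle("2022-Q3", 0, 20),
    TestCycle("2023-Q1", 1, 20), TestCycle("2023-Q3", 0, 20),
    TestCycle("2024-Q1", 0, 20), TestCycle("2024-Q3", 1, 20),
]
NOT_CONVERGING = [
    TestCycle("2022-Q1", 10, 15), TestCycle("2022-Q3", 12, 15),
    TestCycle("2023-Q1", 9, 15), TestCycle("2023-Q3", 11, 15),
    TestCycle("2024-Q1", 10, 15), TestCycle("2024-Q3", 13, 15),
]


if __name__ == "__main__":
    for name, history in [("converging", CONVERGING), ("underinvested", UNDERINVESTED),
                          ("diminishing", DIMINISHING), ("not_converging", NOT_CONVERGING)]:
        verdict, reason = classify_trend(history)
        print(f"{name:15s} -> {verdict:20s} ({reason})")
```

The effort check runs before the trend check on purpose: the same near-zero count produces a "converging" verdict with sustained effort and an "underinvested" verdict without it, which is exactly the confusion the article warns about. Tester-days is a crude proxy; in practice scope, tester skill and methodology also decide whether a clean result means anything.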

The key is finding the point on the curve where each additional dollar of security investment still delivers meaningful returns, before spending crosses into diminishing value. That point will be different for every organization, but the principle remains the same: invest enough to achieve real security outcomes, but not so much that additional spending yields minimal benefit.

Want to learn more about optimizing your security investment strategy and applying the hacker mindset to security challenges? Join Ted Harrington at the upcoming e360 Executive Roundtable: AI Security event in Los Angeles on March 13, 2025, where he'll share more insights on navigating modern security challenges.

Written By: Erin Carpenter