Security, “cyber security”, system administration

“Enough”
During the “lost decade” of my 20s I had a LOT of different jobs. PC repair, high school wrestling coach, security guard, and a lot of “student” time in general.

The (pre 9/11) “security guard” time was nice because I was usually left alone all night. I was there to be visible and act as a deterrent – not perform heroic acts – which since I was looking for a paycheck and not an adrenaline rush was exactly what I wanted.

Of course there are also “private security personnel” that are highly trained professionals. Obviously the “highly trained professional” is going to demand a larger paycheck than the employee that did the “1 day orientation/computer training.”

From an “organizational” point of view – security is similar to “insurance.” Both deal with “risk management” – as in “you can’t eliminate ‘risks’ but you can minimize your vulnerability/exposure”.

SO the best practice with security and insurance is to have “enough” to cover your needs.

“Sales”
Then the question becomes “just how much is enough?”

Have you seen the commercials for “home security system” where a masked intruder breaks a window (in what looks like a nice suburban home) in the middle of the day?

Then cut to a frightened child and woman clutching each other in a state of panic – followed by the phone ringing and a reassuring voice saying “We have detected a break-in at your premises. Authorities have been notified. Do you require assistance?”

The relieved/grateful woman picks up the phone and says something like “Thank you security system! I don’t know what we would have done without you.” — and then you get the sales pitch from the security monitoring company (e.g. for less than $ a day you can protect your family…)

Now, I’m not dismissing the need for/utility of these systems – I’m pointing out that the scenario used is “unlikely” at best and designed to manipulate your emotions. After all – can you put a price on “protecting your family?”

On a less emotionally charged front – the answer to “can you put a price on the security of your business” is “yes.” In a nutshell – you don’t want to pay more for security than the value of the object being secured.

SO that storage facility housing spare parts for your “commodity widget” making factory PROBABLY doesn’t need as much security as the distribution center that processes orders from customers for your “commodity widget.”

Now that sales person working on commission might try to convince the “commodity widget maker upper management” that they need the top end security everywhere – and maybe they do – but obviously the “sales person” is biased.

SO when the widget making enterprise gets past a certain size – they will probably hire a “director of security” or something to evaluate the needs of the company.

“Cyber”
That same process/concept applies to “computer network security.” Q. How much “cyber security” do you need? A. “Enough.”

As a long time “I.T. professional” my view of “cyber security” is that it is a marketing term. Obviously I am NOT saying that “computer network security” is irrelevant – just that “good system administration” has ALWAYS included “network security.”

Consider “automobile security” – how much should someone spend to “secure” their car?

Well, if you have a beat up Ford Pinto with 500,000 miles on it that starts shaking if you go over 65 miles per hour and you only keep it to haul garbage to the landfill – then maybe you are comfortable leaving the keys on the dashboard with the windows rolled down. If someone steals the car they might be doing you a favor.

BUT if you have a “new luxury SUV” you might invest in a car alarm, and some form of remote monitoring. If you live in a “big city” you might pay for “off street” parking. In any case you certainly aren’t leaving the keys on the dashboard with the windows rolled down.

Getting back to “computer network security” – MOST networks probably fall into the “nice four door sedan” category. They need to be secured – and they will be compromised if left unsecured – but they aren’t a specific target.

e.g. roll up the windows, lock the doors, don’t leave valuables in plain sight – and your “family sedan” is probably secure enough. Adhere to “good system administration practices” and your computer network is “probably” secure enough.

I also like the idea of a Magnificent Seven approach to security – NOT that you need to hire hackers to protect yourself from hackers, but that you need to secure your network enough to make the “casual attacker” go somewhere else.

IF someone is intentionally targeting your network AND they are willing to spend money and time THEN they will probably be able to compromise your network. Your goals should be to not “make it easy” for them and also to detect and respond to the intrusion when it happens.

For individuals, your small home network is probably more valuable to the bad actors as a resource for “zombie”/spam activity – but still, don’t make it easy on them.

If you REALLY want to worry about something – more important than the network itself is the data moving on that network – so the biggest threat to the “average network” is the people using the network. Which is a slightly different subject …

TL;DR
Yes, there are needs for “security specific” computer professionals – things like penetration testing and security auditing come immediately to mind. The concept of a security “baked in”/first approach to application development is also obvious. I’m just tired of hearing “cyber security” presented as something new and novel …

e.g. A combination of good backups, sensible user management, and applying encryption to both file storage and network traffic probably protects 90% of “computer networks.”
