World View

Security Spending: The Dutch Granny Bike Equation

When does it make sense to spend more on security than on the item being secured?

By Paul Raines

January 01, 2006, CSO

I recently moved to the Netherlands to accept a position as the CISO for a non-profit international organization. It rains quite a bit more here than in New Jersey, where I used to live, and when the people speak Dutch, they do so with a guttural cacophony that sounds as if they're winding up to expel a troublesome bit of phlegm. Those adjustments aside, information security here is pretty much the same. I mean, securing a Windows 2003 server on this side of the pond is no different than in the States.

But there are some glaring cultural differences between Americans and the Dutch, and here is where it gets interesting. Dutch society is extremely ecology-minded, and practically every Dutch man and woman rides a bicycle. Naturally, my inclination when I arrived here was, When in Holland, do as the Hollanders do. But not so fast.

The first advice I got was to not buy an expensive bike. Instead, I was told to buy a good Dutch grandma bike. You know, an upright one with pedal brakes and a bit of rust on the handlebars. No fancy gears, bike seats or racing wheels: the closer one gets to the original caveman concept of the wheel, the better.

Then came part two of the advice: Invest more money in your bicycle lock than in the bicycle. Otherwise, the bike will be stolen. (I guess all that cheese and chocolate makes for sticky fingers.)

When I first heard this advice, I wondered if perhaps it wasn't the Dutch equivalent of a snipe hunt. I could just see myself rolling out my rickety, old grandma bike and being caught up in a maelstrom of biking Dutchmen. Lance Armstrong look-alikes would whiz past whilst I navigated my wobbly (but highly protected) bike down the bike lane. Small children would point and laugh, and bullies would heave rotting fruit in my direction. Surely I would be the laughingstock of this bicycle-fanatic nation.

Such was not the case. The Dutch are a serious people, and they are at their most serious when it comes to bike riding. Buy a cheap bike and an expensive lock, everyone said. My security sense began to tingle.

The Cardinal Rule of Security

We've all heard this basic tenet of security: Don't spend more money protecting something than the something is actually worth. Would you, for example, pay $15,000 for guards to protect a diamond that was worth only $10,000? Couldn't you just accept it if the damn thing got stolen and save yourself some money?
