Shrinking Budgets Tie Hands of Security Pros
An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."
Budget has always been a problem (Score:5, Insightful)
The sad truth is, at most companies management sees security as an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice between keeping the servers functioning and users getting phished, the CIO opts for the more pressing need. (At 99% of places the security function reports to the CIO or CTO, but that is for another bitching session.)
Then of course something goes wrong, and the security person gets yelled at because they did not do their job. So then the coffers open, and the company spends a ton of money on a problem that could have been fixed for less at the right time (TJX breach).
The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.
And always keep your resume updated.
bullshit (Score:4, Insightful)
It's just that companies would rather buy something than use their highly skilled security staff. Or maybe their security staff isn't so skilled, and that's why they incur the expense of ridiculously expensive canned security software instead of designing an infrastructure that makes sense and using the best-of-breed tools for the job, mixing open source, in-house, and commercial stuff.
Re:Can't budget for human stupidity (Score:5, Insightful)
If the grandparent's organization is anything like mine, the issue isn't the lack of technical solutions for locking down computers. It's the unwillingness of managers to put their neck on the line and sign off on suggestions like this.
Cheaper than the alternative . . . (Score:5, Insightful)
Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured Linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a Linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) takes much more time.
If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.
Re:simple things can be done... (Score:5, Insightful)
We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing or pruning user administrative permissions, controlling which software you allow, and enforcing strong authentication. This doesn't have to cost a lot of money.
Actually, doing all of these things does cost money: you need to have someone hired on who can do all of these things, and you have to pay them a salary.
In the long term, it's not a lot of money. But short-term thinking appears to be taking over in this economy, especially if management sees no immediate threat in not having basic safeguards in place.
Re:budget? (Score:4, Insightful)
Depends on how you see it. Users are dumb, so if you spend your money to train your staff and make them just a tiny bit smarter, then your investment is worth it.
On the other hand, if you search for a purely technical solution, you are bound to fail; there I agree with you.
Sadly, management often does not have the foggiest idea of how to allocate resources in a smart way in this area, so I don't expect the situation to improve anytime soon.
Re:Security professionals are like managers (Score:3, Insightful)
First, you are assuming that the security pro actually gets an opportunity to explain the risks. You'd be surprised how rare that is.
Next: if you do a great job and nothing happens, management actually starts wondering why a security person or department is needed. Lastly, and most importantly, as the grandparent pointed out:
- the dollars are finite.
- if there is an order to cut budget, do you think it will be [a] lay off the windows guy, or [b] lay off the security guy and have the windows guy do some of the security work?
If you pick [a], you don't know how security is viewed by management.
Re:Can't budget for human stupidity (Score:3, Insightful)
Paranoid and smart? Or just paranoid?
Many IT departments implement mandatory password changes and antivirus.
Also common are various filter programs.
Automated PW changes are actually counterproductive according to several studies, as they make the selected passwords more predictable. Better to educate users as to what is a good PW.
Antivirus is a good thing and should be in place if you use Windows.
Filters DO NOT WORK. At least not as intended.
The only thing that works in the long run is education. And harsh punishment :-)
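As an added example (not from the thread, and not a quotation of any particular study), here is a Python check for the failure mode the comment above describes: under forced rotation, users derive the new password from the old one by small, predictable edits, so a policy that knows the previous password can refuse the obvious successors. The transformations it catches (counter increment, season or month swap, case flip, reversal, leet or digit fiddling, any edit of distance two or less) and the word list are my assumptions about common behaviour, not measured data; the test pairs at the end are constructed.

```python
import re
from typing import Optional

# Leet substitutions undone before comparing the "core" word of a password.
# Assumption: these are the common ones; extend from your own reset logs.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Words people cycle through on a schedule (constructed list, not exhaustive).
CYCLE_WORDS = {
    "winter", "spring", "summer", "autumn", "fall",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# prefix, run of digits, non-digit suffix: "Summer2009!" -> ("Summer", "2009", "!")
_TRAILING_NUMBER = re.compile(r"(.*?)(\d+)([^\d]*)")


def core(pw: str) -> str:
    """Lowercase, drop trailing digits/symbols, undo leet, keep letters only."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    return re.sub(r"[^a-z]", "", stripped.lower().translate(LEET))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_rotation(old: str, new: str) -> Optional[str]:
    """Return why `new` is a predictable successor of `old`, or None if it is not."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case change only"
    if new == old[::-1]:
        return "reversed"
    m_old, m_new = _TRAILING_NUMBER.fullmatch(old), _TRAILING_NUMBER.fullmatch(new)
    if (m_old and m_new
            and m_old.group(1).lower() == m_new.group(1).lower()
            and m_old.group(3) == m_new.group(3)):
        if int(m_new.group(2)) == int(m_old.group(2)) + 1:
            return "counter incremented"
        return "only the number changed"
    c_old, c_new = core(old), core(new)
    if c_old in CYCLE_WORDS and c_new in CYCLE_WORDS:
        return "season/month rotation"
    if c_old and c_old == c_new:
        return "same word, digits/symbols/leet changed"
    if levenshtein(old.lower(), new.lower()) <= 2:
        return "edit distance <= 2"
    return None


def accept_new_password(old: str, new: str, min_len: int = 12) -> bool:
    """Policy gate: long enough and not derivable from the previous password."""
    return len(new) >= min_len and predictable_rotation(old, new) is None


if __name__ == "__main__":
    # Constructed pairs illustrating each rule.
    for old, new in [("Summer2009!", "Summer2010!"), ("Winter2009", "Spring2010"),
                     ("P@ssw0rd1", "Passw0rd1"), ("Gr8Wall", "Gr8Walls"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {predictable_rotation(old, new)}")
```

Run it at password-change time, which is the one moment a system legitimately has both the old and the new value in plaintext, and store nothing from it. A password that passes is at least not a one-step edit of its predecessor, which removes most of what an attacker gains from having captured the last one.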
Re:Can't budget for human stupidity (Score:1, Insightful)
I'm sorry but switching browsers does NOT suddenly allow you to circumvent your proxy server. So no, users are not using Firefox to "visit sites" that they couldn't using IE. That's not what browsers do. This is technology 101. This sounds like someone who doesn't know what they were talking about, posting something they 'heard' from another end user.
Re:Can't budget for human stupidity (Score:3, Insightful)
Companies need their employees to take on the risk of trying new applications and web sites without constantly asking for permission. It's a big driver of growth and advancement. For that they are willing to expose themselves to some small risk.
Re:IT Budgets == Bloated (Score:3, Insightful)
The trick is finding a security professional who knows this, and is able to find the security tools that turn the company's policy, their security needs, and budget into implementable technology. A company can buy every single product sold in SC Magazine and the CISSP magazines. It won't do them much good, because even the best security product will not give much protection if it is not implemented right.
For example, take a high grade HSM (hardware security module). If the admins of it allow everyone and their brother access to the signing key stored on it, or had the key flagged to be exported in an insecure manner, the security that the device provides is minimal.
Communication is key here. The reason a security professional is a professional is that they have to have the knowledge to take in what the client needs, their budget, the regulations the client is operating under, and the contracts of the client's customers and vendors. He or she needs to take that information and do two things: buy the equipment, and configure it correctly. It's not just knowing all the technical stuff, but knowing how the company functions, to put in a complete system that impacts productivity as little as possible yet still provides protection against both known threats and unknown threats (zero days, unexpected threat vectors like compromised printers, etc.).
If there is a limited budget, a security pro has to get with the corporate officers and figure out where the most likely attacks will come from. For example, a nontechnical call center has a high threat of physical theft of equipment, so they would be going with physical security, CCTV, enterprise systems to detect case intrusion events, and perhaps some form of encryption on all machines so that if a machine or hard disk is stolen, licensed software and CD keys are protected. A credit card processor would be more concerned about network and perhaps social engineering attacks (although physical is still a concern).
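As an added example (not from the thread), here is a Python audit of the two HSM failure modes the comment above describes, keys flagged for insecure export and signing keys that "everyone and their brother" can use, expressed in PKCS#11 attribute terms. The attribute names (CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_WRAP_WITH_TRUSTED, CKA_NEVER_EXTRACTABLE, CKA_PRIVATE, CKA_SIGN, CKA_DECRYPT) are the standard PKCS#11 ones; the key records, the `users` lists and the thresholds are constructed sample data and assumptions, as if you had read each object's attributes with C_GetAttributeValue and noted who holds credentials for the partition.

```python
from typing import Dict, List

# Assumptions for the access rule: generic principals that should never be
# authorised on a signing partition, and a cap on how many identities should be.
BROAD_GROUPS = {"everyone", "all-users", "*"}
MAX_USERS = 3

# Constructed sample: three keys as they might sit on one HSM partition.
# "attrs" holds boolean PKCS#11 attributes; "users" is who can use the key.
SAMPLE_KEYS: List[Dict] = [
    {
        "label": "code-signing-prod",
        "attrs": {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
                  "CKA_NEVER_EXTRACTABLE": True, "CKA_PRIVATE": True,
                  "CKA_SIGN": True, "CKA_DECRYPT": False},
        "users": ["ci-signer"],
    },
    {
        "label": "legacy-tls-key",
        "attrs": {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": True,
                  "CKA_WRAP_WITH_TRUSTED": False, "CKA_NEVER_EXTRACTABLE": False,
                  "CKA_PRIVATE": True, "CKA_SIGN": True, "CKA_DECRYPT": True},
        "users": ["ops-team", "everyone"],
    },
    {
        "label": "test-hmac",
        "attrs": {"CKA_SENSITIVE": False, "CKA_EXTRACTABLE": False,
                  "CKA_NEVER_EXTRACTABLE": False, "CKA_PRIVATE": False,
                  "CKA_SIGN": True, "CKA_DECRYPT": False},
        "users": ["alice"],
    },
]


def audit_key(key: Dict) -> List[str]:
    """Return a list of findings for one key; an empty list means the template is sound."""
    a = key["attrs"]
    findings: List[str] = []
    if a.get("CKA_SENSITIVE") is False:
        findings.append("CKA_SENSITIVE=false: key value can be read back with C_GetAttributeValue")
    if a.get("CKA_EXTRACTABLE") and not a.get("CKA_WRAP_WITH_TRUSTED"):
        findings.append("CKA_EXTRACTABLE=true without CKA_WRAP_WITH_TRUSTED: "
                        "can be wrapped out under any wrapping key an attacker can import")
    if a.get("CKA_NEVER_EXTRACTABLE") is False and not a.get("CKA_EXTRACTABLE"):
        # EXTRACTABLE can only go true->false, so this key was exportable earlier in its life.
        findings.append("CKA_NEVER_EXTRACTABLE=false: key was extractable before; assume copies may exist")
    if a.get("CKA_PRIVATE") is False:
        findings.append("CKA_PRIVATE=false: key usable without logging in to the token")
    if a.get("CKA_SIGN") and a.get("CKA_DECRYPT"):
        findings.append("CKA_SIGN and CKA_DECRYPT both set: no usage separation between signing and decryption")
    users = key.get("users", [])
    broad = sorted(BROAD_GROUPS.intersection(users))
    if len(users) > MAX_USERS or broad:
        findings.append(f"access too broad: {len(users)} identities authorised, broad groups {broad}")
    return findings


def audit_partition(keys: List[Dict]) -> Dict[str, List[str]]:
    """Map each key label to its findings."""
    return {k["label"]: audit_key(k) for k in keys}


if __name__ == "__main__":
    for label, findings in audit_partition(SAMPLE_KEYS).items():
        print(label, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

On a real partition the attribute values come from the vendor's client library or a generic tool such as OpenSC's `pkcs11-tool --list-objects`, which prints the sensitive, extractable and usage flags per object. The secure template the audit encodes is CKA_SENSITIVE=true, CKA_EXTRACTABLE=false (or extractable only under a trusted wrapping key), CKA_PRIVATE=true, one usage per key, and a short, named list of identities; an expensive HSM holding keys that fail these checks gives, as the comment says, minimal protection.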
Re:Can't budget for human stupidity (Score:1, Insightful)
Boot level encryption, antivirus software, and "agents" are in themselves not bad. However, misconfigured they can become a nuisance to employees and kill productivity.
Boot level encryption is a must for laptops these days. No company wants to have a front page headline of "unsecured laptop stolen, thieves grab $BIGNUM of users' personal data and put it for sale on the black market." Get a laptop with a TPM chip, and boot-level encryption doesn't even have to ask for a passphrase, as PGP, BitLocker, and a number of other FDE programs support that functionality. Even on desktops, it mitigates data theft by people filching machines or yanking hard disks.
Antivirus software is also a must. Even if it detects nothing, its mere presence on machines fulfills a lot of contract obligations.
Finally "agents" can be used for a number of things. In a large company, most PCs need to have some type of software like this for audit trails and intrusion detection. One can even use some programs like LoJack to ensure that data is remotely wiped if a machine is stolen.
Re:I've seen this cycle before (Score:4, Insightful)
In a recession, security is the last thing a business should cut.
The unemployment rate is high. This means that people who wouldn't think of such things in normal times will turn to other means to supplement their income to keep a roof over their family's heads. So, someone who would normally give the finger to someone overseas asking for brief use of a username/password for $500 would happily give it in these times in order to keep the repo man away for another month.
More criminal organizations (domestic and overseas) realize there are profits to be made in capturing data from stolen laptops: not just the hardware, but the data on the machine. The data can be sold, or used for blackmail or extortion.
Employees are more likely to be disgruntled due to layoffs and cutbacks. So, vandalism and outright internal theft are on the rise.
There are a lot more regulations than before that make companies face shareholder lawsuits and corporate officers face prison time should a major breach occur and a breach in process be found.
Software CD keys are worth money, and a divulged volume CD key can force a company to re-buy every single license of a product as per EULA stipulations.
Outside attacks are more and more sophisticated as time goes on. To use an auto analogy, car companies are not using the same disc cylinder used on autos in the 1950s; they have moved to sidewinder cuts and "laser cut" keys. Same with security. A company has to keep abreast of new threats as a matter of life, just as CCTV cameras and bump-resistant locks on the doors are now the standard.