Security Manager's Journal: At budget time, you ask and hope to receive
Our manager has a long wish list as the annual budget time rolls around once again.
Computerworld - It's budget time again, which is a good chance to assess our information security defenses and decide which areas we can best afford to beef up. Here's a look at what I think we'll be able to add this year.
First, I want to increase our investment in security incident and event management. SIEM has been a great investment thus far, helping us thwart attacks and identify other malicious activity that could have resulted in the loss of sensitive data, unauthorized access or a denial-of-service attack on our network. I can point to a lot of things that justify further investment. My plan is to expand our license and add more network sensors to remote offices. The return on those investments will be that more data will be correlated with additional log and netflow feeds from network and server resources.
Next, I want to upgrade the security assessment tools that automatically scan our DMZ infrastructure on a weekly basis, as well as satisfy our regular audit and assessment schedule of internal apps and infrastructure. Our current tools, though fairly effective, lack some of the rich functionality that Qualys, nCircle and Rapid7 offer. Any of those would give us a more robust, centralized management console, integration with other tools and better reporting options. The productivity gains that these products would make possible are a selling point; the tool we end up choosing should pay for itself in short order just in the area of collecting security compliance data each quarter.
Then there's data leak prevention (DLP). When we implemented DLP earlier this year, our budget didn't allow for any decryption infrastructure. A main feature of DLP is that it can detect documents being sent via Web-based apps such as webmail and personal storage sites, but we need to decrypt the SSL traffic before our DLP tool can inspect the data. In addition, we recently migrated our Exchange deployment to Microsoft's Office 365 cloud offering, so now even our corporate email is encrypted. All of that means we need to buy proxy appliances and route all our Web traffic through them so that it is decrypted before it reaches the DLP engine for inspection. We'll be looking at either Cisco or Blue Coat to satisfy this need.
Another area that we need to address is protection against advanced persistent and zero-day threats. We're on schedule with a proof-of-concept of FireEye, as we seek to understand the value of this type of investment. If the pilot is successful, our plan is to buy a few appliances for our larger offices, but complete enterprise coverage would require an appliance at each of our more than 40 remote offices. If FireEye doesn't fit the bill, we'll look at other technologies, including WildFire, which is already bundled with our Palo Alto Networks firewalls.
Each quarter, I spend about $30,000 for outside firms to conduct penetration testing and give us an independent viewpoint. One recent penetration test of our IP telephony infrastructure identified several critical configuration issues. I would like to double that budget line in 2013, mostly because we are expanding our use of cloud technologies and will need more assessments to keep up.
As for staff, I'll have a harder time. I'm fortunate in being allowed to fill an open position for a security analyst, but I could always use more people. The good news there is that my company just announced a summer internship program. At nominal cost, I can hire a college intern for the summer. I'll be asking for two.
All in all, I know I'm pretty lucky. Not every security manager can ask for so much and have a reasonable expectation of getting it. Still, our security spending remains small, both as a percentage of the overall IT budget and in terms of security spending per employee.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.