Security Manager's Journal: At budget time, you ask and hope to receive

Our manager has a long wish list as the annual budget time rolls around once again.

It's budget time again, which is a good chance to assess our information security defenses and decide which areas we can best afford to beef up. Here's a look at what I think we'll be able to add this year.

Trouble Ticket

It's time to make the case for funding in the 2013 budget. Action plan: Prioritize the company's security needs, and have justifications at the ready.

First, I want to increase our investment in security incident and event management. SIEM has been a great investment thus far, helping us thwart attacks and identify other malicious activity that could have resulted in the loss of sensitive data, unauthorized access or a denial-of-service attack on our network. I can point to a lot of things that justify further investment. My plan is to expand our license and add more network sensors to remote offices. The return on those investments will be that more data will be correlated with additional log and netflow feeds from network and server resources.

Next, I want to upgrade the security assessment tools that automatically scan our DMZ infrastructure on a weekly basis, as well as satisfy our regular audit and assessment schedule of internal apps and infrastructure. Our current tools, though fairly effective, lack some of the rich functionality that Qualys, nCircle and Rapid 7 offer. Any of those would give us a more robust, centralized management console, integration with other tools and better reporting options. The productivity gains that these products would make possible are a selling point; the tool we end up choosing should pay for itself in short order just in the area of collecting security compliance data each quarter.

Then there's data leak prevention (DLP). When we implemented DLP earlier this year, our budget didn't allow for any decryption infrastructure. A main feature of DLP is that it can detect documents being sent via Web-based apps such as webmail and personal storage sites, but we need to decrypt the SSL traffic before our DLP tool can inspect the data. In addition, we recently migrated our Exchange deployment to Microsoft's Office 365 cloud offering, so now even our corporate email is encrypted. All of that means we need to buy proxy appliances and then send all our Web traffic to them for decrypting ahead of going to the DLP engine for inspection. We'll be looking at either Cisco or Bluecoat to satisfy this need.

Another area that we need to address is protection against advanced persistent and zero-day threats. We're on schedule with a proof-of-concept of FireEye, as we seek to understand the value of this type of investment. If the pilot is successful, our plan is to buy a few appliances for our larger offices, but complete enterprise coverage would require an appliance at each of our more than 40 remote offices. If FireEye doesn't fit the bill, we'll look at other technologies, including WildFire, which is already bundled with our Palo Alto Network Firewalls.

Each quarter, I spend about $30,000 for outside firms to conduct penetration testing and give us an independent viewpoint. One recent penetration test of our IP telephony infrastructure identified several critical configuration issues. I would like to double that budget line in 2013, mostly because we are expanding our use of cloud technologies and will need more assessments to keep up.

As for staff, I'll have a harder time. I'm fortunate in being allowed to fill an open position for a security analyst, but I could always use more people. The good news there is that my company just announced a summer internship program. At nominal cost, I can hire a college intern for the summer. I'll be asking for two.

All in all, I know I'm pretty lucky. Not every security manager can ask for so much and have a reasonable expectation of getting it. Still, our security spending remains small, both as a percentage of the overall IT budget and in terms of security spending per employee.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join in the discussions about security!

Read more about security in Computerworld's Security Topic Center.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon