BreachExchange mailing list archives

How to optimize your security budget


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 May 2014 19:16:21 -0600

http://www.networkworld.com/research/2014/051214-how-to-optimize-your-security-281504.html?source=nww_rss

The good news is that security budgets are rising broadly. The bad news? So
are successful attacks. Perhaps that's why security budgets, averaging $4.3
million this year, represent a gain of 51% over the previous year; that
figure is nearly double the $2.2 million spent in 2010, all according to our
most recent Global Information Security Survey, conducted by
PricewaterhouseCoopers.

The question is, why? Why are security budgets rising while enterprises
still are not getting the results they hoped for? "Many organizations are infatuated with
buying the latest trendy thing, whether or not it makes the most sense for
their specific security posture," says Jay Leek, chief information security
officer at The Blackstone Group.

The 11th annual Global Information Security Survey of 9,600 executives also
found that the number of organizations reporting losses of greater than $10
million per incident is up 75 percent from just two years ago. The costs
of these breaches also are rising, with data breaches up 9 percent in 2013
from 2012.

One thing is certain: organizations are not spending on the technologies
and capabilities best suited to help spot advanced attackers, such as
malware analysis (only 51% doing so), inspection of traffic leaving the
network (41%), rogue device scanning (34%), deep packet inspection (27%), or
threat modeling (21%).

With all of this in mind, how do you tell if that increase in budget you
received is being spent in the right areas?

The right staff

First up: make sure your team is well positioned when it comes to security
staff.

"Figuring out if you are understaffed or overstaffed can be tricky,"
says John Pescatore, director, emerging security trends, at SANS Institute.
"If you have 10 firewalls, how many full-time equivalents does it take to
manage them? If you have three people taking care of 10 firewalls, you
either have really bad firewall managers or you should invest in a tool so
that one person can manage those 10 firewalls," he says.

One way to evaluate staffing is to look at how many full-time equivalents
are in the security program as a percentage of total IT positions. Another
is to compare your security/general IT staff ratio with that ratio within
your industry, and see how your security staffing stands in contrast to
your peers, says Pescatore. "That's a good indication. Be sure to take into
account how many full time equivalents may be in place through outsourcing
arrangements, such as firewall management and monitoring," he explains.

Understaffing of security professionals is likely to create a situation
where the organization ends up pushing unsecured projects into
production and is unable to respond properly to incidents or maintain a
healthy security program. This means that those who are there will be
constantly jumping from one emergency to the next.

And when it comes to security budget spending, at least in the next few
years, it would be wise to invest in people while organizations still can
find those who are qualified. According to a just-released study from IT
certifications provider (ISC)2, about 2.25 million information security
professionals were working worldwide last year. That figure is expected to
leap to 4.25 million in two years. And (ISC)2 expects that there could be a
47% shortage of security professionals qualified to fill those positions.

Our own "State of the CSO" in 2013 found that this demand for skilled IT
security professionals is already straining organizations' ability to
attract top security talent. It is the larger companies that are most
likely to increase their security resources, with 42 percent planning
staffing increases, compared to 37 percent of midsize and 26 percent of
small organizations. In fact, finding and retaining skilled IT security
workers was identified among the greatest challenges for 31 percent of
large companies.

Out with the old

Another way to maximize a security budget is to make certain the budget is
aligned as closely as possible with current security demands and applications. "We
see a lot of security shelfware out there," says Javvad Malik, security
analyst at The 451 Group. "In a recent survey we conducted, not a single
respondent said that they have a process in place to actually decommission
old IT security products."

Predictably, what ends up happening, year after year, is these enterprises
acquire new security applications but don't decommission those in place,
even though they're not in productive use. "They're scared that it might
impact something, or fear it's too embedded into their processes even
though they're not getting any value out of the application. They end up
with all of this bloat that's just hanging around and costing them money,"
he says. While it may sound obvious, it's something many enterprises aren't
doing: cull all of those security appliances and software apps that can be
decommissioned.

Avoid the shiny

Andy Ellis, chief security officer at Akamai Technologies, says it's
unfortunately all too common for enterprises to buy security equipment that
they don't have the expertise on staff to maintain, or they fail to set
aside training budget. Before buying that SIEM, web application firewall,
or malware forensics analysis software, Ellis has a set of questions that
he says need to be answered.

- Did you have people who knew how to use the system?
- Were they able to apply themselves to installing, using, and maintaining,
the system?
- Did the system actually have effect?

While a negative answer would indicate an ill-thought-out purchase, an
affirmative answer doesn't mean that the budget was wisely deployed. "At
least you didn't just throw it away, but if you can't say 'yes' to all
three of those questions, then you've wasted your money. How many SIEMs are
out there that don't actually do anything because there are no operators to
tune them," Ellis says.

Focus on the endgame

Blackstone's Leek argues that for years now, many enterprises have been
spending too heavily on defensive technologies and not enough on incident
response. "No matter how much you spend on defense, and how good you are at
defense, or how wise you are with your budget, there will be attacks that
get through. And not enough companies have been investing in their response
capabilities. As a result they have very little ability to respond when the
inevitable happens," he says.

With most enterprises spending a disproportionately low amount on response
compared to defense, putting a good chunk of that budget increase toward
response does sound like one of the best investments of all.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 