When it comes to security, it’s planning and execution – not the size of the budget – that matter.
With the U.S. economy showing the barest signs of recovering from the recession, the consensus among economists is for a very flat recovery to continue through 2011. For IT security staff, that means tight IT budgets and flat spending, at best.
So how do businesses get the most out of security budgets that are already strained? Threatpost asked a handful of industry experts and IT security leaders for their advice on stretching the IT security dollar in 2011 and beyond. Here’s what they told us:
Understand Your Risk, Then Secure What Matters
The first place to start is with the most pressing risks first, says Herb Mattord, assistant professor of information security and assurance, Kennesaw State University in Georgia and co-author of The Principles of Information Security, Fourth Edition to be published in January of 2011 by Course Technology. “Its risk management and it is the only reliable way to make sure that we are addressing the highest impact threats instead of wasting our scarce resources on less critical issues,” he says.
How do businesses know which areas to start with first? Alex Hutton, principal, risk and intelligence for Verizon’s business RISK team, says the data from the latest Verizon Data Breach Investigations Report is an ideal place to turn for guidance. “The Verizon data show that default and easily guessable credentials and basic Web application security are enormous causes of pain. So, if these risk factors apply to an organization, they can start with low-hanging fruit right there,” Hutton says.
Scott Crawford, managing research director for analyst firm Enterprise Management Associates, agrees. “Organizations would get more from their budget by focusing where industry is experiencing the most failures, such as establishing minimum password management and having basic configuration and change management in place,” he says. “Companies should look first at these basics and invest in any weaknesses they find.” Firms that invest in change management and strong operational security experience fewer data breaches and less downtime from them, he said.
Create, And Then Enforce Sound Security Policies
Experts agree that creating sound security policies and then actually enforcing them should be a top priority.
“When done properly, policy offers the best bang for the buck of any control strategy, and is the only control option for some organizations. Policy offers the ability to influence human behavior, and even when we use technical or other managerial controls, policy must be in place for any control to be sustainable over the long term,” says Mattord. “Of course, developing effective security policy is not a trivial exercise; it is essential to set the stage for controls that are effective and efficient and get the desired results within the available budget.”
Build, And Then Automate Good Processes
Another way to stretch your IT security dollar is by automating key IT security processes. These include vulnerability management, password changes, and security event management, our experts agreed.
But automation as a way to reduce headcount and increase efficiency can sometimes run counter to the security interests of your organization. Companies have to continue to invest in the employees whose job it is to carry out and adhere to IT security policies.
“A big mistake is to ignore training,” says Hutton. “For every three or four companies that claim that DLP, IPS, or SEIM is a waste of money, there’s one organization getting value out of it because it invested in the talent to operate those technologies well.”
Embrace New Technologies
Finally, firms need to continue to look to the future, rather than trying to solve tomorrow’s problems with yesterday’s products. One contemporary example is virtualization technology. Server virtualization is already a staple of most modern data centers. Crawford of Enterprise Management Associates says that desktop virtualization is an emerging enterprise technology that could reduce long-term operational costs and improve security.
“Desktop virtualization offers the ability to both contain threats and harden endpoints from attack,” he says. “VDI (the Virtual Desktop Infrastructure) makes it possible to run the desktop from the data center, which enables more control over configuration and settings in the hands of a centralized IT team.”