Shrinking Budgets Tie Hands of Security Pros
An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."
We could start by removing the damn RSA servers from our budget for one thing!
But seriously now, it looks like I will have to cut in half my order of bullets for the double miniguns we have mounted outside our office building.
The survey is reporting something that every single security professional who has managed a budget has known for a long time, even before the recession (except maybe the period around Y2K).
:-)
The sad truth is, at most companies management sees security as an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice of keeping the servers functioning or users getting phished, the CIO opts for the more pressing need. (At 99% of places, the security function reports to the CIO or CTO, but that is for another bitching session.)
Then of course something goes wrong, and the security person gets yelled at because s/he did not do his/her job. So then the coffers open, and the company spends a ton of money on something that could have been fixed for less at the right time (TJX breach).
The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (Point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.
And always keep your resume updated.
When the budget cuts have gone far enough to strip down all security, certificates expire, competence leaves the ship and nobody really knows how it works anymore. Then the cybercriminals enter the systems and use them for their own purposes.
And management sits there looking completely confused because they have cut down on the people knowing how to do security.
It is especially bad if it's a system that handles large numbers of economic transactions and stores credit card and personal information about a lot of people.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
People always seem to think Security is something you can BUY. You can't really 'purchase' security, all you can do is implement policies, and select tools to assist in creating and implementing those policies.
Most of these tools are free [as in beer AND speech].
One can create a secure organization with very little money.
There are a lot of unnecessary IT "expenses", like the latest BS convention, i.e. VoiceCon, InterOP, etc. Trim the fat from IT, and people will see what can be done for very little money.
We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords and annoying pop-ups caused by blocking Active-X components, we still get several people throughout the week who report virus infections on their work PCs.
We have people who install Firefox to get around the IE settings so they can visit sites that they know are not permitted. We have people who browse torrent sites and adult sites and are "shocked" when we show them the links in the history. We've had people who blatantly admit "Yeah, I let my kids play on my company issued PC and they find ways around that stuff."
Maybe that's why the security budgets get cut. You can only secure so much until you secure it by locking out the user entirely.
Those who believe the Internet is private,
find their privates are on the Internet.
It's just that companies would rather buy something than use their highly-skilled security staff. Or maybe their security staff isn't so skilled, and that's why they require the expense of ridiculously expensive canned security software, vs. designing an infrastructure that makes sense and using the best of breed tools for the job mixing open source, in-house, and commercial stuff.
I have seen a lot of places that insist on buying a "solution" to the problem, when in fact the solution barely touches the problem. It works around a lot of things, but never really hits right on it. So you've spent a lot of money on something that doesn't really do the job of a person in that role.
The funny part about security is that for all its sex appeal, real security is actually pretty boring. Oh, the hotness of configuration management using tools that are already available on the Windows or Linux box. How your endorphins get moving at the sight of a patched box on patch day. Or the sheer porn of being able to look at your log files and know that all is good.
We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, controlling which software you allow, and enforcing strong authentication. This doesn't have to cost a lot of money.
-- Who is the bigger fool? The fool or the fool who follows him? --
The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets.
A fat budget won't help you buy what you need to fix this problem: Smarter users.
#fuckbeta #iamslashdot #dicemustdie
This article isn't particularly informative, especially in regard to the areas where spending will be reduced. This isn't a very effective way to assess the state of security -- to do that it must be within the context of the industry/business, and preferably of IT in general. If budgets are generally being cut by 20%, then the fact that security is seeing the same cut is nothing special. Further, budget is only part of the picture: institutional priorities are also very important. How is the allocation of staff time changing? What kind of changes are going on in terms of institutional strategic planning?
I'm fortunate to manage an IT department at a company that values security. We do routine audits and pen test our own systems -- occasionally we find a hole, and we fill it. I've never been pressured to skimp on security.
Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) it takes much more time.
If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.
Facts have a liberal bias.
But well, if the scenes you described do happen, the security professional wasn't good enough at what he does.
The job isn't only to find out what the security risks are. He needs to analyze them: how likely the risk is, how expensive it is to fix, what is the worst thing that happens if it doesn't get fixed. If those analyses are accurate and important and the expert has any authority, he should be able to convince any management to look into the matter or at least make an educated decision not to fix it.
If a teacher says that the children just won't understand something, in most cases there is some fault in the teacher and her methods too. If a security expert says that the manager just doesn't understand something, there is usually some fault in the expert too. It is his job to make sure that the manager understands the subject and he can do it if he is given any credibility. If he isn't, he either has already messed up or the company never cared about the subject in the first place.
I'm not saying that the problem is always with the expert. But experts (=people whose responsibility is to explain something to people who don't understand it) often fall back on "They just don't listen/understand" very easily.
It is not the expert's job to understand something. Nobody else benefits from that knowledge. His job is to make sure others understand the issue.
I wanted to get back to contracting and do some more security work, because I miss it.
I was stunned by the fact that so many companies are now not looking for professionals with low-level experience, like before, but rather for people who have experience in paperwork. ITIL, ISO xxxxx, bla, bla, bla.
It's as if people are not actually DOING security anymore, but are just writing and debating about it.
No wonder they have budget issues, when they don't know what they're doing, so they need to spend lots of money to cover it.
Deja vu.
In June of this year, my employers had a major business continuity scenario - an electrical fault with the UPS took out a lot of desktops, several servers and most of our network connectivity on one phase. This was at 6PM on a Friday. Not only is it incredibly hard to get your standard suppliers to ship any replacement gear for the following day on a weekend, it's incredibly hard to actually get to talk to anyone! Now, I only recently took over the infrastructure management role, and one of my first goals was to put into place a proper Business Continuity plan. We have alternative premises with a major continuity provider on contract, but we have no plan, and our actual capacity requirement now far exceeds what it was when the original alternative premises arrangement was put in place.
When this event happened, we were in a very touch and go situation - we did not know if we could recover the business for opening on Monday. And we are extremely IT reliant!
To cut a long story short - through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue.
When that event happened, my BCM plan had been on the desks of the company leadership for a month. After that event, it got bumped up to the next board meeting. And at that board meeting, the entire plan was indefinitely postponed due to funding. No intermediate plan was asked for, no alternative. The plan had several different levels of expenditure to choose from, and they ignored all of them.
Barely one month after a 'can we continue to run the business' situation, the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.
I now have several interviews elsewhere. The sooner I can get out of here, the better.
Posted anonymously for obvious reasons.
No one has enough money in the budget for security, until a break-in nearly disables them. What are the chances? (Fire your security staff, and find out!)
Similarly, make copies of Windows to deploy on your business floor, ask "what are the chances?", and you'll find out. *I* didn't call, but a year or so after I left, I was told the company that had tried to get ME to pirate Microsoft Windows 98 got a visit from the BSA. And as you all know, they don't leave without a fire alarm being pulled or a $100,000 check.
When the budget thins, you cut extras; security isn't an extra. Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security.
--- For a good time mail uce@ftc.gov
cheaper and faster.
Single sign-on.
Automated OS updates.
Proxied web access.
Centralised system logging.
Sync'd backups.
All make life easier for users and administrators.
So often though, security just seems to get in the way.
At least it has been for several decades. The current economy has just made that worse. People are worried that if you have a bad quarter your stock will go in the toilet and kill your company. However, the flip side is squeezing the best earnings possible out of each quarter, without regard to the fact that if you invest a little more now, you might get a huge windfall 3 years from now.
Security for companies is the same as security for that poor family in the inner city. It would be nice to have a security system to protect them, but there is just no money to spend on it.
"All great wisdom is contained in .signature files"
Everyone knows that computer security is provided by AntiBadness software that magically cleans all badness from your computers. Money is much better spent on applications that look pretty.
Having to work for a living is the root of all evil.
Infosec has jumped the shark.
- There are too many nitwits in the community. So much money has been wasted on the posers.
- Premium capital for "the best protection" (which is still vulnerable) vs. moderate capital and common sense (which is still vulnerable). The latter wins in this economy.
- Don't play the TJX card, either... their stock went up, their customer numbers have risen; no one cares about that breach (or no one who cares has been LOUD enough). If the bottom line wasn't really affected that much by that breach and exposure, it's simple to understand why bean-counters moderate infosec purchases in the name of profit.
- The biggest problem is the users. And nothing infosec does will stop stupid people from being stupid.
It's difficult to counter the above perceptions, regardless of whether the perception is right or wrong. I don't think it will get much easier to counter those perceptions.
"Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security." - by WheelDweller (108946) on Monday July 27, @10:38AM (#28837021)
You're trying to make it sound as if "Linux is the 'holy grail of security'", & it's not (because the link below shows it clearly is not - not as it is set up by default, & Bert64, a user here, illustrated that plainly enough, because I used HIS results on Linux in fact, in said guide below).
So - that all "said & aside"? Well... no OS is perfectly "security-hardened", @ least "as is", from the oem & as they are shipped to BOTH typical "end users" OR corporate bodies... period!
(Which is WHY you all have to ask yourselves "Why has MS shipped the United States Military 'security-hardened' versions of its Windows OS', & not the rest of us?", because MS HAS, 2x now that I am aware of @ least, in 2004, & recently again, THIS YEAR...)
Want THAT kind of security on a Windows rig? It's doable, & QUITE EASILY, via a good tool that guides folks for it, via a checklist of "industry best practices", & 1 that makes it as simple as running a PC benchmark for performance gauging really, per this:
----
HOW TO SECURE Windows 2000/XP/Server 2003, & yes, even VISTA (& its descendants), + make it "fun-to-do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=aeba48c4aeccd4a426f664b5db5574e8&showtopic=2662
----
Results? Ok:
http://www.xtremepccentral.com/forums/showthread.php?s=b38271cfc7ef82deafc78e2e2ef23a0f&t=28430&page=3
----
"It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half-life in Windows that you usually get. He said good point. So from 2008 till 2009: no speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled, besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciative too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to System Service, rather than Local System. (except AVG updater, needed Local System)" THRONKA user @ xtremepccentral.com
----
All with MOSTLY "native tools" already in your OS, or web browsers (the MAIN 'disease vector', via JavaScript especially (THIS NEEDS REVISION THE MOST; where is that ECMAScript revision already, in other words?))... &, some 'good practices' to adopt on the part of end users, which CAN make ALL THE DIFFERENCE, period.
APK
P.S.=> No, there is NO EXCUSE for laziness - & budget conservation's just FINE, that is, until you are hit by a security breach, & then you face lawsuits galore, for negligence... think about THAT much, CIOs/CTO's... apk
Sorry... but it is about damn time. Security has gotten this halo around it, where those of lackluster abilities are setting the direction of company business based on the model of "OMG, a Bear!", while those of us analysts who actually produce information and analytics crucial to the company's success are sitting in the unemployment line. Too often have I seen developmental work that would introduce efficiencies into the organization blocked by a security analyst who hasn't the first clue about the work I do. That, and too many of the folks I fired end-ran the non-compete and conflict of interest policies to get somewhere they won't get fired from, because they are "security".
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101