Slashdot Mirror
Shrinking Budgets Tie Hands of Security Pros
An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."
The survey is reporting something that every single security professional that has managed a budged had known for a long time, even before the recession (except may be the preriod around Y2K)
:-)
The sad truth is, at most companies management sees security is an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice of keeping the servers functioning or users getting phished, the CIO opts for more pressing need. (at 99% of the places, the security function reports to the CIO or CTO but that is for another bitching session)
Then of course something goes wrong, and the security person gets yelled at because s/he did not do his job. So then the coffers open, and the company spends a ton of money that could have been fixed for less at the right time (TJX breach).
The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (Point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.
And always keep your resume updated
When the budget cut has gone far enough to strip down all security, certificates expires, competence leaves ship and nobody really knows how it works anymore. Then the cybercriminals enters the systems and use them for their purposes.
And management sits there looking completely confused because they have cut down on the people knowing how to do security.
Especially bad is it if it's about having a system that handles large amounts of economic transactions and are storing credit card and personal information about a lot of people.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
People always seem to think Security is something you can BUY. You can't really 'purchase' security, all you can do is implement policies, and select tools to assist in creating and implementing those policies.
Most of these tools are free [is in beer AND speech].
One can create a secure organization with very little money.
There are a lot of unnecessary IT "expenses", like the latest BS convention ie: VoiceCon, InterOP, etc. Trim the fat from IT, and people will see what can be done for very little money.
We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords and annoying pop-ups caused by blocking Active-X components, we still get several people throughout the week who report virus infections on their work PCs.
We have people who install Firefox to get around the IE settings so they can visit sites that they know are not permitted. We have people who browse torrent sites and adult sites and are "shocked" when we show them the links in the history. We've had people who blatantly admit "Yeah, I let my kids play on my company issued PC and they find ways around that stuff."
Maybe that's why the security budgets get cut. You can only secure so much until you secure it by locking out the user entirely.
Those who believe the Internet is private,
find their privates are on the Internet.
It's just that companies would rather buy something than use their highly-skilled security staff. Or maybe their security staff isn't so skilled, and that's why they require the expense of ridiculously expensive canned security software, vs. designing an infrastructure that makes sense and using the best of breed tools for the job mixing open source, in-house, and commercial stuff.
I have seen a lot of places that insist on buying a "solution" to the problem, when in fact the solution barely touches the problem. it works around a lot of things, but never really hits right on it. So you've spent a lot of money on something that doesn't really do the job of a person in that role.
The funny part about security is that for all it's sex appeal, real security is actually pretty boring. Oh the hotness of configuration management using tools that are already available on the windows or linux box. How your endorphins get moving at the sight of a patched on patch day. Or the sheer porn of being able to look at your log files and know that all is good.
We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, and controlling which software you allow, and strong authentication enforcement. This doesn't have to cost a lot of money.
-- Who is the bigger fool? The fool or the fool who follows him? --
The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets.
A fat budget won't help you buy what you need to fix this problem: Smarter users.
#fuckbeta #iamslashdot #dicemustdie
This article isn't particularly informative, especially in regards to areas where spending will be reduced. This isn't a very effective way to assess the state of security -- to do that it must be within the context of the industry/business, and preferably to IT in general. If budgets are generally being cut by 20%, then the fact that security is doing that is nothing special. Further, budget is only part of the picture: institutional priorities are also very important. How is the allocation of staff time changing? What kind of changes are going on in terms of institutional strategic planning?
I'm fortunate to manage an IT department at a company that values security. We do routine audits and pen test our own systems -- occasionally we find a hole, and we fill it. I've never been pressured to skimp on security.
Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) it takes much more time.
If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.
Facts have a liberal bias.
I wanted to get back to contracting and do some more security work, because I miss it.
I was stunned by the fact that so many companies are now not looking for professionals with low-level experience, like before, but rather for people who have experience in paperwork. ITIL, ISO xxxxx, bla, bla, bla.
It's as if people are not actually DOING security anymore, but are just writing and debating about it.
No wonder they have budget issues, when they don't know what they're doing, so they need to spend lots of money to cover it.
Deja vu.
In June of this year, my employers had a major business continuity scenario - an electrical fault with the UPS took out a lot of desktops, several servers and most of our network connectivity on one phase. This was at 6PM on a Friday. Not only is it incredibly hard to get your standard suppliers to ship any replacement gear for the following day on a weekend, its incredibly hard to actually get to talk to anyone! Now, I only recently took over the infrastructure management role, and one of my first goals was to put into place a proper Business Continuity plan. We have alternative premises with a major continuity provider on contract, but we have no plan and our actual capacity requirement now far exceeds what it was when the original alternative premises arrangement was put in place.
When this event happened, we were in a very touch and go situation - we did not know if we could recover the business for opening on Monday. And we are extremely IT reliant!
To cut a long story short - through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue.
When that event happened, my BCM plan had been on the desks of the company leadership for a month. After that event, it got bumped up to the next board meeting. And at that board meeting, the entire plan was indefinitely postponed due to funding. No intermediate plan was asked for, no alternative. The plan had several different levels of expenditure to choose from, and they ignored all of them.
Barely one month after a 'can we continue to run the business' situation, the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.
I now have several interviews elsewhere. The sooner I can get out of here, the better.
Posted anonymously for obvious reasons.
No one has enough money in the budget for security, until a break-in nearly disables them. What are the chances? (Fire your security staff, and find out!)
Similarly, making copies of Windows to deploy on your business floor and ask "what are the chances?" and you'll find out. *I*didn't*call*, but a year or so after I left, I was told the company trying to get ME to pirate Microsoft Windows 98 got a visit from the BSA. And as you all know, they don't leave without a fire alarm being pulled or a $100,000 check.
When the budget thins, you cut extras; security isn't an extra. Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security.
--- For a good time mail uce@ftc.gov
First, you are assuming that the security pro actually gets an opportunity to explain the risks. You'd be surprised how rare that is.
Next: if you do a great job and nothing happens, management actually starts wondering why a security person or department is needed. Lastly, and most importantly as the grand-parent pointed out:
- the dollars are finite.
- if there is an order to cut budget, do you think it will be [a] lay off the windows guy, or [b] lay off the security guy and have the windows guy do some of the security work?
If you pick [a], you don't know how security is viewed by management
At least it has been for several decades. The current economy has just made that worse. People are worried that if you have a bad quarter your stock will go in the toilet and kill your company. However, the flip side is getting earnings as best as possible from quarter to quarter, without regard to the fact that if you invest a little more now, you might get a huge windfall 3 years from now.
Security for companies is the same as security for that poor family in the inner city. It would be nice to have a security system to protect them, but there is just no money to spend on it.
"All great wisdom is contained in .signature files"
Everyone knows that computer security is provided by AntiBaddness software that magically cleans all badness from your computers. Money is much better spent on applications that look pretty.
Having to work for a living is the root of all evil.
That old adage is eternally true... "the squeaky wheel gets the grease". The Windows guy that fixes stuff is seen as more valuable than the guy who prevents those things from going wrong in the first place. It's simply a human weakness. Reaction is observable, prevention isn't.
My blog. Good stuff (when I remember to update it). Read it.
Infosec has jumped the shark.
- There are too many nitwits in the community. So much money has been wasted on the posers.
- Premium capital for "the best protection" (which is still vulnerable) vs. moderate capitol and common sense (which is still vulnerable). The latter wins in this economy.
- Don't play the TJX card, either... their stock went up, their customers numbers have risen; no one cares about that breach (or no one cares thats been LOUD enough). If the bottom line wasn't really affected that much over that breach and exposure, its simple to understand why bean-counters moderate infosec purchases in the name of profit.
- the biggest problem is the users. And nothing infosec does will stop stupid people from being stupid.
Its difficult to counter the above perceptions, regardless if the perception is right or wrong. I don't think it will get much easier to counter those perceptions.
Sometime they don't want to understand and they don't want to know. They are not negligent if they did not know, they have insurance against theft. Lots of business might be happier locking the door with a deficient (but not terribly so) and figure on filing an insurance claim if something even happens than with spending $$$ to build the uncrackable system.
When the insurance industry starts doing IT security audits and adjusting rates accordingly you will Management change their minds on security spending.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Sorry... but it is about damn time. Security has gotten this halo around it, where those of lackluster abilities are setting the directions of company business based on the model of "OMG, a Bear!", while those of us analysts that actually produce information and analytics crucial to the company's success are sitting in the unemployment line. Too often have I seen developmental work that would introduce efficiencies into the organization blocked a security analyst who hasn't the first clue about the work I do. That, and too many of the folks I fired end-ran the non-compete and conflict of interest policies to get somewhere they won't get fired from, because they are "security".
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
That old adage is eternally true... "the squeaky wheel gets the grease". The Windows guy that fixes stuff is seen as more valuable than the guy who prevents those things from going wrong in the first place. It's simply a human weakness. Reaction is observable, prevention isn't.
You should be moded +20 insightful. I work for a living (well below my education) building pools (I love it, actually).
A friend and I run a server together part time. He is a good problem solver, while I am good at avoiding them. I do more work on the server because I read various security related websites and blogs (/. [LOL!!!] cDc, governmentsecurity.org et al... Sorry, my bookmarks are on my work PC). My work on the server is done through a "test box" and then applied after. All my friend's work is done on the real box. Guess who is more "revered" by MGT? Not me, the guy whom prevents 10,000 attacks a month - the guy that fixes one is god there. The reason that they don't fire me, is that they see me as extremely helpful to my friend by reading logs, etc.
Here's the clincher, I got him his job. I taught him what he knows.
The Illuminati would kill me, but I'm not rich enough to take notice of.