Shrinking Budgets Tie Hands of Security Pros
An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."
The survey is reporting something that every single security professional who has managed a budget has known for a long time, even before the recession (except maybe the period around Y2K)
:-)
The sad truth is, at most companies management sees security as an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice of keeping the servers functioning or users getting phished, the CIO opts for the more pressing need. (At 99% of places, the security function reports to the CIO or CTO, but that is for another bitching session.)
Then of course something goes wrong, and the security person gets yelled at because s/he did not do his job. So then the coffers open, and the company spends a ton of money on something that could have been fixed for less at the right time (TJX breach).
The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (Point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.
And always keep your resume updated.
When the budget cut has gone far enough to strip down all security, certificates expire, competence leaves the ship and nobody really knows how it works anymore. Then the cybercriminals enter the systems and use them for their purposes.
And management sits there looking completely confused because they have cut down on the people knowing how to do security.
It's especially bad if it's a system that handles large amounts of economic transactions and stores credit card and personal information about a lot of people.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords and annoying pop-ups caused by blocking ActiveX components, we still get several people throughout the week who report virus infections on their work PCs.
We have people who install Firefox to get around the IE settings so they can visit sites that they know are not permitted. We have people who browse torrent sites and adult sites and are "shocked" when we show them the links in the history. We've had people who blatantly admit "Yeah, I let my kids play on my company issued PC and they find ways around that stuff."
Maybe that's why the security budgets get cut. You can only secure so much until you secure it by locking out the user entirely.
Those who believe the Internet is private,
find their privates are on the Internet.
It's just that companies would rather buy something than use their highly-skilled security staff. Or maybe their security staff isn't so skilled, and that's why they require the expense of ridiculously expensive canned security software, vs. designing an infrastructure that makes sense and using the best of breed tools for the job mixing open source, in-house, and commercial stuff.
I'm fortunate to manage an IT department at a company that values security. We do routine audits and pen test our own systems -- occasionally we find a hole, and we fill it. I've never been pressured to skimp on security.
Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured Linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a Linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) it takes much more time.
If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.
Facts have a liberal bias.
We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, and controlling which software you allow, and strong authentication enforcement. This doesn't have to cost a lot of money.
Actually, doing all of these things does cost money - you need to have someone hired on that can do all of these things, and you have to pay them a salary.
In the long term, it's not a lot of money. But short-term thinking appears to be taking over in this economy. Especially if management deems there to be no immediate threat in not having basic safeguards in place.
Karnal
Depends on how you see it. Users are dumb, so if you spend your money to train your staff and make them just a tiny bit smarter, then your investment is worth it.
On the other hand, if you search for a purely technical solution, you are bound to fail; there I agree with you.
Sadly, management often does not have the foggiest idea of how to allocate resources in a smart way in this area, so I don't expect the situation to improve any time soon.
In June of this year, my employers had a major business continuity scenario - an electrical fault with the UPS took out a lot of desktops, several servers and most of our network connectivity on one phase. This was at 6PM on a Friday. Not only is it incredibly hard to get your standard suppliers to ship any replacement gear for the following day on a weekend, it's incredibly hard to actually get to talk to anyone! Now, I only recently took over the infrastructure management role, and one of my first goals was to put into place a proper Business Continuity plan. We have alternative premises with a major continuity provider on contract, but we have no plan and our actual capacity requirement now far exceeds what it was when the original alternative premises arrangement was put in place.
When this event happened, we were in a very touch and go situation - we did not know if we could recover the business for opening on Monday. And we are extremely IT reliant!
To cut a long story short - through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue.
When that event happened, my BCM plan had been on the desks of the company leadership for a month. After that event, it got bumped up to the next board meeting. And at that board meeting, the entire plan was indefinitely postponed due to funding. No intermediate plan was asked for, no alternative. The plan had several different levels of expenditure to choose from, and they ignored all of them.
Barely one month after a 'can we continue to run the business' situation, the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.
I now have several interviews elsewhere. The sooner I can get out of here, the better.
Posted anonymously for obvious reasons.
First, you are assuming that the security pro actually gets an opportunity to explain the risks. You'd be surprised how rare that is.
Next: if you do a great job and nothing happens, management actually starts wondering why a security person or department is needed. Lastly, and most importantly, as the grandparent pointed out:
- the dollars are finite.
- if there is an order to cut budget, do you think it will be [a] lay off the Windows guy, or [b] lay off the security guy and have the Windows guy do some of the security work?
If you pick [a], you don't know how security is viewed by management.
In a recession, security is the last thing a business should cut.
The unemployment rate is high. This means that people who wouldn't think of things in normal times would turn to other means to supplement their income to keep a roof over their family's heads. So, someone who would normally give the finger to someone overseas asking for brief use of a username/password for $500 would happily give it in these times in order to keep the repo man away for another month.
More criminal organizations (domestic and overseas) realize there are profits to be made in capturing stolen laptops, not just for the hardware but for the data on the machine. The data can be sold, or used for blackmail or extortion.
Employees are more likely to be disgruntled due to layoffs and cutbacks. So, vandalism and outright internal theft are on the rise.
There are a lot more regulations than before that make companies face shareholder lawsuits and corporate officers face prison time should a major breach occur and a breach in process be found.
Software CD keys are worth money, and a divulged volume CD key can force a company to re-buy every single license of a product as per EULA stipulations.
Outside attacks are more and more sophisticated as time goes on. To use an auto analogy, car companies are not using the same disc cylinder used on autos in the 1950s; they have moved to sidewinder cuts and "laser cut" keys. Same with security. A company has to keep abreast of new threats as a matter of life, just as CCTV cameras and bump-resistant locks on the doors are now the standard.