IT departments are continually looking to upgrade their network security, but often have limited budgets. As management continues to lower funding for information security initiatives, IT staff must look for ways to spend dollars that will get them the most bang for the buck. Here, Knowledge Center contributor Jon-Louis Heimerl offers five tips for IT professionals on how to strengthen their network security on a smaller budget.
Times are tough. The economy is down. Spending is controlled. And your budget is cut. Specifically, your security budget has been hacked to pieces because ROI for security is a pretty tough sell. As management continues to decrease funding for IT and information security initiatives, IT professionals need to focus spending dollars where they will get the most for their money.
The reality is, in today's economy, information security professionals must do more with less funding, less training and, more often than not, not enough internal staff to support the organization's business requirements. So, as IT budgets continue to shrink, how can you secure your network? Here are five tips on how to improve your security program by doing more with less.
Tip No. 1: Share the load
Chances are there are a variety of groups within your organization that have some responsibility for information security. At most kickoff calls, attendees include representatives from several different business units who are all required to provide project support.
Start identifying people now from areas besides the information security group, such as audit (yes, audit), IT, human resources and legal, to determine if your current initiatives match theirs, and then consolidate. You will need as much leverage as possible to support your needs and requirements, so partner with your internal people to see how they are planning to meet their requirements. See if you can leverage resources to achieve a common goal.
For example, if you have any PCI (Payment Card Industry) initiatives, did you know that if you have people who are trained to perform external penetration testing, you do not need to hire an external firm to meet your 11.3 requirements? You just need to make sure your people scope the environment accurately, and then work with your PCI assessor and your internal audit group to determine if they will accept the report. Save any dollars here for application security testing or any other initiative that requires specific expertise.