Times are tough. The economy is down. Spending is controlled. And your budget is cut. Specifically, your security budget has been hacked to pieces because ROI for security is a pretty tough sell. As management continues to decrease funding for IT and information security initiatives, IT professionals need to focus spending dollars where they will get the most for their money.
The reality is, in today’s economy, information security professionals must do more with less funding, less training and, more often than not, not enough internal staff to support the organization’s business requirements. So, as IT budgets continue to shrink, how can you secure your network? Here are five tips on how to improve your security program by doing more with less.
Tip No. 1: Share the load
Chances are there are a variety of groups within your organization that have some responsibility for information security. At most kickoff calls, attendees include representatives from several different business units who are all required to provide project support.
Start identifying people now from areas besides the information security group such as audit (yes, audit), IT, human resources and legal to determine if your current initiatives match theirs, and then consolidate. You will need as much leverage as possible to support your needs and requirements, so partner with your internal people to see how they are planning to meet their requirements. See if you can leverage resources to achieve a common goal.
For example, if you have any PCI (Payment Card Industry) initiatives, did you know that if you have people who are trained to perform external penetration testing, you do not need to hire an external firm to meet PCI DSS Requirement 11.3? You just need to make sure your people scope the environment accurately, and then work with your PCI assessor and your internal audit group to determine if they will accept the report. Save any dollars here for application security testing or any other initiative that requires specific expertise.
How to Strengthen Network Security on a Smaller Budget
Tip No. 2: Hire the expertise you need, not what you might want
Many organizations think a one-time cost (aka, buying technology) will solve “the problem.” It is easier to think an internal scanner will resolve an issue because it is a tangible thing. The problem with this way of thinking? Integration, implementation, training and maintenance can be very expensive.
If you don’t have the expertise in-house to support the purchase right out of the box, why not put the decision on hold for one year and hire an external company whose expertise you need, without having to expend capital? At the very least, you can learn from what they do and use that information to better plan a future solution.
Let’s take that internal scanning requirement as an example. Thanks to the PCI DSS, you may want a scanner to meet a requirement. However, you may not have an employee who is qualified to run the scanner and remediate the vulnerabilities. Having the piece of technology is only half of the battle.
The business requirement remains, but you don’t have people with immediate or deep expertise. Try outsourcing scanning for one year to evaluate all solutions before you invest dollars in a permanent purchase. This allows you to evaluate what your business requirements are in the long term and determine whether your organization can best support the business with an in-house solution (internal scanning, in this example) or with an MSSP (managed security services provider). Ask yourself which solution lets you focus on what you and your group do best, while outsourcing what your vendors do best. This way, you remain focused on exactly what your business needs.
Tip No. 3: Pick the right MSSP
An MSSP should show you a clear path to meeting your business goals and prove that its solutions meet your business requirements and save you money. Any MSSP or other vendor should bring value to the organization. Any proposal should detail methodologies and technical strategies that are suitable for your specific needs.
Don’t tailor your business to meet the MSSP; select an MSSP that can truly meet your needs. Your success will come from having chosen the best solution for your business requirements, which means the solution must show thought leadership (beyond just the latest technology) and a clear road map. This will allow you to focus on your area of expertise: your business. Outsource what you must, and leverage outside MSSPs and consultants to do what they do best.
Tip No. 4: Hire a partner, not a vendor
You need to partner with an external company with which you can find the solutions you need now, while also planning for the future. Will you have an internal point of contact to work with? Are the managers and executives available and involved, so you can judge the level of customer service? Pick external companies that can show technical depth, as well as a plan for the future, so that you can ensure their future plans meet yours.
Tip No. 5: Invest (yes, invest) in your team’s technology and information security training
Nothing causes disruption like employee turnover. People need to know that they are valued, an acknowledgement that most information systems and security professionals appreciate. So be creatively proactive with a training agenda. Leverage Internet training and local ISSA (Information Systems Security Association) meetings. Create study groups for the CISSP (Certified Information Systems Security Professional) or other professional certifications. Conduct internal lunch-and-learns.
At the very least, encourage staff to keep up on technology and security, and then actually give them time to do so. Ask your vendors for help as part of their contracts. Now is the time to let your good employees know that their concerns are yours. Turnover will cost your organization more than the actual cost of the training.
It’s critical to not lose sight of what is important to your company’s survival, especially during these difficult economic times. Your network can still be secure, even on a smaller budget.
Jon-Louis Heimerl is Director of SAAS Development for Solutionary, Inc. Jon-Louis has over 25 years of experience in security and security programs. His background includes everything from writing device drivers in assembler to running a worldwide network operation center for the United States government. Jon-Louis has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. His consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises. He can be reached at jonheimerl@solutionary.com.