Security technology spending is at an all-time high. Determining the right strategy to reduce cost is essential to security planning and to any CISO’s agenda. Consider implementing the following seven ways to optimize new security technology investments.
- Consolidating security vendors for a given solution reduces cost through volume discounts and by avoiding the costs that come with increased complexity, risk, downtime and staff management.
- Reducing the number of endpoint agents reduces cost by decreasing the complexity of the environment, the testing cycles per agent, and the administrative staff time required.
- Negotiating hardware and software licensing, as well as security professional services, for longer periods of time allows security vendors to reduce paperwork and management costs; those savings can in turn be passed back to the organization.
- Implementing adequate security protections can reduce costs associated with employee productivity loss, security breaches, as well as the IT labor costs associated with endpoint infections, managing signatures, false positives, tuning, etc.
- Using automated software to provide agent updates, tuning, patches, and signatures reduces costs associated with employee productivity loss and IT labor management.
- Reducing the complexity of the environment by consolidating consoles for items such as endpoint and network technology, logging, or security configuration management provides faster access to relevant data and to possible security incidents. Less complexity and faster access reduce costs by decreasing the infection rate and reducing IT labor.
- Focusing on the primary business while outsourcing certain security functions should be evaluated regularly. Some costs may be reduced by avoiding security infrastructure and software costs as well as additional IT labor and training costs.
Whether defending against common malware or a determined nation state, being able to proactively detect attacks and changes in the organization is required. Over the past year I spent a large amount of time helping several organizations set up and put in place the right people, processes, and technology to defend against increasing security threats. Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7, these organizations were still lacking two fundamental items.
- First, the people, although good at monitoring, lacked an attack and threat mindset. The staff was not able to tell when an actual attack was happening.
- Second, the organizations lacked the basic security operations processes required to keep track of and make appropriate use of the vast amounts of data.
As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations set up a centralized core and embark on developing the correct operational processes. Although I don’t address item number one above, this paper explains the following in detail.
- Defining the SOC
- Determining the Processes
- Understanding the Environment that needs to be protected
- Identifying the SOC Customers
- Staffing the SOC
- Managing the Events
- Leveraging ITIL compliance
Creating and Maintaining a SOC – The details behind successful Security Operations Centers
If your organization is under attack and you have invested in more people and technology, be sure to implement the right processes and build a foundation for future defense.
I have been using this blog to track a good number of search hits looking for security staffing and governance. Unfortunately, when you search there is not much out on the Internet. If anyone is interested let me know and I will start an open source project off this blog to create a governance and staffing solution/program.
For those who have little or no knowledge in this area, I suggest you review the Security Task Force documentation and the EDUCAUSE updates located here:
EDUCAUSE Information Security Governance Assessment Tool
For an open source program I would like to build off the current work, but also place much more emphasis on the organizational charts and the roles and responsibilities. If you are interested please let me know and we can get everyone together and create an updated model for multiple industries.
The polls are open!
While visiting this site please check out the new IS Management page and contribute to the voting polls.
If you would like to see new or different polls added let me know.
This whitepaper has a good overview of the key components of a risk-based security plan, which have been put into practice on several occasions. It provides good direction with a decent amount of detail.
Site Requires Registration:
The document is about 12 pages and explains the steps from performing a risk assessment, to developing a security plan, to determining the security budget.
One of the key problems a security manager must tackle is defining the budget for security training. Many awareness program guides break it out into a method similar to the following:
- Identify security roles and responsibilities
- Conduct a needs assessment
- Identify the gaps
- Develop and implement the training plan
The key step here is the identification of roles and responsibilities. Identifying security roles and responsibilities is probably one of the most important fundamental aspects of a successful security program. Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, when defining the core security staff’s training it is important to build on the role definitions by creating a skills identification table. A skills identification table will work for most organizations because it provides a quick profile of each security professional. To create a skills identification table, use Excel or a similar program and set up a structure similar to the one shown in the table below.
List each employee in the security program in the left column and then ask each of them to fill in their certifications and training. Columns should be added for all security certifications and training associated with employees. This information will give the security leader a view of the organization’s current security capabilities. It will also make it easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications. For career planning you could also expand this model to include a section for desired certifications, training, or expertise.
Applying to Budget
Now that each employee has provided their information, the identification table can be used to help with the annual training budget. Ideally the security leader should set the annual training budget to cover at least one training session a year for each employee. The security leader should also take one training course a year, but if cost becomes an issue, then offset the security leader’s training by attending conferences and conventions. Where possible, training schedules and classes can be used to prepare for new corporate projects by selecting training that matches specific project needs. Otherwise, training should be defined with each employee based on their career goals and the goals of the organization.
Depending on the size of the core security team, an average week of training may cost anywhere from $2500 to $5000 depending on location and accommodations. To define an annual budget, take the number of staff and budget $5,000 per person annually. For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training. Determining the actual classes beforehand will help predict the budget more accurately and possibly save on travel costs. If you are in a large organization, especially one that is decentralized, the budget may increase significantly. One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training. In this situation budgeting will have to be performed by contacting one or more vendors to obtain pricing quotes. Keep in mind there may be an issue with taking a large number of employees away from their regular work.
Overall there are several advantages to this staffing and budgeting approach. One immediate advantage of increasing security training may be reduced consulting costs. Another advantage is increased employee morale, as well as improved overall security.
There is an article on The Register web site claiming security spending has soared to 20% of the IT budget. This is based on a poll of 1070 organizations.
It is a shame the article doesn’t provide more detail. It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed. Does this review include staffing, business continuity, disaster recovery, application security, etc.?
My experience shows that most organizations can’t account for the actual security dollars spent. When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget with the exception of the major financial firms and a few others. These numbers are also pretty much in line with the CSI/FBI annual surveys conducted.
- What is your experience?
- Can you account for your total security budget?
- What does that budget include?
Unfortunately this area of security is still lacking in the amount of free information available to the public and many of the assessments are limited to less than 1000 respondents. I would be happy to post some links on this site if anyone has some good free resources or whitepapers.
Risk assessments almost always produce one finding consistently: a lack of defined roles and responsibilities. The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities. Before writing this I went through about 20 different organizations’ policy documents to see if any listed roles and responsibilities the same way. In most cases I noticed one of three solutions.
Solution 1 did not include clearly defined roles and responsibilities. These documents contained a few responsibility statements that were scattered through different areas of the main security policy or policies.
Solution 2 was the most consistent across all documents reviewed. This solution usually defined three specific roles and responsibilities. These are information owner, information custodian, and information user. Each of these three roles had several statements defining their responsibilities, while there were additional statements scattered through all different sections of the policy document.
Solution 3 appeared more consistently in policy documents that were broken up into smaller documents or were much shorter in overall length. This solution usually had specific roles such as Firewall Administrator, CSO, System Administrators, Compliance Officer, Audit, etc. In most cases each of these roles had several bulleted responsibilities listed.
The best solution is the one that works within your organization and causes the least confusion. If risk assessments are performed regularly, then make sure the roles and responsibilities are written to address the risk assessment requirements. Two methods usually work.
The first is to combine solution 2 and 3 and write a separate roles and responsibilities document or section of the overall policy. This way there are many roles and responsibilities defined, which are easy to find because they are listed all in one place.
The second is to use solution 2 near the beginning of the policy document (or in a separate policy document), then in each section of the policy (or each smaller policy document) write a roles and responsibilities subsection with more detailed roles.