How to optimize your security budget
By Darryl Wilson
In times of economic uncertainty, corporate IT departments often feel pressure to curb spending. However, security threats keep growing, and they put business continuity, finances, organizations’ reputations and intellectual property at risk. With no foreseeable end to these risks, security programs should always remain a top priority.
As a result, we’re seeing enterprises turn to IT consulting and system
integration firms for advice on how to get the most out of their
security budget. By planning ahead and aiming to enhance operational
efficiencies, organizations can prioritize expenditures and implement
programs that improve their security posture.
I’ve been asked on numerous occasions to provide advice on the one
thing organizations can do to improve security. While improvements to
security are no doubt multi-pronged, my best one-item recommendation is
for organizations to build a strong security program and risk
management strategy. This program would have multiple elements
including strong governance, an oversight committee and a well-executed
educational program. In addition, the security management program
should be mapped to best practice standards like ISO 27001 and contain
embedded procedures for ensuring security is built into the fabric of
In addition to that one major recommendation, in times of strapped
resources and scrutinized expenditures, organizations should prioritize
their budgets to do the following:
Understand and protect against risk
According to Warren Shiau, lead analyst, IT Research with The Strategic
Counsel in Toronto, an important rule of thumb is that technology is
applied to automate processes, and that if you apply technology to
broken processes for security you don’t accomplish much. It’s crucial
to understand things before you get into applying technology —
including what risks you’re facing and the sources of those risks in
your processes — and then map out how you will use technology to help
As always, proactive (rather than reactive) security strategies are
preferred, and it’s recommended that organizations adopt a tiered
protect/detect/respond strategy for optimal coverage. A vulnerability
assessment can give senior executives a view of their company’s
information security risk profile — complete with red flags,
recommendations for remediation and budgetary priorities. In addition,
risk and vulnerability management tools can help find and track network
exposures, maintain an up-to-date inventory of endpoints and network
assets, and help drill down to root causes.
Consolidate to gain operational efficiencies
Good news first: The majority of organizations that have implemented
defense in depth, layered security with risk management strategies have
a lot of the elements necessary to improve their security posture.
However, the downside is that processes and people still remain one of
the weakest links in security improvement.
Misconfiguration and poor implementations have paved the way for
vulnerable systems that could be compromised or breached. To help
create an adaptive and secure infrastructure — able to withstand both
external and internal threats — organizations should look to provide
operational efficiencies by consolidating and simplifying their
security management systems. This gain in efficiency, together with a
thorough operational understanding of the consolidated tooling, reduces
the risk that human error introduces into system management, while
making better use of skills and resources to save money in the long term.
Utilize endpoint security
While companies have beefed up network security over the years,
endpoints like mobile PDAs, BlackBerries, remote or unmanaged desktops
connecting to corporate networks, small form factor devices and laptops
can still pose security threats (not to mention the risk of lost
intellectual property when a device is lost or stolen). Consequently,
organizations should plan a program to address data protection
including device encryption, host-based security and data loss
prevention to protect intellectual property.
Implement network access control
Network Access Control (NAC) enforces endpoint security policies by
setting a baseline of who’s allowed on the corporate network, as well
as what services they are allowed to access. Contractors, guests,
non-compliant devices and infected systems can be identified and then
granted or denied permission based on corporate policy. For example, a
guest on the network may be allowed guest access to the Internet only,
quarantined for remediation or blocked entirely. A layered defense
approach factors in port-based security and corporate baseline policies
in conjunction with system and network based protection.
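The following is an added example, not code from the article or from Dimension Data: a minimal NAC policy decision engine in Python that turns the policy described above (guest gets Internet only, non-compliant devices are quarantined for remediation, infected systems are blocked) into an ordered set of checks. The identity classes, posture thresholds, VLAN labels and service names are assumptions chosen for illustration, and the sample endpoints are constructed, not captured from a real network.

```python
"""Added example: a toy NAC policy engine (not from the article).

Identity classes, posture thresholds, VLAN labels and service names
below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    FULL = "corp-vlan"             # all corporate services
    INTERNET_ONLY = "guest-vlan"   # Internet egress only
    QUARANTINE = "remediation-vlan"  # patch/AV servers only
    BLOCKED = "blocked"            # port shut, no VLAN


@dataclass
class Endpoint:
    identity: str                 # "employee", "contractor", "guest", "unknown"
    managed: bool                 # enrolled in corporate device management
    av_signatures_age_days: int   # age of the endpoint's AV signatures
    missing_critical_patches: int
    infected: bool = False        # flagged by IDS/EDR
    requested: set = field(default_factory=set)  # services the user wants


# Assumed corporate baseline thresholds.
MAX_AV_AGE_DAYS = 7
MAX_MISSING_PATCHES = 0

# Assumed mapping from access level to the services it may reach.
ALLOWED_SERVICES = {
    Access.FULL: {"internet", "mail", "file", "erp"},
    Access.INTERNET_ONLY: {"internet"},
    Access.QUARANTINE: {"patch", "av-update"},
    Access.BLOCKED: set(),
}


def posture_compliant(ep: Endpoint) -> bool:
    """Endpoint meets the corporate baseline (AV current, fully patched)."""
    return (ep.av_signatures_age_days <= MAX_AV_AGE_DAYS
            and ep.missing_critical_patches <= MAX_MISSING_PATCHES)


def decide(ep: Endpoint) -> tuple:
    """Evaluate checks most-restrictive-first and return (Access, reason).

    Ordering matters: an infected managed employee laptop must be caught
    by the infection check before the identity check would grant it FULL.
    """
    if ep.infected:
        return Access.BLOCKED, "infected system: blocked pending investigation"
    if ep.identity in ("guest", "unknown"):
        return Access.INTERNET_ONLY, "guest/unknown identity: Internet only"
    if not ep.managed:
        return Access.INTERNET_ONLY, "unmanaged device: Internet only"
    if not posture_compliant(ep):
        return Access.QUARANTINE, "non-compliant posture: quarantined for remediation"
    return Access.FULL, "managed, compliant corporate device"


def authorize(ep: Endpoint) -> dict:
    """Decision plus which requested services are permitted or denied."""
    access, reason = decide(ep)
    permitted = ep.requested & ALLOWED_SERVICES[access]
    return {
        "access": access.value,
        "reason": reason,
        "permitted": sorted(permitted),
        "denied": sorted(ep.requested - permitted),
    }


# Constructed sample endpoints (not real devices).
SAMPLES = {
    "employee_ok": Endpoint("employee", True, 2, 0, requested={"erp", "internet"}),
    "employee_stale_av": Endpoint("employee", True, 30, 0, requested={"erp"}),
    "employee_infected": Endpoint("employee", True, 1, 0, infected=True,
                                  requested={"mail"}),
    "contractor_unmanaged": Endpoint("contractor", False, 1, 0,
                                     requested={"file", "internet"}),
    "guest": Endpoint("guest", False, 99, 9, requested={"internet", "file"}),
}

if __name__ == "__main__":
    for name, ep in SAMPLES.items():
        print(name, authorize(ep))
```

The check order is the point: the posture and infection checks run before identity grants anything, so a trusted user on a bad device still lands in quarantine or is blocked, which is how NAC turns the corporate baseline into an enforced gate rather than a document.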
A final piece of advice from Shiau addresses a security trend his firm
has been seeing. Many businesses still associate the term “security
threat” strictly with viruses, he explains, but what he’s actually seen
over the past several years is a threat shift toward internal breaches,
encompassing both planned criminal/illegal activity and inadvertent
A large number of the highly-publicized data/information losses over
the past few years have boiled down to lax control, policy and
operating procedures. Processes and people do not naturally gravitate
toward secure behaviour — they gravitate toward getting their work done
or doing whatever’s most convenient. For that reason, policy and
enforcement are absolutely critical aspects of security, he says.
With the preceding guidelines in mind, companies can steer IT spending
and get in the fast lane toward a more flexible, adaptive and
holistic security strategy.
Darryl Wilson is the Regional Practice Director for Dimension Data Canada.