06:44 PM
Connect Directly
Repost This

Rejiggering IT Security Budgets For Better Perimeter And Systems Control

Put the 'boring' blocking and tackling tools before shiny new expenses

As is the case in any other business, IT security leaders must contend with finite resources. As a result, they must depend on smart decisions about where to target their budgets to ensure they leave as few gaps as possible. The only problem, and one that security folks have dealt with for years, is they tend to be seduced by the latest innovation rather than the fundamental management tools necessary to implement enough control over network and system infrastructure to properly manage their risks.

"When it comes to security budget, security organizations are very much like my children: They want to buy whatever they've seen last and is shiny and new and promises unbelievable results," says Alan Shimel, managing partner of The CISO Group. "A serious dose of pragmatism and maybe just a little maturity would go a long way."

Shimel says he has written about it and stomped his feet until blue in the face, mostly to no avail. It's a trend that Eric Cowperthwaite, former CISO of Providence Health and Services and now CORE Security's vice president of advanced security and strategy, has seen unfold time and again.

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

"All too often the spending is on things that will provide for compliance with laws and regulations or that are glitzy and sexy and in the trade news a lot," he says, explaining that an organization may make big investments in next-generation firewalls or a huge single-sign-on system while failing to attend to simple tasks, such as patch management or configuration management, on their systems. "We see organizations being exploited by social engineering and the compromise of systems that were not patched, even though the vulnerability was known for weeks, even months."

On the network side, network change management and firewall rules management fall squarely within this "blue-collar, meat-and-potatoes" kind of security management market, Shimel says. "It's just not as sexy to the guy who is looking for the security flux capacitor," he adds.

Management tools that offer more network controls and enable policy orchestration are foundational, but may be a budgetary afterthought. And the more they're back-burnered, potentially the harder it will be politically to add them in after the fact. As Shimel explains, if an organization spends several million during the course of two to three years to pick up next-generation firewalls and update traditional firewalls, coming in after that is done and asking for another half-million dollars for firewall management to keep the rules properly configured on those systems may anger the CFO or CIO. But as IT organizations look into more iterative devops processes that require changing the network more frequently than ever, and as they start to dive into such projects as software-defined networking to increase the dynamic nature of the network, they may well be forced to bake in security and change management into the budget cycle much earlier in the process, says Jody Brazil, president and CTO of firewall management firm FireMon.

"All of these great things get spun up at the click of a button within minutes of saying go, and then either the access doesn't exist, the access control systems aren't in place, or the reverse," Brazil says. "Access is automatically allowed, but now you don't have scanning set up to run against this new system, or the IPS isn't configured in tune for the fact this is a new application."

Brazil believes that as organizations are dragged into this more "operational world" of networking, security management is getting thrust front and center. He believes the tide is shifting, however, as he sees clients begin to worry more about those security management needs first before sparing change for those shiny new toys. For example, he mentions a customer in the federal space that is engaging his company before putting in a new slate of network security tools and next-generation firewalls, so the agency can lay the groundwork for day-to-day controls first.

"Security management is becoming part of that budget conversation," he says. "Whereas we often used to get brought in after the fact, they're starting with management and saying, 'Let's get this figured out first. Then we'll worry about expanding the rest of the infrastructure.'"

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Apprentice
11/14/2013 | 7:29:21 PM
re: Rejiggering IT Security Budgets For Better Perimeter And Systems Control
As Shimel says firewalls may not be as sexy as other IT priorities, but considering the evolving threat landscape the granular nature of next gen firewalls (i.e. Sophos UTM is crucial in protecting the enterprise network and ensuring that education efforts are on the market.

Peter Fretty
User Rank: Apprentice
10/15/2013 | 8:00:36 PM
re: Rejiggering IT Security Budgets For Better Perimeter And Systems Control
It would be a great shift in enterprise security if software-defined networking and devops lead organizations to design security in from the start. Too often, security teams are left out of design discussions.
User Rank: Apprentice
10/15/2013 | 7:22:00 PM
re: Rejiggering IT Security Budgets For Better Perimeter And Systems Control
Ericka, timely post as we are heading into the end of the year and gearing up for 2014 budgets. Security management must be thinking about these items and ensuring they are not only asking for the right solutions, services, and resources, but also backing it up with data.
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web