Dark Reading Radio
Getting the Most Out of Your IT Security Budget
Date / Time: Wednesday, May 18, 2016, 1:00 p.m. New York/10:00 a.m. San Francisco
Overview:
Buying more security products and technologies doesn't necessarily make your organization more secure. Investing in the right tools and talent to oversee and operate the security architecture is key. In this episode of Dark Reading Radio, Patrick Heim, head of trust & security for DropBox and former CISO at Kaiser Permanente, and Jonathan Trull, VP and CISO of Optiv, and former CISO of the State of Colorado, will share their experience and insight into how organizations can get the best bang for their security buck for a stronger security posture. Join Executive Editor Kelly Jackson Higgins and the entire Dark Reading team in this timely discussion.


Live Chat

Thanks for having me on.

Apprentice

We're at the top of the hour, so I want to thank Patrick Heim of DropBox and Jonathan Trull of Optiv for joining us today on Dark Reading Radio. Your insight was thought-provoking and really interesting. Thanks, too, to our audience today. This episode--as others--will be archived here on the site. Thanks, everyone!

Just wanted to say thanks for the opportunity, and I would encourage anyone interested to connect with me on Linkedin.  Love to continue the discussion.

Apprentice

@Kelly Depends on the organization but generally everyone seems to "get it" that infosec must be prioritized

Apprentice

Is it easier today than, say, five years ago, to get your budget where you want it?

@Jonathan I'm guessing that's a common theme among security purchases gone bad!

I'm very committed to training and would encourage others to help.  A few things I do - mentor new and aspiring staff, develop custom training in-house and sometimes share for others - https://www.blackhat.com/us-16/training/coding-for-security-pros-black-hat-edition.html, require product vendors to include free training for my staff, bring in ISACA/ISSA staff to train team on specific topics, and include training in my staff's performance plan to ensure they get rewarded for doing training.  I believe soft skills training is also critical.

Apprentice

War story - I supported the implementation of an open source IDS product (many moons ago).  I had a talented engineer who was very comfortable with open source.  We implemented but because the organization wasn't set up to manage open source and eventually that engineer moved on, we had to rip and replace the investment.  Moral: be conscious about sustaining your security investments and the constraints of the organization. 

Apprentice

I'm not putting them on the spot, I promise! It was one of our talking points for the show. =)

War story.  I once purchased an endpoint solution that solved a very real threat but did not fully vet out the hidden costs and business impacts of the technology.  It was way more work than I anticipated and probably not the right technology for the staff I had.  The deployment was a nightmare and the business resisted.  Never again!

Apprentice

Marylin - on the questions of execs "doing their part" or being invested in security, I can't generalize.  I do see a fair amount of frustration from security pros that work in organizations where they claim "the leadership doesn't get it".  Given the market for security talent, they tend to leave because they don't feel well supported / have an impossible mission.  

To build a strong security team, the executive team does need to be invested and set the tone that security is critical to the business and everyone's job.  The actual level of knowledge they have about security matters is secondary to setting the right tone for the organization that leads to all employees aligning around doing their part.

At Dropbox, we have a set of company values.  "Be worthy of trust" is the #1 value and is the tone set from the top and radiated through the organization.

Apprentice

(Good, tough question Kelly!)

Author

@Marilyn  The conversations are definitely getting easier.  I don't really find that I need to spend time convincing executives that security must be a priority.  Most time is spent explaining what our current threats and problems are and working through the options for fixing them or lowering our risk to acceptable levels.  Executives are most concerned about the impact to the businesses.  So you must be prepared to address those fears.

Apprentice

Thanks gents! Of course, I'm guessing that every infosec practitioner would say "I don't have time for training."

Author

@Patrick, are you then called upon to show management the potential costs and benefits of specific scenarios?  For example, if the company is going to start a new line of business, do they consult you on the potential risks and security costs before going ahead with it?

Strategist

@Patrick  Really interesting point about compliance and security being "different domains.  You can't fail in one because you took resources from another." I wonder how many organizations actually treat them that way...

Author

Jonathan and Patrick, would you each share a lesson learned/war story on a budget decision you made at one time that you wish you hadn't? 

@Sarah  Great point.  We must commit ourselves and budgets to training our existing staff.  Agree 100%

Apprentice

Is it getting easier to have these conversations? Cybersecurity is pretty much a dinner-table conversation these days.

Strategist

@Marilyn I think they're trying.  However, they're also trying to run a profitable business which consumes the majority of their time, and rightly so in my opinion.  I spend at least 30 minutes one-on-one with all of my executives and board members to help them understand the threat landscape and how they can help me protect the company.  I've been fortunate to have executives that are very concerned and committed to security and have to make tough decisions about running the company, investing in new businesses, etc., etc.

Apprentice

Marilyn - The C-Suite should be aware of the risk tradeoffs given the budget constraints.  If communicated right and if you have engagement from them, they should be led into reflecting on whether the residual risks (not being worked on) within the constraints of the budget are aligned with the company's risk tolerance or not.

Apprentice

...Marilyn's question goes to the "language" point by Patrick for security execs. Shouldn't it go both ways?

And should they have to?

Strategist

I hear so often that security management has to be able to understand -- and make -- the business case. But you'd think in today's environment executive management should make an effort to understand the threat landscape. Do you think many execs are doing their part?

Strategist

@Patrick - Great point and something I missed.  I am spending significantly more money on data protection (digital rights management) and identity (account + device location time/day of access) due to the nature of today's corporate perimeter.

Apprentice

Sara - your question on training is on-point.  More and more, I see that it is possible to create a pipeline of security pros by taking skilled developers and training them in security.  This isn't a simple tactical training opportunity, it's looking at your workforce plan and planning ahead.  Development skill sets are essential as a foundation for technical security teams.

Apprentice

I'm also curious whether it's harder to get budget for technology or new staff. My experience lately is that companies are willing to buy capital *stuff,* but much more reluctant to add headcount. What are you guys experiencing?

Strategist

Executives are great at quickly identifying problems and assigning someone to solve it and then tracking performance.  To make a solid business case, you must prove to senior management that you have a problem that needs to be solved in the language they can understand.  If you can't do that, you won't get the funding.  It's also important that you sell the solution to the executives.  I wrote this blog - https://www.linkedin.com/pulse/author/analytics?trk=hp-identity-wvmposts describing why it's so important to know how to sell.  Check it out


Apprentice

On compliance - another piece of advice would be to explicitly communicate to leadership that compliance and security shouldn't be a zero sum game.  They are different domains.  You can't fail in one because you took resources from another.

Apprentice

...@JonathanTrull  my point simply being that even though we can sympathize with your employees, it does seem like you're right -- it's past time to move on.

Author

@JonathanTrull  Thanks! I'm sure that everyone in security can understand their viewpoint...even if it is outdated now. Years ago, I wondered how you could prove compliance when you didn't have physical access to your servers, but that hasn't seemed to be a problem. 

Author

Kelly - There has been much written about how the concept of a "perimeter" in the traditional physical / network sense is somewhat of an anachronism.  I would define perimeter both as the endpoints you control as well as your data.  I have a renewed interest in Enterprise Rights Management technology primarily because it allows me to shift the perimeter down to the data.

Apprentice

Or how reasonable/unreasonable is the conversation!

Strategist

Here's Marilyn's question:

How much input does the C-suite have into the budget priority process? Do you have to sell your priorities upward, or are they dictated to you from above? What is the tension in that relationship?
Marilyn Cohodas

Good question Marilyn! I'm curious too... how persnickety do they get?

Author

Patrick and Jonathan: One thing I ran out of time during the show to ask: 

What's the best way to make the business case to management for getting more budget and more staff?


The "dismay of many of my staff" came down to the fact that many security people simply refuse to adopt or consider using cloud technologies.  If the data is outside my perimeter, I don't trust it.  Then again, in today's world, what is your perimeter?

Apprentice

How much input does the C-suite have into the budget priority process? Do you have to sell your priorities upward, or are they dictated to you from above? What is the tension in that relationship?

Strategist

ooooOOOOooooo "much to the dismay of many of my staff over the years."  Definitely want to hear more about that.

Author

This compliance conversation is fascinating, because not too long ago it seemed the ONLY way you could get a sizeable security budget from your board room was to talk about all those scary auditors. Now it seems like it's shifted... the auditors aren't the scary ones anymore, not even to the board room.

Author

Could we maximize our budgets if we invested more in training the people we've got? Turning them into those talented security pros we're so desperate to find? Or is part of the problem that the best training just doesn't exist? 

Author

Great topic today -- we recently polled IT execs and hardly any of them feel they have enough security budget. The trick is making the most out of what you've got.

Strategist

Hello all! Looking forward to this... even though I love/hate budgets.

Author

Good lineup of guests, Kelly!

Strategist

It's all about money...everyone's favorite topic.

I'm looking forward to our show today!
