10 Steps for Stretching Your IT Security Budget
When the budget gods decline your request for an increase, here are 10 ways to stretch that dollar.
A whopping 1.9 billion data records were breached during the first half of the year, marking a 164% jump from the same time a year ago. But despite the never-ending rise in attacks and breaches, only 35% of IT professionals expect their organizations to increase security spending in the next 12 months, according to recent surveys.
In other words, IT security budget increases clearly are not keeping up with the rate of breaches and attacks. But despite this shortfall, IT security leaders may have more tools and tricks at their disposal to stretch their budgets than they realize. For example, ever think of joining one of the local security groups on Meetup.com to vet potential hires, rather than plunking down money for a recruiting firm? Or using free tools such as network scanner Nmap, or free apps from IT social media community Spiceworks?
Here are 10 top tips to stretch IT security budgets.
In order to avoid wasting precious time getting your firewalls, IDS/IPS, antivirus, SIEM, packet-capture, forensic imaging, and vulnerability scanner tools to all interact with one another, it's better to create an interconnected security stack from the onset, advises Roselle Safran, former SOC chief at the White House and president of Rosint Labs.
The IT security industry has made substantial improvement in automating various tasks and processes in the last two to three years, but more can be done, Safran says.
Automation should be viewed as a way to get more bang for your buck out of your existing IT security teams, rather than a means to save money by reducing staff.
"I would not advise using automation as a way to reduce the number of analysts. Instead, it will free up their time to do other things and make a stronger team," she says.
Training costs can easily run $4,000 per employee for an outside training course to learn new security skills, Safran says, but there are less expensive options, too.
"There is plenty that can be done internally," she says. "You can create a whole curriculum based on free information. You don't have to pay for training to have a more effective team."
Free information to develop curriculum can be collected from such places as SANS' Reading Room white papers, Dark Reading's Tech Library white papers, and InfoSec Institute's Free CISSP Training & Study Guide.
"You need to tailor the training to your environment. If you are a small company, you may not be doing forensics, so you wouldn't need to train on that," she advises.
Free training workshops are often held at various Meetup.com IT security groups around the nation.
For example, a search on Meetup.com for cybersecurity and Washington, D.C., brings up various IT security groups.
A number of these meetup.com groups hold training workshops that last anywhere from a couple hours in the evening to a day or weekend. The workshops are usually free, or just a few hundred dollars for an advanced or certification prep course.
Earlier this month, White Hat Academy held a free workshop on how to write secure code, which lasted a couple hours in the evening and had more than 150 attendees, says Fletcher Heisler, founder and organizer of the White Hat Academy meetup group.
The D.C. Cyber Security Professionals meetup group earlier this month held its first CompTIA Security+ exam prep workshop and charged $199 at the door, for example.
A cost-effective method to vet prospective IT security job candidates may be found by attending or sponsoring a capture the flag (CTF) event, versus hiring a recruiting firm.
Sponsoring a free CTF event held by a meetup group usually provides employers a chance to announce available job openings, as well as describe the work environment at the organization, says Heisler, whose meetup group has held such events. And for most meetup groups, sponsorship ranges from providing office space for the event to refreshments and prizes.
"The CTFs are usually an all-day event and there is plenty of time during the event for people to wander around, so employers will have time to talk to the players and interact with them. Some sponsors will even let people know they can bring their resume to the event," says Heisler.
He adds the real benefit of a CTF is the recruiting channel it provides. "You may have someone there who doesn't have great metrics that you would normally need to fill the job like experience or education, but these attendees could be self-taught and can solve challenges at the CTF with the types of tools they would be using at your company," says Heisler, who is also the founder of the White Hat Academy, a training organization that is developing interactive online labs to teach modern Web application security and penetration testing.
For CISOs who want to run their own CTF event, open-source frameworks exist that provide everything from the CTF log-in system to the scoring system, he notes.
An IT security internship program is another way to vet prospective hires and potentially expand a temporary workforce at a lower cost. Internships are often paid positions, often at a rate closer to minimum wage, says Ron Woerner, an information security advisor at Bellevue University in Nebraska.
"Most companies feel internships are summer-only, but we need to develop the students like the trades and have them in a year-round mentorship or apprenticeship year round," he says.
IT security leaders who currently do not have an internship program can create one, and may want to first reach out to their human resources department for assistance, Woerner advises. The internship should be treated like a project management program, where goals and metrics are established of what is to be accomplished, he adds.
Once a program is created, visit local universities and colleges as well as community colleges, to get references from computer science department professors on the best prospective interns.
"The student they pick should not need a lot of time to train on the technical skills, and often the professors know who these students are," Woerner says. "However, you will need to do some training, so companies that say they don't have time to train need to realize they can pay now, or pay later."
"Security isn't what you buy or download, it's how you think and respond," Woerner says. "I see companies time and time again make purchases without understanding what crown jewels they are trying to protect and what problem they are trying to solve. Once you know these things, then you know the tools you need to get."
Free tools may be available for some of these problems, Woerner says, recommending:
- Center for Internet Security, which offers a number of free tools
- SecTools.org, which offers a number of free tools
"The number one security tool is Google, because you can find out so much information," he notes.
"One of the best ways to save money is to take advantage of what you already have," says Woerner. "Operating systems and Web browsers have many security capabilities that many don't use."
In order to uncover potential hidden jewels, check your Active Directory Users and Computers link. The next step is to use the free network-mapping tool Nmap to determine the open ports and services running on them, Woerner says.
"Knowing what you have and the threats associated with those is the first step," Woerner says, adding that the accounting department may be able to assist by providing a list of all the physical assets, which can be cross-referenced in an Excel spreadsheet with the Active Directory and Nmap data. Other tools include Open-AudIT, PDQ Inventory, AppLocker, and Netwrix, he adds.
With this information, create a network diagram with Nmap and Microsoft Visio to lay out the network architecture, the interconnected components, and the services provided by network devices, Woerner says.
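The cross-reference step above, as an added example that is not from the article: a small script that parses Nmap's XML output (`nmap -oX`) and an Active Directory Users and Computers CSV export, then reports hosts that are live on the network but unknown to AD, and AD objects that did not respond. Both inputs are constructed samples; the CSV column names are an assumption about the export format.

```python
# Added example: reconcile an Nmap XML scan with an AD computer export to find
# hosts on the wire that AD does not know about, and AD objects that no longer answer.
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: trimmed "nmap -oX" output for two hosts (not a real scan).
NMAP_XML = """<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports></host>
</nmaprun>"""

# Constructed sample: CSV as exported from Active Directory Users and Computers
# (column names are an assumption about the export).
AD_CSV = """Name,DNSHostName,IPv4Address
FILESERVER01,fileserver01.corp.example,10.0.0.5
HR-LAPTOP-12,hr-laptop-12.corp.example,10.0.0.30
"""

def parse_nmap(xml_text):
    """Return {ip: [(port, service), ...]} of open ports for every host Nmap saw as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hosts[ip] = [(int(p.get("portid")), p.find("service").get("name"))
                     for p in host.iter("port")
                     if p.find("state").get("state") == "open"]
    return hosts

def parse_ad(csv_text):
    """Return {ip: dns_hostname} from the AD export."""
    return {r["IPv4Address"]: r["DNSHostName"] for r in csv.DictReader(io.StringIO(csv_text))}

def reconcile(nmap_hosts, ad_hosts):
    """Return (unknown, missing): live hosts absent from AD, AD hosts that did not respond."""
    unknown = sorted(set(nmap_hosts) - set(ad_hosts))  # unmanaged or forgotten kit to investigate
    missing = sorted(set(ad_hosts) - set(nmap_hosts))  # stale AD objects or offline assets
    return unknown, missing
```

Call `reconcile(parse_nmap(NMAP_XML), parse_ad(AD_CSV))`; the "unknown" list, together with the open ports from `parse_nmap`, is what goes into the spreadsheet and the Visio diagram.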
"Once you have the list of the systems, have a quick brainstorming session to determine what is the most important and what is the most important to keep the business running," he says. "It's easy to buy into the hype, 'I need something new to solve my problems.' Often the answer is right in front of you."
IT security budgets can be extended by maximizing employees' productivity, says Daniel Basile, executive director of Texas A&M University System's security operations center.
"The goal is to make sure your staff has all the capabilities to act quickly and react appropriately," says Basile, who will discuss maximizing worker productivity at the upcoming Dark Reading INsecurity Conference.
The first step calls for developing a formal playbook that outlines all the actions that are required in a given situation.
"This shrinks the training time since it is all written down in the playbook and everyone, including entry level workers, know what to do for the next step," Basile says.
The second step calls for automating as many of the processes as possible. With the playbook, it will be easier to determine which processes can be handled with free or inexpensive tools and resources, such as checking blacklisted sites, he says.
Highly-skilled security analysts, as a result, can be redeployed to handle situations when events don't match the playbook and can be escalated.
"It's a layered approach, so analysts are not wasting their time," he says.
An obvious way to maximize productivity and cut costs is to use outsourcing.
Companies can supplement their workforce and redeploy their highly-skilled technical IT security professionals to other work if some of their burden is removed by outsourcing that work, says Harpreet Sidhu, managing director, global managed security services lead for Accenture, who will address outsourcing strategies at Dark Reading's upcoming INsecurity conference.
"It's important for companies to understand what their priorities are for using a service provider and what their key drivers are. Is it price, scale, or gaining an industry depth of knowledge," says Sidhu, adding that this understanding will help them select an outsourcing partner that can offer predictability in costs, be accountable, provide high quality of service, and drive innovation.
Companies can typically save between 30% and 40% when they outsource their identity and access management, or SOC services, to an outsourcing firm that supplies, runs, and manages the entire operation, estimates Sidhu.