Dark Reading Radio

Getting the Most Out of Your IT Security Budget
Date / Time: Wednesday, May 18, 2016, 1:00 p.m. New York/10:00 a.m. San Francisco
Overview:
Buying more security products and technologies doesn't necessarily make your organization more secure. Investing in the right tools and in the talent to oversee and operate the security architecture is key. In this episode of Dark Reading Radio, Patrick Heim, head of trust & security for Dropbox and former CISO at Kaiser Permanente, and Jonathan Trull, VP and CISO of Optiv and former CISO of the State of Colorado, will share their experience and insight into how organizations can get the best bang for their security buck and a stronger security posture. Join Executive Editor Kelly Jackson Higgins and the entire Dark Reading team in this timely discussion.


Live Chat
We're at the top of the hour, so I want to thank Patrick Heim of Dropbox and Jonathan Trull of Optiv for joining us today on Dark Reading Radio. Your insight was thought-provoking and really interesting. Thanks, too, to our audience today. This episode--as others--will be archived here on the site. Thanks, everyone!

Just wanted to say thanks for the opportunity, and I would encourage anyone interested to connect with me on LinkedIn. Love to continue the discussion.

@Kelly Depends on the organization but generally everyone seems to "get it" that infosec must be prioritized

Is it easier today than, say, five years ago, to get your budget where you want it?

@Jonathan I'm guessing that's a common theme among security purchases gone bad!

I'm very committed to training and would encourage others to help.  A few things I do - mentor new and aspiring staff, develop custom training in-house and sometimes share for others - https://www.blackhat.com/us-16/training/coding-for-security-pros-black-hat-edition.html, require product vendors to include free training for my staff, bring in ISACA/ISSA staff to train team on specific topics, and include training in my staff's performance plan to ensure they get rewarded for doing training.  I believe soft skills training is also critical.

War story - I supported the implementation of an open source IDS product (many moons ago).  I had a talented engineer who was very comfortable with open source.  We implemented but because the organization wasn't set up to manage open source and eventually that engineer moved on, we had to rip and replace the investment.  Moral: be conscious about sustaining your security investments and the constraints of the organization. 

I'm not putting them on the spot, I promise! It was one of our talking points for the show. =)

War story.  I once purchased an endpoint solution that solved a very real threat but did not fully vet out the hidden costs and business impacts of the technology.  It was way more work than I anticipated and probably not the right technology for the staff I had.  The deployment was a nightmare and the business resisted.  Never again!

Marilyn - on the question of execs "doing their part" or being invested in security, I can't generalize. I do see a fair amount of frustration from security pros who work in organizations where they claim "the leadership doesn't get it". Given the market for security talent, they tend to leave because they don't feel well supported / have an impossible mission.

To build a strong security team, the executive team does need to be invested and set the tone that security is critical to the business and everyone's job. The actual level of knowledge they have about security matters is secondary to setting the right tone for the organization that leads to all employees aligning around doing their part.

At Dropbox, we have a set of company values. "Be worthy of trust" is the #1 value and is the tone set from the top and radiated through the organization.

@Marilyn  The conversations are definitely getting easier.  I don't really find that I need to spend time convincing executives that security must be a priority.  Most time is spent explaining what our current threats and problems are and working through the options for fixing them or lowering our risk to acceptable levels.  Executives are most concerned about the impact to the businesses.  So you must be prepared to address those fears.

Thanks gents! Of course, I'm guessing that every infosec practitioner would say "I don't have time for training."

@Patrick, are you then called upon to show management the potential costs and benefits of specific scenarios?  For example, if the company is going to start a new line of business, do they consult you on the potential risks and security costs before going ahead with it?

@Patrick Really interesting point about compliance and security being "different domains. You can't fail in one because you took resources from another." I wonder how many organizations actually treat them that way...

Jonathan and Patrick, would you each share a lesson learned/war story on a budget decision you made at one time that you wish you hadn't? 

@Sarah  Great point.  We must commit ourselves and budgets to training our existing staff.  Agree 100%

Is it getting easier to have these conversations? Cybersecurity is pretty much a dinner-table conversation these days..

@Marilyn I think they're trying.  However, they're also trying to run a profitable business which consumes the majority of their time, and rightly so in my opinion.  I spend at least 30 minutes one-on-one with all of my executives and board members to help them understand the threat landscape and how they can help me protect the company.  I've been fortunate to have executives that are very concerned and committed to security and have to make tough decisions about running the company, investing in new businesses, etc., etc.

Marilyn - The C-suite should be aware of the risk tradeoffs given the budget constraints. If communicated right, and if you have engagement from them, they should be led into reflecting on whether the residual risks (not being worked on) within the constraints of the budget are aligned with the company's risk tolerance or not.

...Marilyn's question goes to the "language" point by Patrick for security execs. Shouldn't it go both ways?

I hear so often that security management has to be able to understand -- and make -- the business case. But you'd think in today's environment executive management should make an effort to understand the threat landscape. Do you think many execs are doing their part?

@Patrick - Great point and something I missed.  I am spending significantly more money on data protection (digital rights management) and identity (account + device location time/day of access) due to the nature of today's corporate perimeter.

Sara - your question on training is on-point.  More and more, I see that it is possible to create a pipeline of security pros by taking skilled developers and training them in security.  This isn't a simple tactical training opportunity, it's looking at your workforce plan and planning ahead.  Development skill sets are essential as a foundation for technical security teams.

I'm also curious whether it's harder to get budget for technology or new staff. My experience lately is that companies are willing to buy capital *stuff,* but much more reluctant to add headcount. What are you guys experiencing?

Executives are great at quickly identifying problems, assigning someone to solve them, and then tracking performance. To make a solid business case, you must prove to senior management that you have a problem that needs to be solved, in language they can understand. If you can't do that, you won't get the funding. It's also important that you sell the solution to the executives. I wrote this blog - https://www.linkedin.com/pulse/author/analytics?trk=hp-identity-wvmposts - describing why it's so important to know how to sell. Check it out.

On compliance - another piece of advice would be to explicitly communicate to leadership that compliance and security shouldn't be a zero sum game.  They are different domains.  You can't fail in one because you took resources from another.

[email protected]  my point simply being that even though we can sympathize with your employees, it does seem like you're right -- it's past time to move on.

@JonathanTrull  Thanks! I'm sure that everyone in security can understand their viewpoint...even if it is outdated now. Years ago, I wondered how you could prove compliance when you didn't have physical access to your servers, but that hasn't seemed to be a problem. 

Kelly - There has been much written about how the concept of a "perimeter" in the traditional physical / network sense is somewhat of an anachronism. I would define the perimeter both as the endpoints you control and as your data. I have a renewed interest in Enterprise Rights Management technology, primarily because it allows me to shift the perimeter down to the data.

Or how reasonable/unreasonable is the conversation!

Here's Marilyn's question:

How much input does the C-suite have into the budget priority process? Do you have to sell your priorities upward, or are they dictated to you from above? What is the tension in that relationship?
Marilyn Cohodas

Good question Marilyn! I'm curious too... how persnickety do they get?

Patrick and Jonathan: One thing I ran out of time to ask during the show:

What's the best way to make the business case to management for getting more budget and more staff?

The "dismay of many of my staff" came down to the fact that many security people simply refuse to adopt or consider using cloud technologies.  If the data is outside my perimeter, I don't trust it.  Then again, in today's world, what is your perimeter?

How much input does the C-suite have into the budget priority process? Do you have to sell your priorities upward, or are they dictated to you from above? What is the tension in that relationship?

ooooOOOOooooo "much to the dismay of many of my staff over the years."  Definitely want to hear more about that.

This compliance conversation is fascinating, because not too long ago it seemed the ONLY way you could get a sizeable security budget from your board room was to talk about all those scary auditors. Now it seems like it's shifted... the auditors aren't the scary ones anymore, not even to the board room.

Could we maximize our budgets if we invested more in training the people we've got? Turning them into those talented security pros we're so desperate to find? Or is part of the problem that the best training just doesn't exist? 

Great topic today -- we recently polled IT execs and hardly any of them feel they have enough security budget. The trick is making the most out of what you've got.

Hello all! Looking forward to this... even though I love/hate budgets.
