Parlaying off my previous article about getting the biggest bang for your security buck in small IT security shops, I thought it would be a good opportunity to write about how larger IT security teams can be more effective with their larger budgets. Larger IT security departments often spend on solutions that they don't really need or that don't address a business risk (and end up being a waste of money). It is certainly not unheard of for multiple security solutions to be thrown into the enterprise network infrastructure haphazardly, creating security gaps instead of reducing risk.
In order to be more efficient with your hard-earned budget dollars, your enterprise information security team needs to evolve from focusing primarily on operational security controls to more of a business-centric endeavour encompassing activities such as risk assessments, asset valuation, IT supply chain integrity, and process optimization. Several months ago, security vendor RSA released a report outlining how to transform IT security. The report, in describing how next-gen security teams should function, serves well as a guiding document for how to reposition your budget.
IT security team responsibilities
According to the report, the core information security team should be responsible for governing and coordinating the overall IT security effort and performing tasks requiring specialized security knowledge. The areas IT security should focus on are: redefining and strengthening IT security's core competencies (control design and assurance); delegating routine operations (allocating repeatable, well-established security processes); and establishing an information risk consultancy (partnering with the business in managing information risks and coordinating a consistent enterprise risk management approach). Following such an approach ensures that security investments are effective and efficient in delivering sustainable information security that supports the business goals (translation: you aren't wasting money).
According to RSA, the vast majority of enterprise security controls today are implemented for preventative purposes. RSA estimates that most organizations spend approximately 80 percent of their security budgets on preventative measures, with monitoring (detective) and remediation (response) forming the remaining 20 percent.
Put resources where they matter
Most organizations have spent the past two decades focusing solely on firewalls, anti-virus, encryption, and authentication measures to deliver an acceptable level of security, without sustained success. Preventive approaches alone do not inhibit the modern sophisticated, well-funded, persistent, and focused attacker. We are wasting budgets by continually pouring more and more resources into purely preventive controls. Given today's security realities, organizations need to change their overall defensive approach by increasing the funding and implementation of detection and response controls.
You should be spending on initiatives that best address resiliency and provide a balanced stable of preventative, detective, and responsive controls. In most organizations, security investments, covering people, processes, and technology, are out of balance. The best thing you can do for your security budget is to get those areas harmonized.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.