Building on my previous article about
getting the biggest bang for your security buck in small IT security shops, I
thought it would be a good opportunity to write about how larger IT security
teams can be more effective with their larger budgets. Larger IT security
departments often spend on solutions that they don’t really need or that don’t
address a business risk (and so end up being a waste of money). It is certainly
not unheard of for multiple security solutions to be thrown into the
enterprise network infrastructure haphazardly, creating security gaps instead of reducing risk.

In order to be more efficient with your
hard-earned budget dollars, your enterprise information security team needs to
evolve from focusing primarily on operational security controls to a more
business-centric endeavour encompassing activities such as risk assessments,
asset valuation, IT supply chain integrity, and process optimization. Several
months ago, security vendor RSA released a report outlining how to transform IT security. The report, in describing how next-gen security teams should
function, serves well as a guiding document for how to reposition your budget.

IT security team responsibilities

According to the report, the core
information security team should be responsible for governing and coordinating
the overall IT security effort and performing tasks requiring specialized security
knowledge. The areas IT security should focus on are: redefining
and strengthening IT security’s core competencies (control design and
assurance); delegating routine operations (allocating repeatable, well-established
security processes); and establishing an information risk consultancy (partnering with the
business in managing information risks and coordinating a consistent enterprise
risk management approach). Following such an approach ensures that
security investments are effective and efficient in delivering sustainable
information security that supports the business goals (translation: you aren’t
wasting money).

According to RSA, the vast majority of enterprise
security controls today are implemented for preventative purposes. RSA
estimates that most organizations spend approximately 80 percent of their security
budgets on preventative measures, with monitoring (detective) and remediation
(response) forming the remaining 20 percent.

Put resources where they matter

Most organizations have spent the past
two decades focusing solely on firewall, anti-virus, encryption, and
authentication measures to deliver an acceptable level of security, without sustained
success. Preventive approaches alone do not stop today's sophisticated,
well-funded, persistent, and focused attackers. We are wasting budgets by
continually pouring more and more resources into purely preventive controls. Given the security realities of today,
organizations need to change their overall defensive approach by increasing the
funding and implementation of detection and response controls.

You should be spending on initiatives that
best address resiliency and provide a balanced mix of preventative,
detective, and responsive controls. In most organizations, security investments,
covering people, processes, and technology, are out of balance. The best thing you can do for your security budget is to bring those
areas into harmony.