cancel
Showing results for 
Search instead for 
Did you mean: 

The Cost of InfoSec Stewardship

Level 12

"Five billion years and it still comes down to money." -- The Doctor

Hello Thwack, this is Gideon Tam again! I was one of the Thwack Ambassadors for the month of January, 2014. Back in January we had great discussions and comments on the topics of the Log & Event Management in the General Security & Compliance area. If you haven't seen those discussions, here are the links to them:

To Log Or Not To Log: That Is The Question

Don't Panic and Know Where Your Logs Are

So Good They Can't Ignore SIEM

Winning The Loser's Game of Information Security

In the last discussion, Winning The Loser's Game Of Information Security, we generally agreed that the information security would not be a losing battle at all, even though information security breaches made to the headline news all the time (you might receive an email from eBay for changing password last week). Endurance and persistence, my dear fellows.

Recently we planned to replace our current internet perimeter firewalls with the New Generation Firewalls. The price quote we got after a few negotiations still popped out our eyes. This made me think of:

Is it possible to lower the cost of the information security?

In January we talked about that SIEM didn’t come cheap. Remember S in SIEM is $?   We also discussed the defense in depth. All these come with a huge price tag. Yes, we can cut some corners when IT budget permits, but we can only cut that much. If we are able to reduce the costs of information security equipment, what about the costs of the storage to keep the data in order to be HIPAA or PCI compliance?

Thanks to Steve Jobs and Jeff Bezos, we now face new IT challenges: BYOD, public and private clouds, etc. All the sudden we need to implement security measures that we haven’t done before. Of course, vendors help us by providing their awesome solutions and in turn we help them with higher budget.

You may say that we can save by using the open source projects/softwares/applications. I have some open source applications in my environment. I’ve found that it takes quite a bit of manpower to start, implement, and maintain systems with the open source applications. My colleagues and I have been thinking to replace those systems with vendor solutions. And open source is open source. For example, remember Snort -> Sourcefire -> Cisco?

To me, it’s very hard to drive the information security cost down. I, of course, will do my best to keep the expense as low as possible. But I’ll also provide information to the CIO to talk to the CEO and the CFO to request more funding. What do you think? If you don’t agree with me, it is perfectly fine; I want to hear from you and learn from you. Please drop some thoughts, comments, and feedbacks here.

54 Comments
MVP
MVP

Seems like the S in Security is also $$.

Opensource or not...they all take time to stand up and configure and then comes the fine tuning.

Some of the "best" SIEM tools takes quite a while to set up and a team to maintain.

BYOD brings in so many other threat vectors..it would drive me nuts so it is a good thing I am not involved in that end of things.

Level 12

Just like Jfrazier ... Secuity has its own $$ cost, maintenance and BYOD threats

Level 12

mfmahler it sure still boils down to money. Security does not come cheap as I believe you can testify to. Most IT personnel wants to ensure their network is as secure as possible.

Now many firms are moving to the cloud. Some still have the Hybrid mode, while others just run away from spending so much on server hardware and licenses.

What else is there but hope our jobs don't get taken over by the Cloud and the $$$ on security are just not sent to the cloud?

All-in-all, we are still needed in the system and who better to manage the Information than we the engineers.

Hope i have not diverted from the initial article?

Level 12

Jfrazier is right now we are doing alot of this now where i work trying to figure out if opensource is better or if we should do BYOD and its all serious money to maintain and if we want to bring in alot of new tools and have that learning time to figure everything out.

Level 9

personally, i am weary of open source.

It is a balancing act, you can chose to pay on the front end or the back end.

For example look at hiring the right people: 

You can save money by hiring less qualified Security people, but then you lose out on efficiency in the security solution and potential breaches.  We are fighting the battle now of the guy who came in cheap and his idea of securing the network is just to not give anyone access.   On the flip side, good cyber security people can almost name their price.  I recently was part of a discussion of a major FI who had 4 cyber-security positions open pushing the 6 figure range and it was a year before the Cyber Security Director got the first truly qualified application for the position.

Level 12

Jfrazier You are right. Security starts with $$.

When we deployed the web proxy system, it took us a couple of months to grant exceptions and to stabilize the environment. Don't ask me about the beginning of our IPS/IDS deployment.

I consider you are lucky one of not being involving the BYOD excitement.

Level 12

esther It looks like we are on the same page. Do you have some stories to share?

Level 12

jayson weiss Would you elaborate you thoughts on the open source, especially in information security?

Level 12

Well put, prowessa. No, you didn't divert from the article.

Cloud has become a very interesting IT area, especially for information security. Cisco's CEO John Chambers commented in 2009 that cloud computing "is a security nightmare and it can't be handled in traditional ways." Now in 2014 we are still evolving our security measures for the cloud (and please don't add virtualization in the cloud ). I guess our jobs are secured.

Level 12

Aaron Denning it's good to know that I am not alone . What you are experiencing happen to the IT folks in many organizations. See, Apple introduced enterprise support in iOS 8 this morning.

Level 12

bsciencefiction.tv Nice story. It's a balancing act because we are living in the budget constrains.

The story of your folk remind me that our existence in an organization is to support the business needs of the organization. Banks, hospitals, research institutes, for example, have different business needs. As someone put it, no one silver bullet can solve every security problem.

Level 12

Hmmh.. An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. Using the good security software and hardware appliance will save you money in the future and pirated security software used in order to minimize cost will still cost more $$$ or even your job...... sorry not a good story teller......

Level 10

We have one security person at our company. He is highly motivated and enjoys the game of keeping evil from entering into our network. We consider ourselves lucky to have this person here.

Level 10

To your point mfmahler can we cut costs of the Information Security. I think it is going to be a game of cat, and mouse. Where does your particular organization see value. Do they see value in paying the appropriate engineers the appropriate salaries? If so you may reduce your cost from a software perspective if you hire in someone with the needed toolset prebuilt, programming skills, or is very good/efficient with Open source software. If your organization sees more value in software that engineers salaries, then you are going to end out paying more usually unless you get lucky. Since you hire in a lower paid employee that is building up their skills, you are now paying to build that persons skills in time. Or your organization sees low paid employees, and does not have much of a budget for the software/hardware needed, then they are stuck in the "make it work" scenario.

I agree with bsciencefiction.tv. I think you hit the nail right on the head.

Level 12

Well put, esther! Beside good information security software and hardware ($$$$$), we also need good information security personnel ($$$).

Level 10

Security is unfortunately in the same boat that back ups are in. It's one of those things that is critical but the value is never really seen until its too late. If you don't have a good solution for either of them it you will end up paying for it through the nose and can potentially end a business. The thing that always bugs me is no matter how awesome the firewall you have is someone with physical access will circumvent it. That's one of the main reasons we have penetration testing being done about ever 6 months or so to train our users not to give out their passwords and not to hold doors open for people or click on links to stuff from strange external emails. Penetration testing is also good motivation for your upper management to realize they need to spend more money on security.

Level 9

On a lot of topics, people say you either pay on the front end or you pay on that back end.  I think this cliche does apply in this case.

Level 11

This will improving eventually..

Level 11

Do you mean wary or weary? 

I'm wary of open source software because it all boils down to trust.  Do I trust the developer not to introduce attack vectors into my network?  Do I trust the developer not to introduce security vulnerabilities and to patch identified vulnerabilities in a timely manner?  Do I trust that the software actually does what it claims, and doesn't require tons of hacked together scripts to function properly?

TBH though, I'm also weary of open source software.  Maybe not the software itself, but the harsh opinions that come with open source promoters.  Sometimes you get IT people who are so in love with open source that they want to put all their eggs in open source (and most often unsupported) baskets.  I think there is definitely a time and place for open source, but generally that place is not in the large enterprise.  Perhaps for non-profits or mom and pop shops, but not large enterprise. 

Level 9

It is definitely a balancing act. Having the right tools to meet the business requirements, whether it is security or not, goes a long way to the efficiency and productivity of your IT staff as a whole and most certainly, your
Security Team. It all boils down to money and asking the simple question "How much is your data worth? To a competitor? To another country?" tends to get the attention of the C-level. As a security professional, your responsibility is to the company and knowing the needs of its business units can help you develop a proper plan and secure appropriate budgets to circumvent any issues up front.... BEFORE IT IS TOO LATE!

I guess the best analogy might be the cart before the horse. If your horse (InfoSec) is well fed and well cared for it will take the cart as long and as far as you need to go. But if the horse isn't well cared for, the cart will be left on the side of the road vulnerable to any threat that comes along.

Get your InfoSec right from the start!!!! It may cost you on the front end but it can save (your butt) on the back end! bsciencefiction.tv mfmahler

MVP
MVP

You can lower costs by being selective in your monitoring. It's a cost-benefit exercise. But it requires that you thoroughly understand the risks involved before making a decision. Your CFO might recoil at the cost of security, but your CIO will understand to cost of insufficient security.

Level 12

We have more and more products and applications (for security or not) built based on the Open Source projects. The recent Heartbleed OpenSSL vulnerability had big impact even to security products and applications.

Level 12

Webbster I'm glad that you have a good security person to work with. Treasure that person.

Level 12

Good points.

I see that with any of those different routes an organization to take the total would not be small.

Level 12

belthasarx You are right on spot with the backups analogy.

Self-assessment and training better users are critical. Your organization is pretty solid in those areas.

You mentioned that the pen testing would be a good motivation to persuade the upper management to spend $$$ on security. Would you share one or two of your stories?

Level 12

Hari Pala Would you share a little more of your thoughts?

Level 12

dwoj Do you agree that no matter spending on the front end or on the back end it won't be cheap?

Level 12

Well said, mbwalker.

It all boils down to money and asking the simple question "How much is your data worth? To a competitor? To another country?" tends to get the attention of the C-level.

Get your InfoSec right from the start!!!! It may cost you on the front end but it can save (your ****) on the back end!

I think we are on the same page.

Level 12

michael stump And hopefully the fact of cost of insufficient security surfaces before the company makes a headline news due to security breach. Dr Who was always right.

Level 9

matt.matheus, I apologize that it took me so long to reply. mfmahler, I apologize for not elaborating.

I guess I meant wary and for the same reasons stated above. My biggest issue is with trust. I also find that open source can be more time consuming to support. I agree completely that there is a time and place for open source but not in an enterprise environment. Well said, Matt!

MVP
MVP

Security has always been a money pit in the IT industry. Not only for the cost of the tools, but the employee cost also. It does not seem that any cost is being reduced over the past few years, in fact as more and more companies are becoming aware of security the cost keeps rising and rising. As long as you have individuals out there designing new ways to breach security, your cost in that realm will always increase in order to provide the tools and personnel.

Level 11

Security absolutely cost money.. but it cost a lot of money to not have it too.  One think I have seen a lot lately is a transition of charging out IT services.  It seems at some point we may have to find ways of transitioning the burden of IT costs including security to "money making" costs centers so that IT doesnt look like the sink hole that it currently does to those wearing non IT suits. 

Jim

Level 13

One great way to reduce security costs is by implementing solutions that can be used for multiple purposes, and doing that first. Examples:

1) Log collectors and analyzers can be used by both security and operations personnel, if you use tools that don't lock you into a ops-specific or security-specific workflow.

2) NetFlow analyzers can be used by operations, security, networking, and helpdesk -- if they provide sufficient granularity, flexibility, and detail.

Compare this with firewalls; firewalls are basically routers that are broken by design: they don't forward all packets. They can usually be pressed into service as packet capture probes if necessary, but they're not that good at it.

Thus, if I had a limited pool of capital funds, I'd much rather have a really good logging tool, a really good flow analyzer, and a basic firewall than a NGFW that blows the whole budget.

Of course, this assumes that an organization can function with cooperation across silo boundaries, which may be pure fantasy for many corporations.

Build visibility first. In my opinion, you can't buy commercial products for any amount of money that rival OSS tools in the visibility realm.

Level 12

jayson weiss, apology accepted.

We see open source everywhere, including enterprises. Does it save enterprise's money? Not really, if you add all costs, including manpower, together.

Level 12

Kurt H, absolutely and agreed!

Level 12

Usually it's hard to see the "cost saving" of the proper information security implementation, until too late. Think about the cost of credit report offerings of millions of your customers.

Level 12

jswan, good idea! Get security tools with multi-purpose and set up role-based access control. Even hopefully the costs can be shared by multiple departments.

Yup, visibility and control. I hope no one, even for small businesses, would think that firewall alone is enough to protect the company.

Level 13

Not to mention the constant care and feeding.  I've seen too many IDS/IPS deployments where the customer made the assumption that it is a set-and-forget product.

Level 10

Sorry I've been swamped the past couple days. Well essentially the story was that we had a 3rd party that was doing security audits on the company but they didn't do any sort of penetration testing or any kind of testing for that matter. They would come in and ask the various departments what did they do and record the responses and compare them against what our policy stated that they should be doing. If it matched up, they passed. That was all they did, they didn't actually verify what was being said. Our group kept bringing up issues that we saw where policies were not being followed and upper management finally agreed to have another vendor do penetration testing to actually verify what we were stating were issues. They nailed us on ever single thing they could find and we were able to add more people to our security team. It went from 1 person to 6 and we were able to purchase hardware like an Alienvault server and start using better internal monitoring of system changes being made with some other security software that wasn't in the budge before.

Level 12

wbrown You are absolutely correct. IDS/IPS systems need fine-tuning. There is no one-fits-all set of rules. Every organization needs its own deployment for its particular environment. Even in the same organization, the web DMZ and internal user segments should have different IDS/IPS rules/policies.

Level 12

belthasarx No problem. Today has been crazy since the morning for me, too.

Thank you for sharing your encouraging story! It's awesome that your upper management realized the importance of the security and expanded the security team.

Level 21

I just look at it all as decisions each with some form of cost associated with it.  If my Exec's/VP's say they want me (and my team) to provide some level of functionality, it's just another technical challenge for me.  I let them know what the cost will be and then they need to decide if it's more expensive to have the new functionality or to not have the new functionality; security and open source tools are that same balance.

The trick is being able to see (or in some cases show) the costs of NOT having something.

Level 12

byrona We can show our executives how much it costed Target (I'm sure that Target was well protected, but still...) :

Target said it can't yet estimate how much the data breach will cost it in total. But in the fourth quarter, it said the breach resulted in $17 million of net expenses, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable.

Level 12

Per my experiences,security cost (spending) depends on nature of the employer!  I have seen where data intigrity and security have highest proirity, the CIO, CEO and CFO agreed on spending with any cost or they may lose more than trying to save

Level 8

I agree that BYOD and retention of data are two huge issues affecting information security. I am all for open source and DIY solutions, but they require such a high level of commitment compared to hiring someone to do it for you. As our economy continues its trend towards being more information-based, the amount of resources we need to throw at this will steadily increase. Thank you for the post.

Level 12

ZibaK Certainly more and more employers, big and small, have realized the importance and absolute necessity of the information security. In those organizations where data integrity and security are in highest priority, infosec folks are easier to come up with the requested budget.

Level 12

matthew.andress Actually, thank you for sharing your thoughts here.

Our fundamental concept of information security remains pretty much the same in the past 10 years (stop the bad guys from outside and from within). But, boy, the infosec landscape has been changed so tremendously in the same period. You are right, the amount of resources we need for infosec will increase, and may be in a increasing pace.

Level 14

Late to the conversation, but I thought part of the benefit of open source is that a developer can't introduce security vulnerabilities (willingly or otherwise) because the code is reviewed by the group.

My main issue with open source in enterprise is (as has been mentioned) support.

Level 13

That’s the theory of it at least. TrueCrypt is undergoing a security audit of its code right now and not everything coming back from that audit is good.

TrueCrypt is open source and has been used for YEARS with no one reviewing the code and seeing these issues. So far, as much I know, there are no security issues, just not following best practices and some badly formed code – but no one knew it was there.

About the Author
CCIE Data Center #46006. I am passionate IT professional who splits the work hours as a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double personality professional life.