The Cost of InfoSec Stewardship

"Five billion years and it still comes down to money." -- The Doctor

Hello Thwack, this is Gideon Tam again! I was one of the Thwack Ambassadors for the month of January, 2014. Back in January we had great discussions and comments on the topics of the Log & Event Management in the General Security & Compliance area. If you haven't seen those discussions, here are the links to them:

To Log Or Not To Log: That Is The Question

Don't Panic and Know Where Your Logs Are

So Good They Can't Ignore SIEM

Winning The Loser's Game of Information Security

In the last discussion, Winning The Loser's Game Of Information Security, we generally agreed that the information security would not be a losing battle at all, even though information security breaches made to the headline news all the time (you might receive an email from eBay for changing password last week). Endurance and persistence, my dear fellows.

Recently we planned to replace our current internet perimeter firewalls with the New Generation Firewalls. The price quote we got after a few negotiations still popped out our eyes. This made me think of:

Is it possible to lower the cost of the information security?

In January we talked about that SIEM didn’t come cheap. Remember S in SIEM is $?   We also discussed the defense in depth. All these come with a huge price tag. Yes, we can cut some corners when IT budget permits, but we can only cut that much. If we are able to reduce the costs of information security equipment, what about the costs of the storage to keep the data in order to be HIPAA or PCI compliance?

Thanks to Steve Jobs and Jeff Bezos, we now face new IT challenges: BYOD, public and private clouds, etc. All the sudden we need to implement security measures that we haven’t done before. Of course, vendors help us by providing their awesome solutions and in turn we help them with higher budget.

You may say that we can save by using the open source projects/softwares/applications. I have some open source applications in my environment. I’ve found that it takes quite a bit of manpower to start, implement, and maintain systems with the open source applications. My colleagues and I have been thinking to replace those systems with vendor solutions. And open source is open source. For example, remember Snort -> Sourcefire -> Cisco?

To me, it’s very hard to drive the information security cost down. I, of course, will do my best to keep the expense as low as possible. But I’ll also provide information to the CIO to talk to the CEO and the CFO to request more funding. What do you think? If you don’t agree with me, it is perfectly fine; I want to hear from you and learn from you. Please drop some thoughts, comments, and feedbacks here.