Security Manager's Journal: At budget time, you ask and hope to receive

Our manager has a long wish list as the annual budget time rolls around once again.

It's budget time again, which is a good chance to assess our information security defenses and decide which areas we can best afford to beef up. Here's a look at what I think we'll be able to add this year.

Trouble Ticket

It's time to make the case for funding in the 2013 budget. Action plan: Prioritize the company's security needs, and have justifications at the ready.

First, I want to increase our investment in security information and event management. SIEM has been a great investment thus far, helping us thwart attacks and identify other malicious activity that could have resulted in the loss of sensitive data, unauthorized access or a denial-of-service attack on our network. I can point to a lot of things that justify further investment. My plan is to expand our license and add more network sensors to remote offices. The return on those investments will be that more data will be correlated with additional log and NetFlow feeds from network and server resources.

Next, I want to upgrade the security assessment tools that automatically scan our DMZ infrastructure on a weekly basis, as well as satisfy our regular audit and assessment schedule for internal apps and infrastructure. Our current tools, though fairly effective, lack some of the rich functionality that Qualys, nCircle and Rapid7 offer. Any of those would give us a more robust, centralized management console, integration with other tools and better reporting options. The productivity gains that these products would make possible are a selling point; the tool we end up choosing should pay for itself in short order just in the area of collecting security compliance data each quarter.

Then there's data leak prevention (DLP). When we implemented DLP earlier this year, our budget didn't allow for any decryption infrastructure. A main feature of DLP is that it can detect documents being sent via Web-based apps such as webmail and personal storage sites, but we need to decrypt the SSL traffic before our DLP tool can inspect the data. In addition, we recently migrated our Exchange deployment to Microsoft's Office 365 cloud offering, so now even our corporate email is encrypted in transit. All of that means we need to buy proxy appliances and then send all our Web traffic through them for decryption before it reaches the DLP engine for inspection. We'll be looking at either Cisco or Blue Coat to satisfy this need.

Another area that we need to address is protection against advanced persistent and zero-day threats. We're on schedule with a proof of concept of FireEye, as we seek to understand the value of this type of investment. If the pilot is successful, our plan is to buy a few appliances for our larger offices, but complete enterprise coverage would require an appliance at each of our more than 40 remote offices. If FireEye doesn't fit the bill, we'll look at other technologies, including WildFire, which is already bundled with our Palo Alto Networks firewalls.

Each quarter, I spend about $30,000 for outside firms to conduct penetration testing and give us an independent viewpoint. One recent penetration test of our IP telephony infrastructure identified several critical configuration issues. I would like to double that budget line in 2013, mostly because we are expanding our use of cloud technologies and will need more assessments to keep up.

As for staff, I'll have a harder time. I'm fortunate in being allowed to fill an open position for a security analyst, but I could always use more people. The good news there is that my company just announced a summer internship program. At nominal cost, I can hire a college intern for the summer. I'll be asking for two.

All in all, I know I'm pretty lucky. Not every security manager can ask for so much and have a reasonable expectation of getting it. Still, our security spending remains small, both as a percentage of the overall IT budget and in terms of security spending per employee.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
