Let’s Fix It: The Gap Between IT Budgets and IT Security


Are there any excuses anymore for not dedicating a serious effort towards your company’s IT Security?

There are some common and not so common things you might be thinking about for IT Security. Budgets and framing the conversation might be your biggest hurdle.

Here are 3 examples of how budget hacking can lead to... well, actual hacking, and something you can do about it.

The Basics – Economic Downturn
In the past decade, the economy has tanked. Enterprises were looking for ways to cut costs. DR, security and other proactive services were cut. These were the easiest targets because of the perceived low benefit.

Security Risk: The dedicated IT Security job has been cut and its responsibilities scattered to folks wearing other IT hats. To compound the problem, other IT staff have been cut as well.

How to Communicate the Risk: This one is difficult to address because of its scope, and it takes the longest to ramp up. You may not even understand all of IT’s exposure. Don’t get too bogged down in the big picture!

Start reading security blogs and watch for similar companies in your industry that have been hacked and the common ways hackers enter a network. Build your conversation around similar high-risk systems that you may have and any low-hanging fruit that can be addressed. This will at least get you some attention and put the company on the right path.

If your conversation is well received, you may want to recommend an engagement to identify risks. When you get the results, go beyond the technical and translate the risks into something the business can understand.

No one in the business will grasp the significance of not running an Intrusion Detection or Network Behavior Analysis system, but they will understand that the credit card system running under Gary’s desk could easily be stolen from your office.

The Not so Obvious – The Custom Written Application
For large Enterprises a decade or more ago, custom written applications were the cloud of the day. By hiring a small team of these computer geniuses, you could get exactly what you needed. I remember those guys; where did they go?

Security Risk: A critical database with customer information is still on SQL 2000. The developers left years ago, but despite the critical data stored there, the application works too well to give it up. No group has stepped up to take ownership because no one wants the head count or developer budget to hit their numbers.

Side note – when planning cloud applications, define an application lifecycle so this doesn’t happen!

How to Communicate the Risk: In terms of critical and outdated applications, there are 2 risks.

1. The data is stolen because the application is outdated and easily hacked – frame this conversation in terms of the data type and the exposure risk to the media. Talk to your marketing team. They could lead you to other conversations with business units, which could lead you to a real financial impact for the risk.

2. The application is taken offline and can’t be rebuilt because it is outdated – this is a bonus one! Find the business partners using the application. These folks should be able to provide potential business losses, etc. Depending on the exposure of the offline application, marketing could help you here as well.

Since we’re talking about not hiring security professionals, but developers instead, you should steer the conversation to the business units. Discuss the secondary benefit of adding functionality to these applications. You may find a business unit is aware of this risk and might take the headcount on if needed, or at least fund a quick project to get it done.

The One Thing Missing – Identity Management
Matt Zanderigo laid out a great framework to get companies thinking about how they can look at IT Security. If there was one thing I could add, it is that an Identity Management solution with a tight termination policy and consolidation of directory access supplements everything he’s laid out.

Security Risk: Your company has 4 directories, all with critical access to critical applications. There are 4 teams of people that are responsible for terminating access. One team has staff out of the office and terminations are just sitting there.

Ho boy, in this scenario you are relying on so many disparate teams to terminate account access that you had better hope VPN is first on your list and that you aren’t using cloud services!

How to Communicate the Risk: Review your termination SLAs and compare them against active accounts using the termination feed from HR, then provide a report of stale accounts to your management chain. Write up the ways this risk is mitigated now (physical access controls, tighter VPN controls, etc.), but point to where the holes still exist.
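The stale-account comparison described above, written out as an added example (not code from the original post). It assumes a hypothetical 24-hour termination SLA that applies to every directory, a constructed HR termination feed, and constructed account exports from four directories; the report it returns is the kind of evidence you would hand to your management chain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed SLA: every directory must disable the account within 24 hours of termination.
TERMINATION_SLA = timedelta(hours=24)
# Constructed report time for the worked example.
REPORT_TIME = datetime(2024, 3, 5, 18, 0)

# Constructed HR feed: employee id -> termination timestamp.
HR_TERMINATIONS = {
    "E100": datetime(2024, 3, 1, 17, 0),
    "E101": datetime(2024, 3, 4, 9, 0),
    "E102": datetime(2024, 3, 5, 12, 0),
}

# Constructed exports from four directories: (directory, account, employee id, enabled).
DIRECTORY_ACCOUNTS = [
    ("corp-ad", "e100", "E100", False),
    ("vpn-ldap", "e100", "E100", True),            # VPN team never processed it
    ("cloud-idp", "e100@example.com", "E100", True),
    ("legacy-app", "gary.e100", "E100", False),
    ("corp-ad", "e101", "E101", True),
    ("vpn-ldap", "e101", "E101", False),
    ("corp-ad", "e102", "E102", True),             # still inside the SLA window
    ("corp-ad", "e200", "E200", True),             # active employee, not terminated
]

@dataclass(frozen=True)
class StaleAccount:
    directory: str
    account: str
    employee_id: str
    hours_past_sla: float

def find_stale_accounts(hr_terminations, directory_accounts, now, sla=TERMINATION_SLA):
    """Enabled accounts of terminated employees whose termination deadline has passed."""
    stale = []
    for directory, account, employee_id, enabled in directory_accounts:
        terminated_at = hr_terminations.get(employee_id)
        if not enabled or terminated_at is None:
            continue  # already disabled, or the employee is still active per HR
        deadline = terminated_at + sla
        if now > deadline:
            overdue_hours = round((now - deadline).total_seconds() / 3600, 1)
            stale.append(StaleAccount(directory, account, employee_id, overdue_hours))
    return sorted(stale, key=lambda s: s.hours_past_sla, reverse=True)

def stale_counts_by_directory(stale):
    """Stale accounts per directory: shows which team's termination process is the gap."""
    counts = {}
    for s in stale:
        counts[s.directory] = counts.get(s.directory, 0) + 1
    return counts
```

Run with the constructed data, the report flags three accounts: two for E100 (VPN and cloud, 73 hours past SLA) and one for E101 (9 hours past SLA), while E102 is still inside the window.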

You may not need a full-blown Identity Management solution, but a project to build out a better account lifecycle management process could do wonders.

Mind the Gap!
Budgets have different ways to hurt your IT Security efforts. As the economy turns around, it is time to start looking at ramping up your IT Security again. Quantifying the risk and translating it into a risk the business can understand is IT’s responsibility. In all these scenarios, a little investment and re-thinking your discussions can go a long way!
