Coping with chaos
It may be a time of great change for the infosec industry, but advice on achieving the budgets needed to keep up with new threats remains remarkably consistent, reports Thomas Brewster.
Coping with chaos
Let's start with some good news. Security budgets, generally speaking, are not going down. Chief information security officers (CISOs) and analysts to whom SC Magazine has spoken say they expect budgets to either stay flat or even rise as we head into 2014.
EY's “Global Information Security Survey 2013” showed 93 percent of companies maintained or increased their security budget over the preceding 12 months. Security teams have benefitted from a year in which their industry has dominated headlines, thanks to the leaks of Edward Snowden, which revealed mass hacking and snooping from intelligence agencies across the world. Business leaders have started asking, if the NSA can be compromised by an employee of a contractor, who could hit us?
Meanwhile, market forces are compelling companies to invest in cloud, mobility and analytics to ensure they remain competitive. All need protection, meaning security teams in more forward-thinking organisations are getting better funding.
However, despite all the noise, security budgets won't be rising dramatically across the board. And the shiniest new products – from next-generation firewalls to virtualisation-based zero-day malware catchers – remain hugely expensive. Many organisations simply won't have the budget to fulfil all their protection requirements.
And yet the threat landscape is getting wider and wilder. In 2013, we saw the biggest-ever distributed denial-of-service (DDoS) attack aimed at anti-spam outfit Spamhaus, measuring in at more than 300Gbps. That took out a chunk of the public internet, after upstream partners were targeted by the perpetrators. DNS amplification has made DDoS attacks in general even more of a concern, with attacks of over 100Gbps now commonplace.
The NSA and GCHQ have allegedly broken widely used encryption, potentially placing many at risk of having their data compromised, while trust in the cloud has diminished as the Snowden consequences highlighted just how easy it is for law enforcement to demand data from vendors who hold the keys. This has made security in off-premise environments even more of a concern. “We've seen a lot of people who have gone to the cloud and been promised all sorts of things by their vendors and then found out that they've been lied to,” says Paul Simmonds, former CISO at pharmaceutical giant AstraZeneca and current CEO at The Global Identity Foundation.
Malware and advanced persistent threats continue to evolve too, thanks largely to government investment in industrial espionage. On a more mundane but equally worrying level, IT teams are being forced to embrace bring-your-own-device (BYOD), as smartphones and tablets start to outsell laptops and desktops. There's a lot for IT teams to protect and the task of managing it all is getting more burdensome.
One common response to this ever-growing threat landscape is to invest heavily in perimeter defences, setting up barricades in a bid to block attackers and keep corporate information safe. “Typically, information security budgets focus on the staples of anti-virus software, firewalls and licensing of other security software,” says Brian Honan, CEO for BH Consulting. “To the business this looks like dead money.”
It's no surprise then that such investment looks uninspiring to executives. Too, the effectiveness of many of those legacy technologies continues to wane. Anti-virus has consistently been proven to be poor at catching modern malware as it relies heavily on known signatures. And, firewalls have become increasingly irrelevant thanks to employee use of mobile devices not ordained by IT. Further, rogue adoption of cloud services, like Dropbox or Google Drive, circumvents protections put in place by CISOs.
Fresh approaches are needed. But before investing in new technologies, getting the basics right is essential. Many still forget them. “Most companies are not keeping up to date with the government guidance, which starts with understanding your environment and patching your machines,” Simmonds says. “It's reasonably cheap, but it's certainly not easy. Don't underestimate how hard it is to do that in a corporate environment.”
More frequent and engaging education can also help CISOs nip potential events in the bud, creating a security-conscious, security-aware environment. “CSOs need to better promote what they are doing and provide feedback to the business, in terms they understand, on how that investment has actually saved the company money,” Honan says. “Money invested in a security awareness programme can result in less password-reset calls to the support desk, resulting in cost savings and productivity gains to the business.”
As soon as the basics have been nailed, CISOs' next hurdle is convincing the board that security needs funding. Despite fears that proving return on investment on commitments in protection is something of a chimera, most agree the key is to align security with the business strategy. Indeed, research has shown those companies pressing ahead with more innovative IT projects get bigger security budgets.
Take cloud. Any company that wants to see the manifold benefits of cloud computing needs to wrap protections around it – from encryption and data leakage protection to single sign-on and federated identity management. That's why, when surveying IT teams, research and analysis company Quocirca discovered 40 percent of those who were keenest on the cloud had eight percent or more of their IT budget spent on security. For those who were avoiding the cloud, only 20 percent of these IT teams spent as much.
By delivering leading-edge IT services over the cloud, opening up applications to external users and putting in place social infrastructure, the whole IT team can prove investment in security is worth it, given the major benefits such innovation inside the business brings, says Bob Tarzey, security analyst at Quocirca.
Putting together a roadmap and a vision around the security strategy is vital to getting buy-in at the board level, says Jacques Erasmus, CISO at King, the games maker behind the hugely popular Candy Crush Saga. At the heart of that should be a solid business case. “It's about walking them through that vision so they can understand what will be put in place, how it looks and what we're trying to solve,” he says.
“For each type of different investment, put together a detailed explanation showing not just that we're going to buy some firewalls or network packet forensic solution, but really explaining what the benefits are of doing it,” Erasmus says.
Simmonds adds that security officers have no excuse for not proving return on investment to the board. All that is required of CISOs is to align security with the aims of the business. “If the business is trying to support a workforce around the world, actually you want a good mobile strategy,” he notes. “Anytime I have needed funding for a project that supports the business, I could get the funding.”
An ROI case can be made in a number of ways. “There is an ‘insurance' case,” Simmonds says. “There is a ‘supporting the business' case. There is an ‘enabling the business' case to let them do things they couldn't do before or were afraid to do because it wasn't secure. Then there's the really neat thing of enabling the business to do new things they hadn't thought of before.”
Once the board is convinced and a security budget has been locked in, information chiefs needn't spend their finite pennies on the old guard anymore. No longer should capital be dispensed on ineffective perimeter technologies.
Research has indicated spending in other areas, especially intelligence and analytics-based approaches to security, can be hugely beneficial in terms of both cost and protection.
And, Erasmus warns CISOs against diving into the security intelligence and events management (SIEM) market without looking deeply into the scalability of each product. Many simply won't be able to handle the volumes of data businesses will need to protect in the years ahead.
“Conventional SIEM systems that were very popular a couple of years ago are now really struggling with the volumes of data and the demands that you need to fulfil in terms of security,” he says.
Yet exploring new technologies should be a central part of a CISO's role, if they are to avoid future embarrassment. “Security officers spend on the tools they know rather than the tools that would be most effective in accomplishing the mission, says Larry Ponemon, chairman and founder of the research organisation Ponemon Institute. In other words, many security officers appear to be very resistant to change, he says, suggesting that IT teams appear to spend in the wrong areas.
“Smart companies are making investments in traffic intelligence systems, hardware-based encryption and certain application security tools, such as code scanners, automated pen testing and web application firewalls,” he says.
Security chiefs, once they've chosen where to spend money, need to barter with vendors too. Those discerningly high list prices? They can be brought down, as long as CISOs do the research beforehand.
“You need to negotiate really hard with the vendors to get onto level footing in terms of pricing,” Erasmus says. “You need to have a plan as to how you're going to engage with vendors from the start and really understand how the game is played. Making sure you understand what the vendor's financial year looks like is really very important.”
CISOs can take heart from this advice as they look to 2014 and beyond. Over the horizon lies a world where even more devices are connected and therefore need managing. As Symantec has predicted, 2014 will be the year the “Internet of Things” becomes the “Internet of Vulnerabilities”. Offices will grow smarter as will data centres, thanks to increased automation and increasing use of robotics. Wearables, like Google Glass, will start hitting the workplace, making BYOD even more complex.
But for IT, these connected devices will require the same approach. Many have their own embedded operating systems so will not differ vastly from the systems with which IT already deals. The consensus: Get the basics right, do a thorough risk assessment and effectively show why security needs consistent high-level funding. The more things change, the more they stay the same.
Top 5 tips: Getting C-level buy-in:
1. Demonstrate you can save money as well as spend it. Unwanted or under-utilised technology should be removed, building trust in your budgetary decisions.
2. Speak to the business and demonstrate how security initiatives enable and support revenue generation.
3. Forget the ‘scaremonger' approach. Any fear is always outweighed by the desire to grow revenue.
4. Never build budgets in isolation. Investments are much easier to justify when they benefit a wider audience, inside and outside of technology.
5. Don't always use the ‘top down' methodology. Sometimes it is better to demonstrate how the investment benefits the lower levels of the organisation, C-level will find it difficult to reject something that has already been shown to work. (Craig Goodwin, vice president of security, Monster)