Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money

It's budget season, which means I get to create a wish list of security goodies I'd like to buy.

Trouble Ticket

At issue: It's time to draw up a security wish list for the 2014 fiscal year.

Action plan: Focus on hardening the core and broadening security awareness.

I prefer to have a theme for my wish list. A year ago, it was data protection, and we made significant investments in data loss prevention and file encryption. For 2014, I have a double theme: Harden the core, and educate users. And I won't have to ask for a lot of money for either one.

We've built up quite an arsenal of security tools over the past couple of years. We've got firewalls that not only restrict traffic, but also conduct malware inspection, intrusion prevention, URL filtering and access restriction at the application layer. We have data leak prevention, security event management, endpoint protection, file encryption, network access control and more.

But weaknesses remain. Our firewall rules could be tightened. Networks could be further segmented. Our server baseline image could be further hardened. We need to get better at patch management and endpoint protection, and we need to get a handle on unmanaged devices. We could further restrict URL filters, block risky applications and conduct more assessments. I would like to roll out full disk encryption to all endpoints, a plan made easier by already having Microsoft BitLocker bundled with our enterprise license.

In fact, we should be able to leverage several of our existing technologies to further harden our core. Meanwhile, I'll spend money to save money by expanding security operations offshore.

Technology is a great security aid, of course, but it will never eliminate incidents. Our incident categories often involve phishing attacks, social engineering, off-network downloads of hostile programs and inadvertent data leakage. What do they all have in common? Users. I'd say about 80% of our security incidents could have been prevented if someone had just thought about security. That's why I expect a payoff from a greater focus in 2014 on security awareness and training.

We already have mandatory general awareness training, and all employees are required to take it once a year and confirm that they understand it. But I want to take the program to another level. First, this will mean expanding the content and the users' exposure to materials by including short awareness courses in specific areas of both security and compliance. I'll then work with our learning management team on providing additional mandatory training for certain employees, based on job function. For example, the R&D group would be required to take application security awareness training, help desk technicians would be expected to take courses on social engineering and incident response, members of the legal team would have to take short courses on the privacy and security implications of compliance topics such as PCI and HIPAA, and customer-facing employees would be required to take training in handling data. I'll also ensure that security awareness is included in our new-hire orientation program, and I'll provide security awareness presentations at remote offices when I can during my travels.

Besides increasing training, I'd like to bombard employees with security awareness reminders, since frequent reminders reinforce once-a-year exercises. For example, I plan to push security awareness screen savers to every Microsoft endpoint. In our break areas, we have monitors that display sales quotas, marketing materials and other company announcements. Why not include a security awareness slide from time to time?

Finally, to measure the effectiveness of the awareness training, I plan every once in a while to send out emails disguised as phishing attacks, then collect statistics on how many employees take the bait. If I've done my job correctly, that number should decrease over time.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Show Comments