No budget for security? Try harder!

Andreas Dannert

President of ISACA Melbourne Chapter

Organisations often view security as a burden and not as an enabler. In doing so they are losing to their competition. It is like playing Russian roulette and the first one who gets hit will lose for sure, while some others might follow or get out of the game early enough.

Does it need to be like this? What if you change the game and swap Russian roulette for chess? In chess two equally matched players will always end up in a draw, but is it about winning or is it about being better than your competitors when it comes to security?

Implementing security better than 75 per cent of your competition should make your business a very unlikely target unless you have special assets.

In return, this will allow your organisation to focus on winning market share by offering better products and services without distractions.

The last thing an organisation wants to do though is play Russian roulette when it comes to security and lose everything. What does this mean and how can we achieve it?

Security needs to become second nature to an organisation, like marketing and accounting. Let’s face it, hardly any organisation questions the need for these services, but they may well question the need for proper security and often see it as a burden instead.

To get out of this vicious cycle we first need to change an organisation’s stance towards security by changing its employees’ perception of security. Phrased differently, we want to change the game from Russian roulette to chess.

To achieve this, business leadership needs to lead by example and practise good security behaviour. It also implies having an understanding of what good security means and that there is no 100 per cent security.

It’s like life: you will eventually lose, but you can still enjoy a more productive and better life given the chance and with the right attitude. An organisation should convert mistakes made in security into wins by learning from them.

Embrace mistakes as good chess players do: losing means learning to become better at your game.

If the people of an organisation are not convinced that security is a required service and will not play the game, you have already lost.

No technology or process will make up for employees’ attitude towards security. Make sure you hire the right people for your business, people who are willing to play the right game.

I personally believe that Edward Snowden in this respect wasn’t a good match for the NSA and it wasn’t the fault of the hiring process. I would argue that he was too ethical for an organisation that asked for what most of the public would view as unethical behaviour, but that is a different story.

All you have to remember is that you need to hire and train the people that are right for the security stance of your organisation, and that this applies to all employees, not just the ones in your security team.

Once you have the foundation and the support of your organisation’s employees, you need to ensure that the level of security provided by employees’ behaviour and their integrity is matched by your technology and processes.

To be on top of your game you need to ensure all aspects of your security are at the same level, and think of it like the stages of a chess game.

You need to be equally good in your opening, your middle game and your endgame. Your security spending needs to be levelled across every aspect of protecting your assets.

An attacker will usually go after the weakest link in your organisation. Likewise, attackers will go after the weakest organisation.

Think of it like this: you are spending 20 per cent on educating your employees and 40 per cent each on processes and technology. Wouldn’t an attacker opt for socially engineering your organisation, since that will probably be the weakest link?

This means you have wasted 40 per cent of your allocated budget and made it 20 per cent easier for an attacker as far as their effort is concerned. You will notice this example is independent of the total budget you have allocated towards security.

An organisation that is more efficient in utilising its resources and splits them more equally will be ahead of yours when it comes to effectiveness. This in turn might put your own organisation at a higher risk of going out of business, or at least come with a higher penalty.

Ultimately you will be at a disadvantage compared to your competition and risk losing your business.

Once spending is equally allocated to all areas of security, it’s time to ensure you get the basics right.

Looking at our chess scenario I would argue that learning the basic rules of the game first before looking at complex strategies is essential.

This also includes understanding which pieces you have, their value, and their strategic advantages and disadvantages. Coming back to our employees, this means there needs to be an appreciation of why security is good for the organisation before pushing out password policies and other rules that will otherwise be seen as a nuisance.

On the technology side it implies that you have a full inventory and understanding of your IT infrastructure. Too often organisations are hard pressed to identify their full inventory of components.

What good are advanced security systems if one does not know the weaknesses and strengths of their existing infrastructure? Good chess players always know the value of each piece and its weaknesses, but also how to utilise it most efficiently.

For example, a well-hardened system could be of more value than a sophisticated IDS that no-one properly monitors or knows how to interpret. As a result, an organisation might want to improve its configuration management system instead of investing in new security appliances.

This can be another way of reducing your security budget, since a good configuration management process, for example, benefits not only security but your overall IT performance. Finding more of these synergies can dramatically change the way the business looks at security budgets and gives security managers a way of leveraging the resources of other departments.

Another good example would be the implementation of an “Identity and Access Management” system. This is not only key to improving security by simplifying audits and access granting and by reducing the cost of password resets, but it could also provide an organisation with much more insight into the utilisation of systems and into employee and/or customer behaviour.

Looking at some recent breaches, like the Google bug that potentially exposed thousands of Google email addresses, the Target breach that could have been prevented by using chip and pin, and the Heartbleed bug, we need to realise that these were issues caused by not getting the basics right. These are not complex breaches compared to Stuxnet, which was a very sophisticated piece of malware.

Lastly, an organisation should look at its processes. Having people with the right attitude and utilising your technical infrastructure to its full potential only works if these are linked as efficiently as possible, with as small a margin of error as is reasonable.

In short, get your processes right and you will get more value out of an organisation’s technology and employees. Processes need to be error-free and easy to execute. Faulty processes lead to losing out to competitors who are better at designing and implementing processes, which is especially true for your security processes.

If there are issues with the processes, they can be used against you by attackers, but they can also create resistance within your own organisation when implementing security at large. One of the obvious examples is stringent rules around passwords, which often lead to employees writing them down.

Another example would be the process for on-boarding new employees. If this process is too cumbersome it can lead to password sharing. Security processes ideally are almost invisible and seamlessly integrated into the day-to-day processes of an organisation.

There is a reason the biometric sensor on the iPhone is so popular, despite it not being 100 per cent secure. It’s still better than no password, and hence you are still better off. In summary, an organisation can choose not to spend on security, but that is like playing Russian roulette.

On the contrary, a little budget can get you close to your competition and make you a less likely target to be hit. An average budget effectively used can even protect your organisation’s assets better than your competitors do, and hence provide you with a competitive advantage.

Remember, security is not about winning, but about being ahead and allowing your organisation to focus on its products and services.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
