Any large IT shop shows the symptoms — packing crates from countless different vendors; software packages still in their shrink-wrap; and innumerable binders from training courses, conferences and seminars. How much of that investment are you able to use?
IT Security is no different. The historical model is to spend in reaction to problems you’ve already had, i.e., “protecting tomorrow from yesterday,” because we, as security practitioners, still have trouble justifying the benefits of a comprehensive, proactive approach.
This is particularly true when it comes to building security into the design stage of projects, whether building a new network or coding a new product, because those requirements tend not to support the metrics the design team uses as indicators of success. They don’t get the product to market sooner, or light up the fiber before the holiday shopping season, and they add complexity, which is generally equated with a decrease in reliability.
As with all things, it’s better to have fewer, more tangible and achievable goals, than to aim for the moon and crash into the sun instead. You need to think about goals for your security expenditures; they might be things like:
- Recover from a security incident more quickly
- Contain the cascading damage in the event of a data leak or failure
- Keep better logs and forensic records to aid in event reconstruction and analysis
- Formalize the connections between the security analysts and your design/architecture/operations groups so that lessons learned are actually applied
In general, you can probably define your current level of performance, and a way to improve that measurement, without buying anything new. Your expenditure on improvement is therefore internal effort rather than capex. If you can’t see how to improve these metrics without buying more tools, it might be worth bringing in a third-party assessment group to lay out the roadmap for you in greater detail. Most firms will happily take on a small engagement like that because they see a lot of potential upside in follow-on work, so be clear about the expectations you hold yourself and the ones you set with your vendors.
The point, ultimately, is that these goals are management-oriented, rather than technology- or spend-driven. IT managers’ jobs center around making best use of available resources first and foremost. If they can’t offer any solution besides buying stuff, you may have a different problem you need to address.
The reality for most shops is that mustering the political support and organizational momentum around these sorts of projects is a lot harder than pasting a vendor’s material into your corporate PowerPoint template and justifying an expense that way.
Nobody said doing more with less is easy, but the potential rewards at the foundation of your company can be much more durable and valuable.
By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services