Improving Security Without Spending Money
At the recent 2008 Gartner Symposium, one of the major themes was that many CEOs are cutting back on capital budget in response to the current economic downturn, and projections show that this will continue well into 2009. Because of this, Information Security practitioners need to find new ways to deal with security threats, while reducing spending.
Information Security as an industry has been particularly bad about letting vendors run the show. For many companies the response to most security challenges has been to spend money to acquire a new product that addresses the problem. I suggest reading "The New School of Information Security" by Adam Shostack and Andrew Stewart for insight on the reasons for this. However it came about, in this new economic environment we need to find new solutions to problems that don't always involve purchasing.
I will be writing a series of blog posts on the subject of finding and utilizing capabilities that your company may already have available, but is not using or is under-utilizing. In general, I think these fall into three categories:
- Products you may already have - Modern operating systems are made up of many gigabytes of compiled code, and most companies only use a fraction of the features. Other products are also underutilized, often implemented for a single feature while other features are forgotten.
- Products that are free (or cheap) to acquire - Open Source and free products often offer a majority of functionality that their commercial counterparts offer, and in some cases surpass it, for a lower cost.
- People and processes - Improving execution of "the basics" will improve your overall security posture. Scripting can sometimes replace manual processes or even commercial products.
In some cases, these approaches require accepting additional risk. Two examples are an open source solution with less formal support options than its commercial counterpart, or upgrading an operating system before the company IT department truly feels it is ready. New security functionality introduced in this way requires a good business case for why the added risk is justified, and a plan to mitigate that risk as much as possible.