Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money

It's budget season, which means I get to create a wish list of security goodies I'd like to buy.

Trouble Ticket

At issue: It's time to draw up a security wish list for the 2014 fiscal year.

Action plan: Focus on hardening the core and broadening security awareness.

I prefer to have a theme for my wish list. A year ago, it was data protection, and we made significant investments in data loss prevention and file encryption. For 2014, I have a double theme: Harden the core, and educate users. And I won't have to ask for a lot of money for either one.

We've built up quite an arsenal of security tools over the past couple of years. We've got firewalls that not only restrict traffic, but also conduct malware inspection, intrusion prevention, URL filtering and access restriction at the application layer. We have data leak prevention, security event management, endpoint protection, file encryption, network access control and more.

But weaknesses remain. Our firewall rules could be tightened. Networks could be further segmented. Our server baseline image could be further hardened. We need to get better at patch management and endpoint protection, and we need to get a handle on unmanaged devices. We could further restrict URL filters, block risky applications and conduct more assessments. I would like to roll out full disk encryption to all endpoints, a plan made easier by already having Microsoft BitLocker bundled with our enterprise license.

In fact, we should be able to leverage several of our existing technologies to further harden our core. Meanwhile, I'll spend money to save money by expanding security operations offshore.

Technology is a great security aid, of course, but it will never eliminate incidents. Our most common incident categories involve phishing attacks, social engineering, off-network downloads of hostile programs and inadvertent data leakage. What do they all have in common? Users. I'd say about 80% of our security incidents could have been prevented if someone had just thought about security. That's why I expect a payoff from a greater focus in 2014 on security awareness and training.

We already have mandatory general awareness training, and all employees are required to take it once a year and confirm that they understand it. But I want to take the program to another level. First, this will mean expanding the content and the users' exposure to materials by including short awareness courses in specific areas of both security and compliance. I'll then work with our learning management team on providing additional mandatory training for certain employees, based on job function. For example, the R&D group would be required to take application security awareness training, help desk technicians would be expected to take courses on social engineering and incident response, members of the legal team would have to take short courses on the privacy and security implications of compliance topics such as PCI and HIPAA, and customer-facing employees would be required to take training in handling data. I'll also ensure that security awareness is included in our new-hire orientation program, and I'll provide security awareness presentations at remote offices when I can during my travels.

Besides increasing training, I'd like to bombard employees with security awareness reminders, since frequent reminders reinforce once-a-year exercises. For example, I plan to push security awareness screen savers to every Microsoft endpoint. In our break areas, we have monitors that display sales quotas, marketing materials and other company announcements. Why not include a security awareness slide from time to time?

Finally, to measure the effectiveness of the awareness training, I plan every once in a while to send out emails disguised as phishing attacks, then collect statistics on how many employees take the bait. If I've done my job correctly, that number should decrease over time.
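One way to turn those phishing-simulation statistics into the trend check described above, broken down by the job functions that get role-based training. This is an added example, not the author's own tooling, and the campaign figures are constructed sample data:

```python
"""Track simulated-phishing results per campaign and per job function.

Added illustration for the column above (not the author's own tooling):
the numbers below are constructed sample data, not real statistics.
"""
from collections import defaultdict

# Constructed sample results: one row per (campaign, group), with how many
# simulated phishing emails were sent, how many recipients clicked the link
# and how many reported the message instead of acting on it.
RESULTS = [
    {"campaign": "2014-Q1", "group": "R&D",       "sent": 120, "clicked": 30, "reported": 10},
    {"campaign": "2014-Q1", "group": "help desk", "sent": 40,  "clicked": 8,  "reported": 12},
    {"campaign": "2014-Q1", "group": "legal",     "sent": 20,  "clicked": 6,  "reported": 2},
    {"campaign": "2014-Q2", "group": "R&D",       "sent": 125, "clicked": 20, "reported": 25},
    {"campaign": "2014-Q2", "group": "help desk", "sent": 40,  "clicked": 4,  "reported": 20},
    {"campaign": "2014-Q2", "group": "legal",     "sent": 20,  "clicked": 5,  "reported": 4},
    {"campaign": "2014-Q3", "group": "R&D",       "sent": 130, "clicked": 12, "reported": 39},
    {"campaign": "2014-Q3", "group": "help desk", "sent": 42,  "clicked": 2,  "reported": 25},
    {"campaign": "2014-Q3", "group": "legal",     "sent": 21,  "clicked": 7,  "reported": 3},
]


def rates_by_group(results):
    """Return {group: [(campaign, click_rate, report_rate), ...]} in campaign order."""
    by_group = defaultdict(list)
    for row in sorted(results, key=lambda r: r["campaign"]):
        sent = row["sent"]
        by_group[row["group"]].append(
            (row["campaign"], row["clicked"] / sent, row["reported"] / sent)
        )
    return dict(by_group)


def groups_not_improving(results, max_click_rate=0.10):
    """Flag groups whose click rate is not falling campaign over campaign,
    or whose latest click rate is still above the target. These are the
    groups whose role-based training needs attention first."""
    flagged = []
    for group, series in rates_by_group(results).items():
        clicks = [click for _, click, _ in series]
        falling = all(later < earlier for earlier, later in zip(clicks, clicks[1:]))
        if not falling or clicks[-1] > max_click_rate:
            flagged.append(group)
    return sorted(flagged)


if __name__ == "__main__":
    for group, series in rates_by_group(RESULTS).items():
        print(group, ["%s click %.0f%% report %.0f%%" % (c, ck * 100, rp * 100)
                      for c, ck, rp in series])
    print("needs attention:", groups_not_improving(RESULTS))
```

With the sample data, legal is flagged because its click rate rises again in the third campaign, which is the signal that a group's short courses are not landing.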

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
