How to be a successful CISO without a 'real' cybersecurity budget

Many new CISOs are stepping into the role for the first time at a company where no formal security budget exists.

A CISO who recently started a new job at one of the top 10 cable companies in the US lamented that he does not have a cybersecurity budget to purchase tools from FireEye, Palo Alto Networks, and Cylance the way his peer CISOs do.

He went on to say that even with a very limited budget he can still solve cybersecurity problems and reduce enterprise cyber risk with a “back to basics” approach to security controls: baseline the environment and adjust the security architecture of his corporation.

When we hear this common theme from CISOs, we typically assume this is an “open source” shop that has to get everything for free in order to have a cybersecurity program at all. The irony is that he was not leaning toward open source tools, but toward applying layered security across the enterprise to reduce cyber risk, all without a true cyber budget.

Over the years I have learned a very important lesson about cybersecurity: most cybersecurity problems can be solved with architecture changes. That may sound easy on the surface, but it is not. When you have to work with a “flat” network and many applications that depend on ancient firewall rules, it is not easy to walk into the CIO's office and ask to re-architect the enterprise without hearing some complaints.

I have been very fortunate to work with many Fortune 500 companies that let me experiment with different architectural ideas, which required some very clever convincing and selling of how each idea would benefit the business. Out of that work I developed an architecture method, which I share freely here; it rests on some fairly abstract ideas but actually works. Here are the foundational fundamentals of the Bell Security Enterprise Architecture method that I developed:

  1. Stop fighting the malware game. Learn to co-exist in a malware-infested environment with a zero-trust model: treat the internal network as if it were the Internet.
  2. Stop focusing on the latest and greatest tools from the hottest vendors; more tools are not stopping security breaches, they only slow them down.
  3. Focus on the critical systems that matter for data protection (systems holding PII, Social Security numbers, credit card data, intellectual property, etc.). Do your best with the rest of the company environment, but don’t put your career on the line fighting battles that don’t matter.
  4. Use a virtualization-style overlay to place your desired security architecture on top of the existing enterprise architecture without moving any systems within your company. Keep everything intact. Create a “security zone” around each existing server that holds sensitive data so that the server is isolated from the rest of the internal network. Do this for every sensitive data server.
  5. A security zone consists of a low-cost firewall in front of the server with very few rules/ACLs: a short allow list and nothing else. Security zones communicate with each other over point-to-point encrypted connections. Other connections, such as monitoring of server health and status, pass through the zone firewall unencrypted.
  6. Part of the method is to build a virtual “network overlay” out of these security zones to compartmentalize sensitive data on existing systems, instead of migrating them into a traditional security enclave or VLAN, which would disrupt the business: moving systems breaks applications that depend on the existing firewall rules. Security zones communicate with each other via VPN or TLS through a protected encrypted tunnel. We no longer care what is happening on the rest of the network outside a security zone.
  7. Put a “jump box” in front of each sensitive data server so that all access is tracked, and require two-factor authentication at the jump box of each security zone as an additional layer before anyone reaches a critical server. The jump box logs and controls all access to its security zone.
  8. If possible, devalue stored sensitive data through encryption or tokenization of data at rest. At a minimum, recommend application-level encryption rather than database-level encryption: the application encrypts a field before it is written, so a database administrator (or anyone else who can read the database or its backups) sees only ciphertext. Database-native encryption typically protects the files on disk, not the data as seen through a privileged database session.
  9. Stop storing encryption keys on the same servers that perform the encryption. Use the split-key method: split the key into parts held on different servers, each locked down with file and directory permissions, so that the whole key exists only in the memory of the application that reconstructs it.
  10. Also consider splitting the data itself across separate stores, if possible, so that it has to be joined (for example, a table join across encrypted columns) before it is usable. Be cognizant of the performance and latency cost.
  11. Use asymmetric network routing to the Internet, splitting traffic across two paths, to reduce the threat of packet sniffing by malware: a sniffer positioned on one path sees only half of the data. Note that this only helps against a sniffer sitting on a network path; malware on the endpoint itself still sees everything.
  12. Start encrypting in memory to counter RAM memory scrapers, using custom applications where needed. Holding encryption/decryption keys and sensitive data unprotected in RAM is unsafe; malware is already scraping those memory spaces. Research the “TRESOR Linux kernel patch” (which keeps AES keys in CPU debug registers instead of RAM) and the Windows CryptProtectMemory API.
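The zone model of items 4 through 7, as an added example that is not part of the original article: a small Python program that models one security zone's allow list, evaluates sample inbound flows against it with an implicit default deny, and renders the same policy as an nftables input chain for the low-cost zone firewall. The zone name, the jump box, the peer-zone server, the monitoring subnet and every address and port are constructed for the example and are assumptions, not values from the article.

```python
"""Model one security zone (items 4-7): a short allow list in front of a
sensitive-data server, default deny for everything else on the flat network.
All addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    src: str      # CIDR permitted to reach the zoned server
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the zoned server
    purpose: str  # rendered as a rule comment so the ruleset documents itself


ZONE_NAME = "zone_cardholder"        # assumed zone around one cardholder-data server
JUMP_BOX = "10.0.50.10/32"           # assumed jump box: the only admin path (item 7)
PEER_ZONE_SERVER = "10.0.60.5/32"    # assumed server in another zone, speaks TLS (item 6)
MONITORING = "10.0.70.0/24"          # assumed monitoring subnet, unencrypted polling (item 5)

POLICY = [
    Allow(JUMP_BOX, "tcp", 22, "admin SSH via jump box, 2FA enforced on the jump box"),
    Allow(PEER_ZONE_SERVER, "tcp", 8443, "zone-to-zone application traffic over TLS"),
    Allow(MONITORING, "udp", 161, "SNMP health polling from monitoring"),
]


def is_allowed(src_ip, proto, dport, policy=POLICY):
    """First-match evaluation of an inbound flow to the zoned server.
    Anything not explicitly listed is dropped, which is what isolates the
    server from the rest of the flat internal network."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (ip in ipaddress.ip_network(rule.src)
                and rule.proto == proto and rule.dport == dport):
            return True
    return False


def evaluate(flows, policy=POLICY):
    """Return {(src, proto, dport): verdict} for a batch of sample flows."""
    return {f: ("accept" if is_allowed(*f, policy=policy) else "drop") for f in flows}


def nft_ruleset(policy=POLICY, name=ZONE_NAME):
    """Render the policy as an nftables input chain with `policy drop`,
    suitable for `nft -f` on a Linux zone firewall."""
    lines = [
        f"table inet {name} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f'    ip saddr {r.src} {r.proto} dport {r.dport} accept comment "{r.purpose}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed sample flows: the jump box, a random desktop on the flat
# network, the peer zone, and a monitoring host trying an unexpected port.
SAMPLE_FLOWS = [
    ("10.0.50.10", "tcp", 22),
    ("10.0.50.11", "tcp", 22),
    ("10.0.60.5", "tcp", 8443),
    ("10.0.70.33", "udp", 161),
    ("10.0.70.33", "tcp", 22),
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{verdict:6} {flow}")
    print(nft_ruleset())
```

The point of keeping the policy this short is that the flat network outside the zone does not need to change at all: the desktop at 10.0.50.11 sits on the same subnet as the jump box and is still dropped, because only the jump box address is listed for port 22.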
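Items 8 and 9, as an added example that is not from the article: stdlib-only Python that splits a field-encryption key into two XOR shares stored on separate "servers" (two directories here, with 0700 on the directory and 0600 on the share file), reconstructs the key only in the application's memory, and encrypts a card number before it reaches the database so that a DBA sees ciphertext. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs without third-party libraries; in production use AES-GCM from a vetted library. The paths, the sample card number, the domain-separation labels and all helper names are constructed assumptions.

```python
"""Application-level field encryption with a split key (items 8 and 9).
Stdlib only: the cipher below is an HMAC-SHA256 keystream plus an
encrypt-then-MAC tag, used so the example runs anywhere. In production
use AES-GCM from a vetted library; the split-key handling is the point."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

NONCE_LEN, TAG_LEN = 16, 32


def split_key(key):
    """XOR secret sharing: share_a is random, share_b = key XOR share_a.
    Either share alone is indistinguishable from random, so a single
    compromised key server yields nothing."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def join_key(share_a, share_b):
    """Reconstruct the key in memory only; never write the result to disk."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def write_share(directory, share):
    """Store one share on its own server (a directory here), readable only by
    the service account: 0700 on the directory, 0600 on the file (item 9)."""
    os.chmod(directory, 0o700)
    path = os.path.join(directory, "key.share")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(share)
    return path


def share_mode(path):
    """Permission bits of a stored share, for checking the lock-down held."""
    return stat.S_IMODE(os.stat(path).st_mode)


def _subkeys(key):
    # Separate encryption and MAC keys derived from the reconstructed key.
    enc = hmac.new(key, b"field-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"field-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    """Returns nonce || ciphertext || tag; the application does this before INSERT."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def verify_field(key, blob):
    """True only if the tag checks out under this key (wrong key or tampering -> False)."""
    _, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_field(key, blob):
    if not verify_field(key, blob):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo(plaintext=b"4111111111111111"):
    """End to end: split the key across two 'servers', store the ciphertext as
    the database would, then reconstruct the key at start-up and read it back.
    The card number is a constructed sample value."""
    key = secrets.token_bytes(32)
    share_a, share_b = split_key(key)
    server_a, server_b = tempfile.mkdtemp(), tempfile.mkdtemp()  # stand-ins for two hosts
    path_a, path_b = write_share(server_a, share_a), write_share(server_b, share_b)
    del key                                    # the whole key lives nowhere on disk
    stored_row = encrypt_field(join_key(share_a, share_b), plaintext)  # what the DBA sees
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:           # application start-up
        runtime_key = join_key(fa.read(), fb.read())
    return {"stored": stored_row, "recovered": decrypt_field(runtime_key, stored_row),
            "share_a": share_a, "share_paths": (path_a, path_b)}
```

Two properties are worth checking on any real deployment of this pattern: a single share must not verify or decrypt anything (a compromised key server gains nothing), and the share files must actually carry the restrictive mode after deployment tooling has touched them.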

The benefits of this architecture method:

  1. Fewer battles with the CIO and business operations.
  2. You come across as a more flexible, “business friendly” CISO.
  3. Low cost: it leverages what is already free within your enterprise.
  4. Better cybersecurity posture with reduced cyber risk.
  5. The existing architecture stays in place, without overhauling the business or having to hire outside enterprise architects.

The architecture method above is one of many ways to implement a successful cybersecurity program when the budget is not where it needs to be in your organization.

This article is published as part of the IDG Contributor Network.

Stories by Todd Bell