Let the budget games begin!

Even when top management is enlightened about the importance of good security practices, a security manager needs to go into the budget meeting prepared

Come budget time, being the security manager for a financial services company is a great thing. Like any security manager, I have to prepare materials to justify spending company money. But in the financial services sector, upper management tends to be well aware that we have a lot to lose if we’re breached, and customers and auditors continually scrutinize our security practices. Since losing a major deal or failing an audit because of inadequate security is not an option, winning approval for reasonable budget requests is not as arduous as it can be in other industries.

In the past I have received funding for a security engineer who is primarily focused on product security. His duties include identifying and mitigating security vulnerabilities and bugs, driving the implementation of security-related features and functionality, and addressing the security posture of internal tools. In addition, last year we were able to purchase a very expensive source-code analysis tool to aid him in his tasks. This year, he has asked for additional third-party application penetration testing tools and services, which I’m happy to accommodate.

A weakness in our security efforts — one we share with most organizations — is in the area of IT or corporate security. It has improved, now that most of our corporate applications are cloud-based or software as a service (SaaS), which means our corporate network is not populated with a lot of business-critical servers. But that doesn’t mean we can disregard basic security hygiene such as patch compliance, endpoint security, network segmentation and secure configuration management. Like many other organizations, we give our users administrative access to their PCs. We try to protect the PCs by using group policies, but users still install third-party programs. That means that besides keeping up with operating system patches and baseline configuration, we also have to stay on top of third-party application patches. And with more than 80 SaaS applications in use, vendor management and application configuration are critical. All of this is why, during this budget round, I will ask for a dedicated IT security specialist to focus on corporate security.

I also want to hire someone to handle audit and compliance requirements, which continue to grow. We already meet the requirements for SSAE 16 and PCI, and we manage third-party assessments and penetration testing and conduct internal audits. We are now considering meeting HIPAA compliance so that we can sign agreements related to the protection of certain healthcare information that customers may store within our application. All of the audits and assessments have to be followed up with remediation. And so I want a security and compliance analyst. The things I’ve described probably can’t keep one person fully occupied (audits are typically seasonal), but I figure the new hire could also help analyze and crunch data and serve as another eye monitoring security events, besides shouldering other miscellaneous security-related duties.

A lot of the security-related tools that we use I think of as minor technologies, such as a firewall-rule audit tool, a security baseline assessment tool and a few scanning services. Now, though, I’m thinking about investing in a security information and event management (SIEM) tool. It could help us make sense of all the data that comes from our firewalls, Unix syslog, Windows event logs and several other application logs. In a previous job, I had the pleasure of deploying and managing a very expensive SIEM, but I won’t have the budget for a Cadillac this time. I’ll have to review the pros and cons of an on-premise solution versus a managed service provider. Although the latter option would entail directing logs so that the third party can analyze data, identify events and determine whether any of the events warrant escalation to an incident, the fact is that running a 24x7 security operations center is expensive, so I may lean toward that choice.

Once I get my thoughts in order, I’ll put together a few slides that will describe the current problems and the risks associated with not doing anything so that the executive staff can make a decision. Budget planning is typically a give-and-take exercise, since all departments are fighting for those corporate dollars. If I don’t go in prepared, I could end up with a lot less than I’m seeking.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Click here for more security articles.

Join the CSO newsletter!

Error: Please check your email address.

More about Click

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts