Come budget time, being the security manager for a financial services company is a great thing. Like any security manager, I have to prepare materials to justify spending company money. But in the financial services sector, upper management tends to be well aware that we have a lot to lose if we’re breached, and customers and auditors continually scrutinize our security practices. Since losing a major deal or failing an audit because of inadequate security is not an option, winning approval for reasonable budget requests is not as arduous as it can be in other industries.
In the past I have received funding for a security engineer who is primarily focused on product security. His duties include identifying and mitigating security vulnerabilities and bugs, driving the implementation of security-related features and functionality, and addressing the security posture of internal tools. In addition, last year we were able to purchase a very expensive source-code analysis tool to aid him in his tasks. This year, he has asked for additional third-party application penetration testing tools and services, which I’m happy to accommodate.
A weakness in our security efforts — one we share with most organizations — is in the area of IT or corporate security. It has improved, now that most of our corporate applications are cloud-based or software as a service (SaaS), which means our corporate network is not populated with a lot of business-critical servers. But that doesn’t mean we can disregard basic security hygiene such as patch compliance, endpoint security, network segmentation and secure configuration management. Like many other organizations, we give our users administrative access to their PCs. We try to protect the PCs by using group policies, but users still install third-party programs. That means that besides keeping up with operating system patches and baseline configuration, we also have to stay on top of third-party application patches. And with more than 80 SaaS applications in use, vendor management and application configuration are critical. All of this is why, during this budget round, I will ask for a dedicated IT security specialist to focus on corporate security.
I also want to hire someone to handle audit and compliance requirements, which continue to grow. We already meet the requirements for SSAE 16 and PCI, and we manage third-party assessments and penetration testing and conduct internal audits. We are now considering meeting HIPAA compliance so that we can sign agreements related to the protection of certain healthcare information that customers may store within our application. All of the audits and assessments have to be followed up with remediation. And so I want a security and compliance analyst. The things I’ve described probably can’t keep one person fully occupied (audits are typically seasonal), but I figure the new hire could also help analyze and crunch data and serve as another eye monitoring security events, besides shouldering other miscellaneous security-related duties.
A lot of the security-related tools that we use I think of as minor technologies, such as a firewall-rule audit tool, a security baseline assessment tool and a few scanning services. Now, though, I’m thinking about investing in a security information and event management (SIEM) tool. It could help us make sense of all the data that comes from our firewalls, Unix syslog, Windows event logs and several other application logs. In a previous job, I had the pleasure of deploying and managing a very expensive SIEM, but I won’t have the budget for a Cadillac this time. I’ll have to review the pros and cons of an on-premise solution versus a managed service provider. Although the latter option would entail directing logs so that the third party can analyze data, identify events and determine whether any of the events warrant escalation to an incident, the fact is that running a 24x7 security operations center is expensive, so I may lean toward that choice.
Once I get my thoughts in order, I’ll put together a few slides that will describe the current problems and the risks associated with not doing anything so that the executive staff can make a decision. Budget planning is typically a give-and-take exercise, since all departments are fighting for those corporate dollars. If I don’t go in prepared, I could end up with a lot less than I’m seeking.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.