I AM A VICTIM of my own success.
You see, I've done a good job as the CSO of a major corporation. And because I've done my job so well, my company hasn't suffered any major attacks. But then — precisely because I've done my job so well — no one sees the real value in the day-to-day security operations that keep the company safe. It's the quintessential thankless job.
So now the company's CIO wants to cut my budget. "There's not much we can do about it," he says. "We're cutting budgets across the board. Why are you so uptight?"
"Because when you cut back on your budget, you have some wiggle room. You can cut things that are not so vital. We just get slower laptops. Or maybe we don't get the upgrades to existing systems we want," I observe. "But when I cut back on the security budget, I put the whole company at risk. If I don't have the people and the technology to detect attacks — or if I lose the funds to implement protective systems to keep new attacks away — we can be taken down to the pavement in very short order."
"Well, still," he says dismissively, "you'll just have to cut back like the rest of us and do less."
And that, as they say, is that.
Oh, sure, I could quote to him all kinds of statistics about what happens during an attack. I could talk about the financial decimation that can level a company that has been attacked. I certainly know where to get the latest CERT Coordination Center statistics that show how attacks have quadrupled since 2000. I subscribe to all the standard trade publications, have access to the IDC reports database and read all the industry analyst reports. I have the FBI and Computer Security Institute annual survey. I attend conferences sponsored by the Information Systems Audit and Control Association, the Institute of Internal Auditors and Internet Security Alliance. Heck, I talk to other CSOs who have been attacked. I know the situation with security attacks is bad, and I know it's getting worse. I know that my company could be next in line.
And yeah, I have done the management education thing. I've thrown the "Do you see how much we spent to fix the crisis?" question at them. I've used various penetration analyses to demonstrate how we can get bounced.
But no one here listens. That is, until something ugly pops up and causes a major security event to occur. Then, of course, all bets are off. Management points fingers and demands security assistance. Employees try to affix blame on the security department for the lack of care and feeding. Probably — way deep down — everyone realizes that it's not our fault. But someone has to take the blame.
Isn't it ironic?
Which brings me to yet another irony. If a security event happens, it is most likely due to an employee who didn't follow the rules and put illegal systems on the network with external connections that allowed a hacker access to the internal network. But all that is cast aside after the crisis happens. You sit knowing that had a budget been approved that allowed you to buy the scanning tool you needed to find the illegal box in the first place, the event would never have happened.
And then here's the final insult: Even if you had prevented the illegal box from being on the network, no one would have known about how you intercepted it in the first place. No one would have appreciated the fact that an event could have occurred through that entry point. It's a vicious cycle. If you start with enough money to prevent the attacks from happening, then on the next go-round your budget gets cut because the value of applying technology to stop the attacks is long forgotten by senior management. It may not be irony, per se, but it's a damn shame.
I really find it frustrating that when a real crisis happens, we seem to spend more money on dealing with the issue at hand than we would have spent implementing the technologies to stop the crisis from happening in the first place. I've brought that up time and time again, but once the crisis is over, corporate fixations are on other areas that demand money that are unrelated to the security issues. "We'll pay for it if we need to and only if we get hit badly," they say.
You can tell me that it's all in a day's work of managing security. That other CSOs run into the same problem over and over again. Maybe it's so, and intellectually, I even understand it (to an extent). But that doesn't mitigate my frustration. Nor does it reduce the risk to my company. I seriously thought about including a certain amount of fluff in my budget so that the cutbacks wouldn't hurt so much, but hey, I'm a security guy. Not only am I a little paranoid; I'm also painfully ethical, or I wouldn't be in this business to begin with. Such creative budgeting techniques make me chafe in places where relief is not possible.
Still, I wish I had a solution to this dilemma. A friend suggested that I start up a bait store. I mean, we all have to eat, and bait usually doesn't talk back. He may be on to something. Except with my paranoid nature, I'd probably begin to think that the fish were up to something.
Another friend of mine, who works for a security company and has spent many years training consultants, says, "Sometimes you have to let the train wreck happen to convince management of the errors of their ways." I suppose that when it comes to budgetary issues, letting the train wreck happen means not being able to prevent every security event from occurring. Hopefully, the train wreck won't be too bad when it does happen. And it will be seen by management as a wake-up call to instil the necessary budget required to keep such events from happening in the future. Until the next fiscal year, anyway.
In the meantime, I suppose I will sit back down with my spreadsheets and try to figure out which risks are less damaging than others. While I'm at it, I might as well get comfortable with the same old laptop that I've had for the past two years. It looks as if I'll be living with it a bit longer.
This column is written anonymously by a real CSO at a major corporation.