Information Security and Budgets

I guess the question is "Can I have a good infosec program without spending a lot of money?" Well, "a lot" is a fairly relative term. I can say that cyber/information security programs are pervasively underfunded in the industries that I have observed. Very few organizations, including federal, state, and local governments, invest adequately in defending their data. Those with money to lose, like banks, hospitals, and businesses, do a better job, but even then maybe two of my customers over the past several years really put some cash into their defenses.

The quick answer is that you get what you pay for. If you are a smaller organization, with fewer than 500 nodes to defend, you might be able to defend yourself with one ninja and some open-source tools like Bro IDS, Snort, iptables and the like. Once you grow beyond this, most of these tools require more interaction than you can afford personnel-wise, as you would have to dedicate one employee to the IDS, one to the firewall, and so on. Investing in a commercial solution at this point will often provide more cost savings after the initial purchase, as it allows your security analysts to multitask. This is also better for your employees, since they will not get bored with a single facet of security analysis and will tend to remain sharper over the long term.

I have often heard the "numbers" articulated as IT being 20% of your overall budget, and IT security being anywhere between 10 and 20% of that number. Once they are funded, where they sit in your organization's structure also becomes crucial. Hit me up for an org chart if you want one and I will customize it based on your organization's size, mission, and perceived needs.

The question you get once you have great analysts is "How do I keep these well-rounded, sharp security analysts?" That will be somewhat unique to each individual, but the easy answer is "listen to what they say." They will often let you know what they need to do their job, and most people work in this field because they enjoy it.
