Then there are businesses that, for whatever reason, have not spent as much time on security as they should have in the past and are playing catch up. Sometimes it’s because they grew too fast. When a business grows, security is often the last consideration. More often than not, these IT managers wanted to do the right thing, but could not get the budget approved. These customers are universally worried about getting the most comprehensive solution they can find for the money.
Surprisingly, we do not see that our customers are worried about a specific threat or risk vector. Web application security is gaining a lot of attention, as it should, but I sense that it's being propelled by the PCI standard, which made web security assessments mandatory this year. I think that's a huge step forward.
In your opinion, how many resources should an SMB deploy when it comes to threat management?
As few as possible. If you listen to industry experts and press, you get an idea that IT leaders must push their business managers to allocate a larger portion of their IT budget for threat management and security in general. I have a somewhat unusual position on that – I think most businesses already allocate enough budget to security efforts. Now, do they get a real return for their money? Not even close.
You can do more with a single well-configured IDS or Log Management product that provides real value than with a garbage truck's worth of security appliances sold to businesses in the name of "defense in depth". Businesses spend an inordinate portion of their budget on security products, but pay very little attention to how they use those solutions. Anyone that has an IPS system serving as a doorstop or a SIM collecting dust on a shelf should consider drastically changing their approach. Find a solution that may not have as many bells and whistles but is easy to deploy and easy to use. SaaS solutions tend to fall into this category, but there are plenty of capable traditional solutions as well. Then spend the remainder of your budget making sure your staff are ready to respond to situations that contribute to the business risk.
A single security admin that pays attention to one product will be infinitely more useful than a whole security team overwhelmed by a dozen sources of data that must be analyzed every day.
Compliance is certainly strengthening the overall security of organizations worldwide, yet we are still plagued by a variety of security risks. What should the CTO pay special attention to?
I don’t expect that to change – security risks are a fact of life. They will continue to evolve and will always be a factor for any business. There are two things I’d recommend for every CTO and CIO out there:
1. Don't assume that SANS or the PCI Council or Bruce Schneier can tell you what your top risks are. Risks are always going to be unique to your environment and, depending on the business you are in, they may not even be entirely network related. Focus on risks that have the most impact on your business, otherwise you will always be chasing your own shadow. Analysis of the top risks affecting your business should be a regular process in your ongoing business planning. Get your organization used to the idea that managing information risk is something as natural as planning your budget.