Putting the ROI debate aside, these are tough economic times. Assuming we can all stay employed, we might be able to work the situation to our advantage. Nothing motivates management like a financial argument. See if one or more of the following might work to your advantage, because of the downturn.
- Promote centralization and consolidation. The more large organizations I've joined, consulted for, or met, the more I see that successful ones have centralized, consolidated security teams. There's simply not enough skilled security personnel to protect us, and spreading the talent across large organizations leaves too many gaps. Think of the pockets of talent distributed across your own company, and how their skills could be applied organization-wide if properly positioned. If head counts are threatened, make a play for creating a single central group that helps the whole company and bring the best talent into that team.
- Convert business security leaders into local experts/consultants. If you work within a large company, your individual business leaders may not like seeing their local staff join a larger company-wide organization. However, those that remain in the business should now be free to focus on what is unique about their business, instead of the minutiae of managing anti-virus, firewalls, patches, and other "traditional" security measures that are absolutely vanilla functions which could be outsourced overseas in a heartbeat. What's more valuable, a security leader who can run an AV console, configure a firewall, and apply a patch, or one who can advise their business CEO on the risks, regulations, and realities of operating in their individual realm? Notice I said leader and not technician. Technicians do the routine tasks I mentioned and are ripe for outsourcing; don't cling to that role unless you wanted to be replaced by a Perl script.
- Advocate standardization where it makes sense. For example, is it really necessary to have more than one "gold image" for your common desktop/laptop user? Why develop your own image when the Federal government is doing all the work for you with the Federal Desktop Core Configuration? Turn the team that creates your own image into a much smaller one that tweaks the FDCC, and redeploy the personnel where you need them.
- Cut through bureaucracy and authority barriers with a financial knife. This one really bugs me. How many incident responders out there lose time, effectiveness, and data because 1) you don't know who owns a victim computer; 2) finding someone who owns the computer takes time; 3) getting permission to do something about the victim requires more time? You can probably make a case for reduced help desk costs, fewer support personnel, and faster/more accurate/cheaper incident response if you gain the authority to perform remote live response and/or forensics on any platform required, minus some accepted and reasonable exclusion list. This requires 1) good inventory management; 2) forensic agent pre-deployment or administrator credentials to deploy and agent or scripts as necessary; and 3) mature processes and trained people to execute.
- Simplify and build visibility in. An example comes from my post Feds Plan to Reduce, Then Monitor. What's cheaper than 1) identifying all your gateways; 2) devising a plan to reduce that number; and 3) building visibility in? Step 1 takes some effort, step 2 might strain your network architects, and step 3 could require new monitoring platforms. However, when done, you're spending less money on gateways, less time scoping intrusions, and less resources on scrambling during incident response because you know all the ways in and out of your organization -- and you can see what is happening. This is a no-brainer.
- Move data, not people. This is the principle I mentioned in Green Security. I'm sure your travel budget is being cut. Why fly a security person around the world when, if you achieve the goals in step 4, you can move the data instead? And, if you're building visibility in, you have more data available and don't need to scramble for it.
- Wrap everything in metrics. This one is probably the most painful, but it's definitely necessary. If you can't justify your security spending, you're more likely to be cut in a downturn. This doesn't mean "security ROI." What is does mean is showing why your approach is better than the alternatives, with "better" usually meaning (but not always) "cheaper." It can be difficult to capture finances in our field, but I have some ideas. One is intrusion debt. If you've recently hired any outside consultants to assist with security work, their invoices provide a ton of metrics opportunities. (You have a tangible cost that you wish to avoid by taking steps X, Y, and Z in the future.) Metrics can also justify team growth, which is the next step out of the downturn. Be ready!
If you have any ideas, please post them here. I think this is an important topic. Thank you.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.