Out with the old, in with the new.
Ah, I love the freshness of a new year—the hope, the potential, the resolutions ... and of course, the phone calls and email from vendors who are celebrating the turn of the fiscal year by checking in with you to see if you have any new money you can give them.
If you’re lucky enough to be in a shop where you already have a lot of security infra in place, there comes a time when you need to sit down and think about refreshing it all. And given that consolidation in our industry has taken on the mating frenzy of a Parisian sex club, it can get really confusing to try to figure out what to buy as a potential replacement for anything.
Rule number one: don’t think in terms of boxes or products. “Let’s see, we have one AV, four firewalls, two WAFs, one MARS, and three pairs of ... hey, where did these Jimmy Choo authentication tokens come from?” If you’re still thinking in terms of a firewall, you’re going to go out to shop for another firewall, and you may be confused to find out that there isn’t any such thing that you can buy as a standalone any more. On the other hand, you shouldn’t think of things in terms of UTM suites either: “I’ll take a McAfee and that should cover everything except ... um ... the F5. I think.”
Let’s start at the top and look at overall security management strategy. There are plenty of things you can do to address security risk that don’t require procurements or even necessarily tools. You can (and should) spend a goodly amount of time shoring up your management processes, your policies, and your architectural design. Rigor is half the battle for security. Auditing isn’t fun, but you gotta do it, and that means talking to the business. Training, if you do it in-house, is also “free” (and by that, I mean “costs only your FTE time”).
So your overall security program should be functionally categorized, and this could be as simple as dividing things into prevention, detection and response. Underneath that, when you list your initiatives, you can break out which ones are going to require more manpower or other expenditures, and that will go into your functionally aligned budget. (I do a line-item budget too, because I have to, but I map it back to security functions in another tab on the spreadsheet.) For example, some of the categories I use are “maintain compliance,” “maintain security infrastructure,” “training,” “remediation,” “new compliance,” and “incident response.” Use whatever speaks to your management in the best way and describes to them what you’re really doing.
For “remediation,” for example, you might have a list of initiatives ranging from cleaning up your firewall rules to patching up servers, rewriting an application, or putting in a function that you never had before, such as monitoring web application traffic. If you want to get really fancy, you can add values to these that describe their contribution to the mitigation of your risk. Once you and your bosses agree that this is what you should be doing, THEN you can go look at what help you need—this may include consultants, software or fancy new boxen. But at this point, when you go shopping, you’ll know what functionality you need and can evaluate the market offerings based on that, not on product reviews from Geekworld Magazine.
After you’ve mapped out what functionality you need against the products you need to buy, THEN—and only then—should you haul out the Spear and Magic Quadrant to see if analysts think the vendor you picked is really All That or if you missed someone you really ought to look at.
The advantage to this approach is that when your bosses come along with a budget cut, you can lay out exactly which functions are not going to get done, or will be partially done, if all you’re left with are the warm bodies in their cubicles. You might be surprised—your heart might just go on.
Posted by shrdlu on Wednesday, December 10, 2008