5 WAYS TO SQUANDER YOUR INFORMATION SECURITY BUDGET
1) Buy security products based on vendor hype.
Most off-the-shelf security products are marketed as magic solutions to the latest security threats. The vendors would have you believe that all it takes to protect yourself from an array of menacing buzzwords is to buy their (expensive) appliance, plug it into your network, and never worry about it again. Problem solved! Unfortunately, things work out differently in practice. Some of these products are simply ineffective.
Others only address the easy parts of the problem, and leave the hard parts for you to solve. Vendor marketing materials typically don’t mention that their solutions only reach their full potential if you have a team of trained experts on hand to configure and run them. The likely outcome of an uninformed purchase is a security appliance that:
(a) Gathers dust in a storage room somewhere,
(b) Produces so much unintelligible output that everyone stops paying attention,
(c) Sits silently on the network providing nothing but a false sense of security.
2) Overspend on regulatory and standards compliance.
With information security requirements figuring prominently in many government standards and industry regulations, compliance has become an industry unto itself. Business is booming for auditors and certification bodies. Ticking off all the boxes on the compliance checklist can get awfully expensive. Yet, there is ample evidence that compliance does not equal security. It is entirely possible to have strong security practices and be non-compliant. It is also entirely possible to pass a compliance audit and have huge organizational security gaps. A rule worth keeping in mind is that the less you spend on the administrative aspects of compliance, the more you can spend on actually improving your security posture.
3) Pay too much for consultants who run simple vulnerability scans.
There are plenty of good reasons to hire consultants. Your internal staff may be too busy, may lack the specialized knowledge a certain project requires, or you may want an independent, objective assessment of your current state. In security, as in any highly specialized field, it can be difficult to tell whether you are getting your money's worth. For every reputable professional who delivers first-rate work at a fair price, there are a dozen charlatans. They will charge you thousands of dollars to run point-and-click network scanning tools and regurgitate the resulting output, without verifying that the findings are real (scanners report false positives routinely), without ranking them by how exploitable they actually are in your environment, and without explaining what any of it means to your business. Before signing, ask what the consultant will do beyond running the scanner: manual validation of findings, demonstration of actual exploitability, and remediation advice tailored to your systems are what separate an assessment from a scan. When the standard is set so low, you might as well have your own technical folks run the scanning tools themselves.
4) Conduct lots of risk assessments, but don’t do anything about the risks.
The easiest part of information security management is finding vulnerabilities and identifying potential security risks. The most difficult part is prioritizing those risks, getting effective remediation efforts underway and seeing them through to completion. Are you spending the majority of your time and money adding entries to an already unmanageable risk register? Do you feel like your ship is taking on water faster than you can bail it out? If so, then step off the hamster wheel of pain and focus on doing something about the risks you already know about: fix the highest-impact items first, and track each one to closure rather than to the next assessment.
5) Ignore the human side of security.
Nothing defines misguided security management better than a multi-million dollar implementation of a high-tech security measure that fails to acknowledge basic facts about human nature. As history shows time and again, people are inherently lazy, have an uncanny ability to work around any obstacle put in their path in the name of security, and are easily persuaded to do things they really shouldn't. Does your proposed authentication system with fool-proof encryption technology require untrained users to jump through hoops in order to get their work done? Chances are it won't help, no matter how long the encryption keys are: users will write the passphrase on a sticky note, share credentials, or find an unofficial path around the control entirely. Save yourself the money and embarrassment by opting for a less flashy approach that is more in tune with reality.
Author: Jacob Gajek, CISSP-ISSMP, Senior Information Security Analyst @ eSentire