
Shrinking Budgets Tie Hands of Security Pros

CmdrTaco posted more than 5 years ago | from the plastic-handcuffs-for-everyone dept.

Security 63

An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."


63 comments


first post! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28836183)

ladies, get your pussies ready!!!

We could start... (0)

Anonymous Coward | more than 5 years ago | (#28836207)

We could start by removing the damn RSA servers from our budget for one thing!

But seriously now, it looks like I will have to cut in half my order of bullets for the double miniguns we have mounted outside our office building.

Re:We could start... (0)

Anonymous Coward | more than 5 years ago | (#28837231)

Times are hard. My company has had to forgo ammo altogether in favour of laser based weapons.

Jews... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28836223)

I think you know where this is going.

So, we want to do what's needed, but (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28836269)

What do we do ?

Budget has always been a problem (5, Insightful)

walmass (67905) | more than 5 years ago | (#28836311)

The survey is reporting something that every single security professional who has managed a budget has known for a long time, even before the recession (except maybe the period around Y2K).

The sad truth is, at most companies management sees security as an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice of keeping the servers functioning or users getting phished, the CIO opts for the more pressing need. (At 99% of the places, the security function reports to the CIO or CTO, but that is for another bitching session.)

Then of course something goes wrong, and the security person gets yelled at because s/he did not do his job. So then the coffers open, and the company spends a ton of money on something that could have been fixed for less at the right time (TJX breach).

The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (Point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.

And always keep your resume updated :-)

Re:Budget has always been a problem (2, Funny)

Kurusuki (1049294) | more than 5 years ago | (#28836711)

This is probably the best bit of advice I've seen on /. in a long while. This one is going in my jewels of advice binder. Now the real question, nano or vi.

Security professionals are like managers (0)

Anonymous Coward | more than 5 years ago | (#28836899)

But well, if the scenes you described do happen, the security professional wasn't good enough at what he does.

The job isn't only to find out what the security risks are. He needs to analyze them: how likely the risk is, how expensive it is to fix, what is the worst thing that happens if it doesn't get fixed. If those analyses are accurate and important and the expert has any authority, he should be able to convince any management to look into the matter or at least make an educated decision not to fix it.

If a teacher says that the children just won't understand something, in most cases there is some fault in the teacher and her methods too. If a security expert says that the manager just doesn't understand something, there is usually some fault in the expert too. It is his job to make sure that the manager understands the subject and he can do it if he is given any credibility. If he isn't, he either has already messed up or the company never cared about the subject in the first place.

I'm not saying that the problem is always in the expert. But experts (=people whose responsibility is to explain something to people who don't understand it) often go to the "They just don't listen/understand" very easily.

It is not the expert's job to understand something. Nobody else benefits from that knowledge. His job is to make sure others understand the issue.

Re:Security professionals are like managers (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28837069)

There is a great imbalance of power between a security person and the bean counters, and a fundamental difference in attitude to security.

First, you are assuming that the security pro actually gets an opportunity to explain the risks. You'd be surprised how rare that is.

Next: if you do a great job and nothing happens, management actually starts wondering why a security person or department is needed. Lastly, and most importantly as the grand-parent pointed out:
- the dollars are finite.
- if there is an order to cut budget, do you think it will be [a] lay off the windows guy, or [b] lay off the security guy and have the windows guy do some of the security work?

If you pick [a], you don't know how security is viewed by management.

Re:Security professionals are like managers (2, Insightful)

PitaBred (632671) | more than 5 years ago | (#28838919)

That old adage is eternally true... "the squeaky wheel gets the grease". The Windows guy that fixes stuff is seen as more valuable than the guy who prevents those things from going wrong in the first place. It's simply a human weakness. Reaction is observable, prevention isn't.

Re:Security professionals are like managers (1)

Haley's Comet (897242) | more than 5 years ago | (#28848317)

That old adage is eternally true... "the squeaky wheel gets the grease". The Windows guy that fixes stuff is seen as more valuable than the guy who prevents those things from going wrong in the first place. It's simply a human weakness. Reaction is observable, prevention isn't.

You should be modded +20 insightful. I work for a living (well below my education) building pools (I love it, actually).

A friend and I run a server together part time. He is a good problem solver, while I am good at avoiding them. I do more work on the server because I read various security related websites and blogs (/. [LOL!!!] cDc, governmentsecurity.org et al... Sorry, my bookmarks are on my work PC). My work on the server is done through a "test box" and then applied after. All my friend's work is done on the real box. Guess who is more "revered" by MGT? Not me, the guy who prevents 10,000 attacks a month - the guy that fixes one is god there. The reason that they don't fire me is that they see me as extremely helpful to my friend by reading logs, etc.

Here's the clincher, I got him his job. I taught him what he knows.

Re:Security professionals are like managers (1)

DarkOx (621550) | more than 5 years ago | (#28839791)

Sometimes they don't want to understand and they don't want to know. They are not negligent if they did not know, they have insurance against theft. Lots of businesses might be happier locking the door with a deficient (but not terribly so) lock and figuring on filing an insurance claim if something ever happens than spending $$$ to build the uncrackable system.

When the insurance industry starts doing IT security audits and adjusting rates accordingly, you will see management change their minds on security spending.

Security done right can also make life easier... (0)

Anonymous Coward | more than 5 years ago | (#28837205)

cheaper and faster.

Single signon.
Automated OS updates.
Proxied web access.
Centralised system logging.
Sync'd backups.

All make life easier for users and administrators.

So often though, security just seems to get in the way.
 

Re:Budget has always been a problem (1)

shentino (1139071) | more than 5 years ago | (#28847379)

You have a point about the resume.

When tensions get high, setting the IT guys up for a termination justifying failure goes a long way to keeping the budget trimmed of any severance obligations.

Re:Budget has always been a problem (2, Insightful)

SlashWombat (1227578) | more than 5 years ago | (#28849149)

This is also known as "the true cost of using Microsoft Products".

And then there will be a price to pay. (4, Interesting)

Z00L00K (682162) | more than 5 years ago | (#28836397)

When the budget cut has gone far enough to strip down all security, certificates expire, competence leaves the ship and nobody really knows how it works anymore. Then the cybercriminals enter the systems and use them for their purposes.

And management sits there looking completely confused because they have cut down on the people knowing how to do security.

It is especially bad if it's a system that handles large amounts of economic transactions and stores credit card and personal information about a lot of people.

Re:And then there will be a price to pay. (5, Interesting)

Hammer (14284) | more than 5 years ago | (#28836621)

And all of this is because IT never seems to be able to make management understand :
1) Security is not a cost but an insurance.
2) PHB's will never adhere to simple guidelines as to what is safe.
3) The bad guys are out there

Re:And then there will be a price to pay. (0)

Anonymous Coward | more than 5 years ago | (#28841663)

I framed the question in a form of something they can understand.

1. Do you pay for the security alarm system for the building?
2. Do you pay business insurance?

InfoSec is the same thing. Its job is to mitigate risk so you are not the water cooler talk of the country. You are not THAT company that just lost 150,000 social security numbers or your accounting/HR database/insurance information.

Re:And then there will be a price to pay. (1)

Haley's Comet (897242) | more than 5 years ago | (#28848353)

And all of this is because IT never seems to be able to make management understand no matter how hard they try or what tactics they take:

There, fixed that for ya!

IT Budgets == Bloated (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28836419)

People always seem to think Security is something you can BUY. You can't really 'purchase' security, all you can do is implement policies, and select tools to assist in creating and implementing those policies.

Most of these tools are free [as in beer AND speech].

One can create a secure organization with very little money.

There are a lot of unnecessary IT "expenses", like the latest BS convention, e.g. VoiceCon, InterOP, etc. Trim the fat from IT, and people will see what can be done for very little money.

Re:IT Budgets == Bloated (2, Interesting)

Seth Kriticos (1227934) | more than 5 years ago | (#28836591)

So you want to tell me that the security consultant/operator who tells you how to implement which security policies, configures firewalls/access control and then trains the staff - can be cut and you get the same for free out of thin air? How exactly do you want to accomplish that one, please share your wisdom!?

Sure, there are BS expenses, but that's a question of getting the right person to do the job.

Re:IT Budgets == Bloated (1)

SCHecklerX (229973) | more than 5 years ago | (#28836697)

EXACTLY. You captured this better than my post below. Thanks! Security isn't a bunch of products, but nobody gets that. In shops lucky enough to have skilled security folk, the security team still buys stuff, because it is mandated by management, not because it is a good solution. In places without the skills, well, you spend money because you are too stupid to know any better. Lose/lose situation.

Re:IT Budgets == Bloated (2, Insightful)

mlts (1038732) | more than 5 years ago | (#28838051)

The trick is finding a security professional who knows this, and is able to find the security tools that turn the company's policy, their security needs, and budget into implementable technology. A company can buy every single product sold in SC Magazine and the CISSP magazines. It won't do them much good because even the best security product will not give much protection if not implemented right.

For example, take a high grade HSM (hardware security module). If the admins of it allow everyone and their brother access to the signing key stored on it, or had the key flagged to be exported in an insecure manner, the security that the device provides is minimal.

Communication is key here. The reason why a security professional is a professional is that they have to have the knowledge to take what the client needs, their budget, the regulations the client is operating under, and the contracts of the client's customers and vendors. He or she needs to take that information and do two things: buy the equipment, and configure it correctly. It's not just knowing all the technical stuff, but knowing how the company functions to put in a complete system that impacts productivity as minimally as possible, yet provides protection against both known threats and unknown threats (zero days, unexpected threat vectors like compromised printers, etc.)

If there is a limited budget, a security pro has to get with the corporate officers and figure out where most likely attacks will come from. For example, a nontechnical call center has a high threat of physical theft of equipment, so they would be going with physical security, CCTV, enterprise systems to detect case intrusion events, and perhaps some form of encryption on all machines so if a machine or hard disk is stolen, licensed software and CD keys are protected. A credit card processor would be more concerned about network and perhaps social engineering attacks (although physical is still a concern).

Re:IT Budgets == Bloated (1)

Darkness404 (1287218) | more than 5 years ago | (#28836793)

The problem is that you need to keep spending in IT to have enough money to run IT. Generally they cut the budget on you when you don't spend much, so IT people are forced to upgrade hardware when it really doesn't need upgrading in order to have enough cash to spend when you really need to upgrade (server breaks, get a new system that requires new hardware, etc.). That, along with management's love for conferences thinking they will "inspire", leads to a bloated IT budget with no real way to cut it without losing valuable funds. Some years you may not have to upgrade a single desktop, other years you replace every single computer in the building. But if you don't spend during the non-upgrading year you won't get the funds needed for a smooth transition.

Re:IT Budgets == Bloated (1)

kent_eh (543303) | more than 5 years ago | (#28837077)

Trim the fat from IT, and people will see what can be done for very little money.

Unless you trim so much that the people who know what they are doing also get trimmed.

Can't budget for human stupidity (4, Informative)

oahazmatt (868057) | more than 5 years ago | (#28836437)

We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords and annoying pop-ups caused by blocking Active-X components, we still get several people throughout the week who report virus infections on their work PCs.

We have people who install Firefox to get around the IE settings so they can visit sites that they know are not permitted. We have people who browse torrent sites and adult sites and are "shocked" when we show them the links in the history. We've had people who blatantly admit "Yeah, I let my kids play on my company issued PC and they find ways around that stuff."

Maybe that's why the security budgets get cut. You can only secure so much until you secure it by locking out the user entirely.

Re:Can't budget for human stupidity (1, Informative)

Anonymous Coward | more than 5 years ago | (#28836553)

This is retarded. Why don't they just whitelist the applications, ActiveX controls, etc. that you are allowed to run. Then they don't need to worry about users (or websites) installing random bits of software. Windows has supported this for a decade.
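The whitelisting the comment above proposes, as an added example that is not code from the thread: generate an AppLocker policy from a clean reference build, apply it in audit mode, and review what enforcement would have blocked before switching it on. AppLocker is the successor to the Software Restriction Policies the commenter is alluding to (Windows 7 Enterprise / Server 2008 R2 and later). The reference directories, the policy file path and the sample download path are assumptions.

```powershell
# Added example: build an AppLocker whitelist from a clean reference machine,
# apply it in audit mode, and review what it would have blocked. Run elevated.
# Reference directories and the policy file path are assumptions.

$PolicyFile = 'C:\AppLocker\baseline.xml'
$RefDirs    = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null

# 1. Inventory what is legitimately installed: publisher, hash and path per file.
$files = foreach ($d in $RefDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Publisher rules survive vendor updates; unsigned files fall back to hash rules.
#    -Optimize collapses files from the same signer into one rule.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
           -Optimize -IgnoreMissingFileInformation -Xml

# 3. New-AppLockerPolicy emits EnforcementMode="NotConfigured"; start in AuditOnly
#    so nothing breaks while the policy is tuned.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8

# 4. AppLocker is inert unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile        # local machine; use -Ldap to target a GPO

# 5. Dry-run a file against the policy without executing it.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path "$env:USERPROFILE\Downloads\setup.exe" -User Everyone

# 6. After a week in audit mode, event 8003 lists what enforcement would have stopped.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Once the 8003 events are down to genuine exceptions, change AuditOnly to Enabled in the XML and re-apply. The generated policy deliberately has no "Administrators may run anything" exemption, but a local admin can still stop the service, which is why taking users out of the local Administrators group comes before whitelisting.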

Re:Can't budget for human stupidity (4, Insightful)

Lord_Frederick (642312) | more than 5 years ago | (#28836681)

If the grandparent's organization is anything like mine, the issue isn't the lack of technical solutions for locking down computers. It's the unwillingness of managers to put their neck on the line and sign off on suggestions like this.

Re:Can't budget for human stupidity (2, Insightful)

Rob Riggs (6418) | more than 5 years ago | (#28837825)

No, it's because everyone else recognizes that the risk is that you end up using the same applications and web sites for a decade. People have to be able to try new stuff. It's a far greater risk to the organization to stagnate. You'll end up with people that are perfectly happy using decades-old software and visiting only internal web sites.

Companies need their employees to take on the risk of trying new applications and web sites without constantly asking for permission. It's a big driver of growth and advancement. For that they are willing to expose themselves to some small risk.

Re:Can't budget for human stupidity (1)

Lord_Frederick (642312) | more than 5 years ago | (#28839841)

I don't think implementing a few basic security practices are going to cause idea stagnation, yet best practices are constantly shot down in favor of sexy monitoring software. I guess it makes sense for a manager. What you would rather put on your resume?

"Implemented 2 million dollar intrusion detection and anti-malware enterprise software solution with staff of security engineers monitoring network traffic 24/7"
OR
"Took the damn users out of the local administrators group."

Re:Can't budget for human stupidity (1)

morgan_greywolf (835522) | more than 5 years ago | (#28836767)

On top of boot-level encryption

A requirement for laptops.

mandatory anti-virus software,

Why not? I wouldn't recommend running any Windows machine without anti-virus software.

various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do

Hmmmm? Like?

we still get several people throughout the week who report virus infections on their work PCs.

Are you surprised? Why?

Re:Can't budget for human stupidity (2, Informative)

MrLogic17 (233498) | more than 5 years ago | (#28837057)

I have mod points, but had to chime in.

This is VERY easy to solve. Don't let your users have admin level accounts. Done.
You will never see virus/malware installs - because even if users do open up that strangely named attachment, their account doesn't have permissions to install. Ditto for the manager's kids.

Solves a lot of support headaches too. The only software they have is software that you've tested, approved, and installed yourself (via the software deployment method of your choice).

Again, this is all dependent on getting manager buy-in. Once you do, life gets very easy.
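The step MrLogic17 describes, as an added example that is not code from the thread: audit the local Administrators group against an agreed allow-list and remove everything else. It uses the built-in LocalAccounts module (Windows 10 / Server 2016 and later); the CORP domain and the group names are assumptions. On a domain the same result is enforced centrally with Group Policy Restricted Groups; this script is the audit and clean-up pass for machines that have drifted.

```powershell
# Added example: trim local Administrators to an agreed allow-list. Run elevated.
# Domain and group names below are assumptions for illustration.

$AllowList = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account: disable it, but leave it a member
    'CORP\Domain Admins',
    'CORP\Workstation Admins'             # the helpdesk group that actually needs the rights
)

function Get-UnexpectedLocalAdmin {
    param([string[]] $Allowed)
    # Note: on machines with orphaned SIDs in the group (deleted domain accounts)
    # this cmdlet can fail outright; "net localgroup Administrators" still lists them.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name }
}

function Remove-UnexpectedLocalAdmin {
    param([string[]] $Allowed, [switch] $WhatIf)
    foreach ($m in Get-UnexpectedLocalAdmin -Allowed $Allowed) {
        Write-Output "Removing $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource)) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:$WhatIf
    }
}

# Report first; drop -WhatIf only after the list has been signed off by the manager
# who owns the machines, so the removal is their decision on paper, not yours.
Get-UnexpectedLocalAdmin -Allowed $AllowList | Format-Table Name, ObjectClass, PrincipalSource
Remove-UnexpectedLocalAdmin -Allowed $AllowList -WhatIf
```

Users who genuinely need to install software get a separate, audited admin account rather than admin rights on the login they read mail with; the day-to-day account is the one that opens the strangely named attachment.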

Re:Can't budget for human stupidity (1)

Volante3192 (953645) | more than 5 years ago | (#28837875)

Again, this is all dependedent on getting manager buy-in.

And therein lies the rub. When the managers want the ability to install their own stuff and have the ability to override any policy I want...

Well, let's just say I'm not surprised that their systems tend to be some of the ugliest ones I have to deal with.

Re:Can't budget for human stupidity (0)

Anonymous Coward | more than 5 years ago | (#28839853)

That only works for spyware that requires admin access.
If you have some IE exploit which is able to load an executable file which runs with user privileges, the user can still have HIS data stolen. And since users tend to have access to work-related stuff on the network, this too can get stolen. You can even add an autostart entry for this user with his rights. And let's be honest, most people will not even recognize it. I've made a mistake with a group policy that would try to map a network share to a drive letter which had already been assigned to another share. It affected around twenty users, and they got an error message once they logged in. I got the first complaint about the error three weeks after putting the policy in place.
Recap: people are stupid, and people don't care. You can whip them as much as you want.

Re:Can't budget for human stupidity (3, Insightful)

Hammer (14284) | more than 5 years ago | (#28837127)

Paranoid and smart? Or just paranoid?

Many IT departments implement mandatory password changes and antivirus.
Also common are various filter programs.

Automated PW changes are actually counterproductive according to several studies, as they make the selected passwords more predictable. Better to educate users as to what is a good PW.

Antivirus is a good thing and should be in place if you use Windows.

Filters DO NOT WORK. At least not as intended.

The only thing that works in the long run is education. And harsh punishment :-)

Re:Can't budget for human stupidity (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28837787)

I'm sorry but switching browsers does NOT suddenly allow you to circumvent your proxy server. So no, users are not using Firefox to "visit sites" that they couldn't using IE. That's not what browsers do. This is technology 101. This sounds like someone who doesn't know what they were talking about, posting something they 'heard' from another end user.

Re:Can't budget for human stupidity (0)

Anonymous Coward | more than 5 years ago | (#28843055)

Exactly. Unless the admins have done something seriously daft, like enforce proxy settings in GPO, but not bother to stop outbound non-proxy Internet access.

We use GPOs to set IE proxy settings, but we also stop any Internet access that is not via the proxy. That way, when users install FF/Chrome/Opera, it will not work until they set the proxy settings correctly. And then we get logs/filtering/extra A/V layer, etc.

Re:Can't budget for human stupidity (1)

jp10558 (748604) | more than 5 years ago | (#28866391)

Well, not true. If you have a firewall rule blocking outgoing traffic except via the proxy server then sure, but if you just have IE via Group Policy using the proxy server, then any browser directly connecting to the internet will bypass that... And it IS what browsers do...
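What the two comments above describe, as an added example that is not from the thread: a host firewall policy in which the proxy is the only way out, so a browser that ignores the IE proxy setting fails to connect rather than bypassing the filter. The cmdlets are from the NetSecurity module (Windows 8 / Server 2012 and later); the proxy address, port and internal ranges are assumptions. The same rule belongs on the perimeter firewall; the host rules are defence in depth and are best pushed by GPO rather than run on each machine.

```powershell
# Added example: proxy-only egress on the host. Addresses and ports are assumptions.
$ProxyHost    = '10.0.0.25'
$ProxyPort    = 3128
$InternalNets = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
$Profiles     = 'Domain', 'Private'

function Set-ProxyOnlyEgress {
    # Keep internal services reachable: DNS, AD, file shares, the patch server and the proxy.
    New-NetFirewallRule -DisplayName 'Egress: internal networks' -Direction Outbound `
        -RemoteAddress $InternalNets -Action Allow -Profile $Profiles | Out-Null

    # The proxy path is stated explicitly so it survives a later tightening of the internal rule.
    New-NetFirewallRule -DisplayName 'Egress: web proxy' -Direction Outbound -Protocol TCP `
        -RemoteAddress $ProxyHost -RemotePort $ProxyPort -Action Allow -Profile $Profiles | Out-Null

    # Everything not matched above is dropped, and blocked packets are logged so the
    # applications that need their own exception show up in pfirewall.log.
    Set-NetFirewallProfile -Profile $Profiles -DefaultOutboundAction Block -LogBlocked True
}

function Test-DirectEgress {
    # $true means a browser could still reach the Internet without the proxy.
    $r = Test-NetConnection -ComputerName 'example.com' -Port 443 -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

Set-ProxyOnlyEgress
if (Test-DirectEgress) { Write-Warning 'Direct egress still possible; check rule scope and profile.' }
else                   { Write-Output  'Direct egress blocked; only the proxy path remains.' }
```

Anything that legitimately needs direct outbound access (Windows Update without an internal WSUS, a VPN client, external NTP) either goes through the proxy or gets its own named allow rule; the blocked-packet log is how you find those before the helpdesk does. Laptops on the Public profile are a separate policy decision.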

Re:Can't budget for human stupidity (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28838629)

Boot level encryption, antivirus software, and "agents" are in themselves not bad. However, misconfigured they can become a nuisance to employees and kill productivity.

Boot level encryption is a must for laptops these days. No company wants to have a front page headline of "unsecured laptop stolen, thieves grab $BIGNUM of users' personal data and put it for sale on the black market." Get a laptop with a TPM chip, and boot level encryption doesn't even have to ask for a passphrase, as PGP, BitLocker, and a number of other FDE programs support that functionality. Even on desktops, it provides mitigation against data theft by people filching machines or yanking hard disks.

Antivirus software is also a must. Even if it detects nothing, its mere presence on machines fulfills a lot of contract obligations.

Finally "agents" can be used for a number of things. In a large company, most PCs need to have some type of software like this for audit trails and intrusion detection. One can even use some programs like LoJack to ensure that data is remotely wiped if a machine is stolen.
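The TPM-backed boot the comment above mentions, as an added example that is not from the thread, using the BitLocker module (Windows 8 / Server 2012 and later): the recovery password is created and escrowed to Active Directory before encryption starts, then the TPM protector is added so the machine boots without a prompt. The mount point and the encryption method are assumptions, and recovery-key backup to AD has to be permitted by Group Policy. One caveat the comment skips: with a TPM-only protector, whoever has the powered-on laptop gets as far as the logon screen, so for higher-value machines add a PIN (-TpmAndPinProtector) and make sure DMA-capable ports are protected.

```powershell
# Added example: enable BitLocker with a TPM protector and an AD-escrowed recovery password.
# Run elevated on a domain-joined machine. Mount point and cipher are assumptions.

function Enable-TpmBitLocker {
    param([string] $MountPoint = 'C:')

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME; initialise it in firmware first."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        return "Already protected: $($vol.VolumeStatus), $($vol.ProtectionStatus)"
    }

    # 1. Recovery password first, and escrowed, so a board swap or a cleared TPM
    #    is an inconvenience rather than data loss.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # 2. TPM protector: the volume key is released only when the measured boot chain
    #    matches, so a disk pulled from this machine is useless and normal boot is promptless.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
            @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

Enable-TpmBitLocker -MountPoint 'C:'
```

Verify the escrow worked (the msFVE-RecoveryInformation object under the computer account in AD) before you rely on it; a recovery password that was never backed up is the support call you cannot answer.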

Re:Can't budget for human stupidity (0)

Anonymous Coward | more than 5 years ago | (#28839189)

We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords and annoying pop-ups caused by blocking Active-X components, we still get several people throughout the week who report virus infections on their work PCs.

Stop letting people run Windows with Administrator rights. You do that and your infection rate will go down, guaranteed.

bullshit (3, Insightful)

SCHecklerX (229973) | more than 5 years ago | (#28836519)

It's just that companies would rather buy something than use their highly-skilled security staff. Or maybe their security staff isn't so skilled, and that's why they require the expense of ridiculously expensive canned security software, vs. designing an infrastructure that makes sense and using the best of breed tools for the job mixing open source, in-house, and commercial stuff.

Re:bullshit (1)

mlts (1038732) | more than 5 years ago | (#28840587)

Part of the reason for this is that PHBs are more easily swayed by a smooth talking salesman selling a shiny new appliance that looks good in a rack, as opposed to a desperate IT manager who needs more headcount for admins.

Another reason is that employers in general are averse to hiring people right now. If some security appliance costs $200,000, it is a lot more attractive to the people with the purse strings than a $50,000/year admin. Mainly because of the philosophy of "machines don't get disgruntled" that some business schools teach.

simple things can be done... (2, Informative)

Raleel (30913) | more than 5 years ago | (#28836565)

I have seen a lot of places that insist on buying a "solution" to the problem, when in fact the solution barely touches the problem. It works around a lot of things, but never really hits right on it. So you've spent a lot of money on something that doesn't really do the job of a person in that role.

The funny part about security is that for all its sex appeal, real security is actually pretty boring. Oh the hotness of configuration management using tools that are already available on the windows or linux box. How your endorphins get moving at the sight of a patched on patch day. Or the sheer porn of being able to look at your log files and know that all is good.

We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, and controlling which software you allow, and strong authentication enforcement. This doesn't have to cost a lot of money.

Re:simple things can be done... (4, Insightful)

karnal (22275) | more than 5 years ago | (#28836693)

We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, and controlling which software you allow, and strong authentication enforcement. This doesn't have to cost a lot of money.

Actually, doing all of these things does cost money - you need to have someone hired on that can do all of these things, and you have to pay them a salary.

In the long term, it's not a lot of money. But short term thinking appears to be taking over in this economy. Especially if there's no immediate threat deemed by Management in not having basic safeguards in place.

It's always been about short term thinking (1)

hellfire (86129) | more than 5 years ago | (#28837287)

At least it has been for several decades. The current economy has just made that worse. People are worried that if you have a bad quarter your stock will go in the toilet and kill your company. However, the flip side is getting earnings as best as possible from quarter to quarter, without regard to the fact that if you invest a little more now, you might get a huge windfall 3 years from now.

Security for companies is the same as security for that poor family in the inner city. It would be nice to have a security system to protect them, but there is just no money to spend on it.

budget? (1)

girlintraining (1395911) | more than 5 years ago | (#28836589)

The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets.

A fat budget won't help you buy what you need to fix this problem: Smarter users.

Re:budget? (2, Insightful)

brindleboar (1154019) | more than 5 years ago | (#28836723)

I've been saying something like this for years -- if we could just get rid of those pesky humans, all of our systems would run flawlessly.

Re:budget? (3, Insightful)

Seth Kriticos (1227934) | more than 5 years ago | (#28836759)

Depends on how you see it. Users are dumb, so if you spend your money to train your staff and make them just a tiny bit smarter, then your investment is worth it.

On the other hand, if you search for a purely technical solution, you are bound to fail; there I agree with you.

Sadly management often does not have the foggiest idea on how to allocate resources in a smart way in this area, so I don't expect the situation to improve any-time soon.

Not much insight (1)

bbasgen (165297) | more than 5 years ago | (#28836647)

This article isn't particularly informative, especially in regards to areas where spending will be reduced. This isn't a very effective way to assess the state of security -- to do that it must be within the context of the industry/business, and preferably to IT in general. If budgets are generally being cut by 20%, then the fact that security is doing that is nothing special. Further, budget is only part of the picture: institutional priorities are also very important. How is the allocation of staff time changing? What kind of changes are going on in terms of institutional strategic planning?

Cheaper than the alternative . . . (5, Insightful)

grahamsaa (1287732) | more than 5 years ago | (#28836683)

I'm fortunate to manage an IT department at a company that values security. We do routine audits and pen test our own systems -- occasionally we find a hole, and we fill it. I've never been pressured to skimp on security.

Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) it takes much more time.

If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.

Heh (1)

X.25 (255792) | more than 5 years ago | (#28836969)

I wanted to get back to contracting and do some more security work, because I miss it.

I was stunned by the fact that so many companies are now not looking for professionals with low-level experience, like before, but rather for people who have experience in paperwork. ITIL, ISO xxxxx, bla, bla, bla.

It's as if people are not actually DOING security anymore, but are just writing and debating about it.

No wonder they have budget issues, when they don't know what they're doing, so they need to spend lots of money to cover it.

Deja vu.

Re:Heh (1)

mlts (1038732) | more than 5 years ago | (#28838811)

Thanks to Enron and other companies, and the knee-jerk regulations put into place after that like Sarbanes-Oxley, a security person has to be familiar with all these laws, like ISO 9000, ISO 10000, PCI-DSS.

Yes, you will be doing tons of TPM reports to ensure that the company is compliant, but if a company doesn't have the CYA papers, and something happens, there is a chance of people facing prison time, and shareholders suing.

It's just how the game has changed. Locksmiths used to forge custom locks out of metal, now they use existing technology to suit a customer's needs with master key lists.

Not just security pros... (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28836983)

In June of this year, my employers had a major business continuity scenario - an electrical fault with the UPS took out a lot of desktops, several servers and most of our network connectivity on one phase. This was at 6PM on a Friday. Not only is it incredibly hard to get your standard suppliers to ship any replacement gear for the following day on a weekend, it's incredibly hard to actually get to talk to anyone! Now, I only recently took over the infrastructure management role, and one of my first goals was to put into place a proper Business Continuity plan. We have alternative premises with a major continuity provider on contract, but we have no plan and our actual capacity requirement now far exceeds what it was when the original alternative premises arrangement was put in place.

When this event happened, we were in a very touch and go situation - we did not know if we could recover the business for opening on Monday. And we are extremely IT reliant!

To cut a long story short - through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue.

When that event happened, my BCM plan had been on the desks of the company leadership for a month. After that event, it got bumped up to the next board meeting. And at that board meeting, the entire plan was indefinitely postponed due to funding. No intermediate plan was asked for, no alternative. The plan had several different levels of expenditure to choose from, and they ignored all of them.

Barely one month after a 'can we continue to run the business' situation, the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.

I now have several interviews elsewhere. The sooner I can get out of here, the better.

Posted anonymously for obvious reasons.

Re:Not just security pros... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28840343)

I, too, feel your pain.

I used to work at a healthcare IT company. They had a legal requirement to have a Disaster Recovery Plan and a Business Continuity Plan, because if they were unavailable, it could impact the safety of tens of thousands of people. You know, life or death stuff.

They were also contractually obligated to have a few other odds and ends, such as security and privacy staff, centrally managed anti-virus, configuration control, change management, security training, incident response, etc, etc, etc.

Well, they don't. Lies and more lies, smoke and mirrors, and so forth. As a security professional, it just chills me to the bone. Why the government isn't auditing them and throwing the corporate officers into jail is a mystery.

My advice: No matter how much your medical practitioner argues about the benefits of going digital with your record, insist that a paper backup be made and available. It could very well save your life.

Likewise, posted anonymously for obvious reasons.

Re:Not just security pros... (1)

khchung (462899) | more than 5 years ago | (#28844671)

through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue. ...

the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.

(emphasis mine)

Did you realize you have just shown to your board that, through your own heroic efforts, they don't need your plan and can still recover from such failures!

Now, can you tell me why a sensible business person would want to spend more money on a contingency plan for a situation they know they can already recover from without spending a dime?

I've seen this cycle before (3, Interesting)

WheelDweller (108946) | more than 5 years ago | (#28837021)

No one has enough money in the budget for security, until a break-in nearly disables them. What are the chances? (Fire your security staff, and find out!)

Similarly, make copies of Windows to deploy on your business floor and ask "what are the chances?" and you'll find out. *I*didn't*call*, but a year or so after I left, I was told the company trying to get ME to pirate Microsoft Windows 98 got a visit from the BSA. And as you all know, they don't leave without a fire alarm being pulled or a $100,000 check.

When the budget thins, you cut extras; security isn't an extra. Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security.

Re:I've seen this cycle before (3, Insightful)

mlts (1038732) | more than 5 years ago | (#28840491)

In a recession, security is the last thing a business should cut.

The unemployment rate is high. This means that people who wouldn't think of things in normal times would turn to other means to supplement their income to keep a roof over their family's heads. So, someone who would normally give the finger to someone overseas asking for brief use of a username/password for $500 would happily give it in these times in order to keep the repo man away for another month.

More criminal organizations (domestic and overseas) realize there are profits to be made in capturing data from stolen laptops, for not just the hardware, but the data on the machine. The data can be sold, or used for blackmail or extortion.

Employees are more likely to be disgruntled due to layoffs and cutbacks. So, vandalism and outright internal theft are on the rise.

There are a lot more regulations than before that make companies face shareholder lawsuits and corporate officers face prison time should a major breach occur and a breach in process be found.

Software CD keys are worth money, and a divulged volume CD key can force a company to re-buy every single license of a product as per EULA stipulations.

Outside attacks are more and more sophisticated as time goes on. To use an auto analogy, car companies are not using the same disc cylinder used on autos in the 1950s; they have moved to sidewinder cuts and "laser cut" keys. Same with security. A company has to keep abreast of new threats as a matter of life, just as CCTV cameras and bump-resistant locks on the doors are now the standard.

What a LINE OF ABSOLUTE HORSESHIT... apk (0)

Anonymous Coward | more than 5 years ago | (#28841319)

"Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security." - by WheelDweller (108946) on Monday July 27, @10:38AM (#28837021)

You're trying to make it sound as if "Linux is the 'holy grail of security'", & it's not (because the link below shows, it is clearly, not - not how it is setup, by default, & Bert64, a user here, illustrated that plainly enough, because I used HIS results on Linux in fact, in said guide below)

So - that all "said & aside"? Well... no OS is perfectly "security-hardened", @ least "as is", from the oem & as they are shipped to BOTH typical "end users" OR corporate bodies... period!

(Which is WHY you all have to ask yourselves "Why has MS shipped the United States Military 'security-hardened' versions of its Windows OS', & not the rest of us?", because MS HAS, 2x now that I am aware of @ least, in 2004, & recently again, THIS YEAR...)

Want THAT kind of security on a Windows rig? It's doable, & QUITE EASILY, via a good tool that guides folks for it, via a checklist of "industry best practices", & 1 that makes it as simple as running a PC benchmark for performance gauging really, per this:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & yes, even VISTA (& its descendants), + make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=aeba48c4aeccd4a426f664b5db5574e8&showtopic=2662 [tcmagazine.com]

----

Results? Ok:

http://www.xtremepccentral.com/forums/showthread.php?s=b38271cfc7ef82deafc78e2e2ef23a0f&t=28430&page=3 [xtremepccentral.com]

----

"It's 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" THRONKA user @ xtremepccentral.com

----

All with MOSTLY "native tools" already in your OS', or web browsers (the MAIN 'disease vector', via javascript especially (THIS NEEDS REVISION THE MOST, where is that EMCA script already, in other words?))... &, some 'good practices' to adopt, on the part of end users, which CAN make ALL THE DIFFERENCE, period.

APK

P.S.=> No, there is NO EXCUSE for laziness - & budget conservation's just FINE, that is, until you are hit by a security breach, & then you face lawsuits galore, for negligence... think about THAT much, CIOs/CTO's... apk

Re:I've seen this cycle before (0)

Anonymous Coward | more than 5 years ago | (#28846363)

It is good you left before the BSA came, because having the BSA take down a company on someone's watch is really bad for the career. Next to security, it's not uncommon for companies to consider cutting costs by running unlicensed software. Of course, it just takes one disgruntled employee or ex-employee to send an anonymous tip to the BSA, and they will be finding every single unlicensed package, down to the unregistered copy of WinRAR on the laptops. If you turn the BSA guys away, they will be back in hours, but with the county constable and their request has become a legal motion of discovery.

Of course, they will be happy to settle... and the amount will be far, far higher than not just license compliance, but re-buying every single commercial licensed product a company has.

Oh, and they don't care at all about license keys or proofs of ownership. They want to see copies of invoices with the number of seats. Nothing else is going to work.

This, I know firsthand at one place I worked. Someone got fired (who IMHO deserved it). Next week the BSA was knocking on IT's door. Thankfully, there was an audit system in place so it was not difficult to show them the file full of invoices from CDW, and then the output on all boxes in the company of whatever was installed on the whole place. Not only did the BSA guys not have to make an offer the company couldn't refuse, but they actually apologized for wasting time. Proactively, it was a bit of work. I made sure to have a paper file, and even buy licenses for products that nobody in the business uses as part of daily use, but do appear on laptops (WinRAR, Nero, WinZIP, Alcohol 120%). However, not having to pay big bucks to the guys with the suits and evidence cases made it worth it.
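The audit record the poster describes has two halves: a per-machine listing of what is installed, and the invoices with seat counts. The following is an added example written for this page (not the poster's tooling or any real audit product) that reconciles the two: it counts the hosts each product is installed on and reports every product installed on more machines than were bought, so the gap can be closed before an outside auditor finds it. The inventory lines, product names and seat counts are constructed sample data, and per-device seat counting is an assumption; other license models need a different comparison.

```python
"""Reconcile a per-host software inventory against purchased seats.

Added example, not from the Slashdot thread. Assumes one seat per
installed device; hosts, products and seat counts are constructed.
"""
from collections import defaultdict

# Constructed sample inventory: one line per (host, product, version),
# the shape a per-machine installed-software listing would produce.
INVENTORY = """\
laptop-01 WinRAR 3.80
laptop-01 Nero 9
laptop-02 WinRAR 3.80
laptop-03 WinRAR 3.71
laptop-03 Alcohol 120% 1.9
desktop-07 WinZip 12
desktop-07 WinRAR 3.80
server-01 Nero 9
"""

# Constructed sample entitlements taken from the invoice file:
# product -> seats purchased. WinZip is deliberately absent so the
# "installed but never bought" case shows up in the findings.
ENTITLEMENTS = {
    "WinRAR": 2,
    "Nero": 2,
    "Alcohol 120%": 1,
}


def parse_inventory(text):
    """Return {product: set(hosts)} from 'host product version' lines.

    The first field is the host and the last is the version; product
    names may contain spaces, so everything in between is the product.
    A host with the same product installed twice still counts once.
    """
    installs = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line: ignore rather than guess
        host, product = parts[0], " ".join(parts[1:-1])
        installs[product].add(host)
    return installs


def reconcile(inventory_text, entitlements):
    """Return {product: (installed, licensed, shortfall)} for over-deployment.

    Only products with installed > licensed are reported; a product that
    appears on no invoice is treated as 0 licensed seats.
    """
    installs = parse_inventory(inventory_text)
    findings = {}
    for product, hosts in sorted(installs.items()):
        installed = len(hosts)
        licensed = entitlements.get(product, 0)
        if installed > licensed:
            findings[product] = (installed, licensed, installed - licensed)
    return findings


if __name__ == "__main__":
    for product, (inst, lic, short) in reconcile(INVENTORY, ENTITLEMENTS).items():
        print(f"{product}: installed on {inst} hosts, {lic} seats bought, "
              f"short by {short}")
```

Run as a script it lists the two shortfalls in the sample data (WinRAR over-deployed by two seats, WinZip installed with no purchase on file); the same function applied to a real inventory export and invoice ledger gives the list of seats to buy or installs to remove.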

Stupid Article (1)

sgt scrub (869860) | more than 5 years ago | (#28837843)

Everyone knows that computer security is provided by AntiBaddness software that magically cleans all badness from your computers. Money is much better spent on applications that look pretty.

Maybe ... (1)

Sun.Jedi (1280674) | more than 5 years ago | (#28839553)

Infosec has jumped the shark.

- There are too many nitwits in the community. So much money has been wasted on the posers.
- Premium capital for "the best protection" (which is still vulnerable) vs. moderate capital and common sense (which is still vulnerable). The latter wins in this economy.
- Don't play the TJX card, either... their stock went up, their customer numbers have risen; no one cares about that breach (or no one cares that's been LOUD enough). If the bottom line wasn't really affected that much over that breach and exposure, it's simple to understand why bean-counters moderate infosec purchases in the name of profit.
- the biggest problem is the users. And nothing infosec does will stop stupid people from being stupid.

It's difficult to counter the above perceptions, regardless if the perception is right or wrong. I don't think it will get much easier to counter those perceptions.

'Bout damn time (1)

nhytefall (1415959) | more than 5 years ago | (#28844435)

Sorry... but it is about damn time. Security has gotten this halo around it, where those of lackluster abilities are setting the directions of company business based on the model of "OMG, a Bear!", while those of us analysts that actually produce information and analytics crucial to the company's success are sitting in the unemployment line. Too often have I seen developmental work that would introduce efficiencies into the organization blocked by a security analyst who hasn't the first clue about the work I do. That, and too many of the folks I fired end-ran the non-compete and conflict of interest policies to get somewhere they won't get fired from, because they are "security".