The Daily Incite - 10/16/08 - Tightening the Belt

Submitted by Mike Rothman on Thu, 2008-10-16 06:05.
Today's Daily Incite

October 16, 2008 - Volume 3, #83

Good Morning:
I guess we never learn. Given that this week a bunch of the tech world is in Orlando watching the Big G pontificate, it's also time to start considering budgets for CY 2009. The G thinks that mostly IT budgets will be flat, worst case down a couple of percentage points. And even better (for you and for me) is that security and compliance will trend flat to up a bit. I think I saw that Goldman echoed those sentiments about security spending as well. Let's hope they are right. What's wrong with this guy?

But let's remember that hope is not a strategy. Given this is budget season, you MUST do at least two versions of your plan. The first is the "hope" scenario. Let's say budgets are what you've been told, and you can maybe do the projects you think are important. Again, we hope this will be the situation that comes to pass.

But we can't guarantee that will be the case, especially as the true depth of the economic malaise starts to set in. So you also need to spend some time focused on a "Pragmatic" scenario. This is, if not the worst case, then a pretty sour one. How can you tighten the belt and optimize spend in 2009?

What projects absolutely, positively need to get done - or else you put the organization at serious risk? Those are the ones you still need to do, and those are the budget funds you need to fight for. As you all know, I'm not really a fan of trying to determine ROI for security, but you can certainly take a cost avoidance path.

My point is that we all need to fasten our seatbelts. Things are going to be a bit turbulent for a while. Smart companies invest in the right stuff during a downturn. Unfortunately not too many companies are smart. Thus, we need to do our contingency planning and figure out what projects we'll go to the wall to protect. If the project doesn't help you avoid costs, it's probably not going to fly. In a downturn, growth aspirations typically fall in favor of strategies to keep the lights on.

Have a great weekend. 

Photo: "Tim is Already Skinny, But He Wants a Super-Skinny Belly" originally uploaded by gut_squeezer



Incite 4U

Please be patient as I evolve the format of TDI to something that will work, given I can spend a lot less time on it during the week. Having a day job kind of puts a crimp on these fun, little hobbies. Today I'm going to try a hybrid format. Let me know if you think it sucks.

  1. It's all about getting leverage. One of the features in this month's Information Security Mag is how to focus compliance efforts so that you aren't doing the same thing 5 times. It's all about figuring out what controls can be mapped across the various regulations that are in play for each organization. Thus, as opposed to meandering through the day and playing whack-an-auditor (as opposed to whack-a-mole), you need to strategically take a look at your regulations and your control set and figure out what matches. And yes, there are tools that can help with this (shameless plug).
  2. Would somebody please give Rob Enderle a clue? Listen, like a certain Alaskan who is in the news all the time, I'm sure he's very good at his day job. But in talking about security, he's just out of his depth. He regurgitates an EMC/RSA report on botnets almost verbatim and feigns fear. Dude, this is a security person's life EVERY SINGLE DAY, not just when IBM or HP don't have anything important going on that day.
  3. What will happen to emerging markets in a downturn? Rich and Adrian ponder the future of database security in these dueling posts. As usual, companies that don't execute well (and execution includes not just solving the customer problem, but also building a company that delivers the solution to the market) will go away. The ones that do will remain. And it's not as simple as it sounds. Managing the burn rate is critical. I heard something about cash being king at some point. Well, it is. Clearly databases need to be secured, but we probably (as an industry) don't need 20+ companies trying to do it. So the economic downturn will separate the wheat from the chaff in a more brutal, Darwinian fashion than an up market. But the end result is always the same. Big is the New Small. It's just going to happen faster.
  4. Will eliminating administrator rights improve your security? Of course it will, but it's also hard to do. Dave Kearns examines some of the ramifications of this kind of least privilege philosophy and even points to a new ebook that focuses on it. Again, nothing is a panacea, but making sure the receptionist doesn't have admin rights to their machine is a start.
  5. Secure Computing learns how to spell SCADA, rolling out some control system-specific signatures for Sidewinder (can I use more alliteration, please). Now your friendly neighborhood power company can feel important too.
  6. Holy crap! Two years later Symantec figures it's time to actually integrate all the stuff they've bought over the past few years. It's a "work in progress" and they are calling it the "open collaborative architecture" and that sounds more like a hope than a strategy or a project. As in, they hope it will be open and they hope it will be collaborative. Maybe then customers will finally understand why all those deals were good for them.
  7. Following up on my rant about tightening the belt, let me point to a not so new post on BlogInfoSec from Warren Axelrod that has a few pointers on what to focus on in a crisis. It's mostly a 101 level class, and it's correct to focus on the blocking and tackling that tends to get neglected in an environment where things are moving very quickly on a lot of fronts.
  8. Speaking of blocking and tackling, RSnake addresses the issue of what really will kill you. I guess we need to do a little planning to make sure a crane doesn't fall on our heads, but in reality it will be a lifetime of not taking care of yourself that usually does you in. Let's hope that's not for a while, but all the same, it's the "mundane" that is usually responsible for the big breaches. Grumpy Pete takes a bit of issue with RSnake's position, and my belief is that the truth is in the middle. I certainly come across people who worry far too much about the edge cases. Yet I also see a lot of folks who don't even understand the simple stuff, so there is no way they are going to get there. And the reality is that it doesn't really matter what gets you; we're all dead in the end.
