Increased security budgets are usually a sign that senior management and budgeters agree that security issues deserve a higher priority. But this raises the question: for what security programs are these funds actually intended? It is difficult to tell from aggregate budget numbers how these increases are being applied or what impact they will consequently have on federal information security systems.
As noted, the DOT alone accounted for the lion’s share of this year’s increases, but that increase is not in any way explicitly related to the relative security posture of DOT’s IT environment. It takes a search through the esoterica of DOT’s budget line items to identify which security priorities are being addressed, and at a glance they do not appear to be related to current federal ISS mandates, such as FISMA or HSPD-12.
Partly to address this problem, a new Line of Business (LOB) was added to the federal IT budget last year: the Information Systems Security LOB. But OMB itself has yet to work out how to identify systems security spending in the departments that should be allocated to the ISS LOB, so it is still too early to try and assess federal security spending and security posture improvements. But one hopes the OMB’s establishing the ISS LOB portends more coherent budgeting of security investments in the future.
This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budget). The 10% spending on cyber-security may seem surprising to some, especially when compared to an average 8% of IT spend in the commercial sector across North America and Europe. While many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) had less than a 5% increase, and has concluded that they don’t have their priorities right or that we should fund federal agencies based on how well they do on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.
I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so.
There was a great article in the Economist about a conference for the American Securitization Forum - the wonderful people that brought us all these complex debt products that are giving banks no end of bellyache. Ironically the conference was held in Las Vegas, and a wonderful quote came from hedge fund manager John Devaney, who said "I'd like to thank the market for dealing me a direct hit. As a trader if you don't get sucker-punched every once in a while, you don't understand what risk is."
Also, there were a few good articles last week about how money managers had retreated from the market because they'd lost faith in the ability to model risk effectively.
If only it were so easy for information risk professionals, who often protect far more than just money - we protect innovation, national security, and even human life in some cases. It's not quite so easy for us to take a direct hit.
It has been a busy few weeks of news for whistleblowers. Earlier this month, former Merck sales manager H. Dean Steinke was awarded $68 million of the roughly $400 million recovered by states and federal agencies when the company settled a lawsuit he brought against it seven years ago. (This was part of a larger $671 million Merck paid to settle complaints of overcharging government health plans and offering inappropriate incentives to doctors to prescribe its products.)
While a number of whistleblowers have been lauded by the press over the years, Steinke’s $68 million presents the possibility of more tangible incentives to those aspiring to expose corporate crimes. Other recent, related news includes:
- Court extends SOX whistleblower protection. Last week, a US District Court judge in New York found that whistleblower protection under the Sarbanes-Oxley Act applies to employees outside the United States, helping empower virtual armies of international employees that may have something to report.
It is astounding, and in the words of Societe Generale's chairman and chief executive, Daniel Bouton, “unbelievable” that a person could single-handedly circumvent the security of France’s second largest bank to cause so much damage. This event brings home what security professionals have been saying for years – focus on the insider threat. Mr. Kerviel cost the bank $7.2 billion by making huge unauthorized trades that he hid for months by allegedly hacking into the bank's computers and creating fraudulent transactions to cover his tracks. The combined trading positions he built up totaled some €50 billion, or $73 billion. While this level of exposure going unnoticed boggles the mind, none of it could have happened without a fundamental failure of information security controls.
Here are ten lessons for us security folks to pass on to our executive teams.
OK, for argument’s sake let's suppose we’re in a recession. What does that really mean for us security folks?
To answer that question, let’s turn the question on its head. What did security spending look like when times were pretty good? Say from early 2005 to 2007 for example - did we see an upturn in spending? Our research found that security spending was flat or declining as a proportion of overall IT spending during that period. So then why, when the economy goes south would we spend less on security?
The vast majority of organizations spend money to counter threats and incidents that they’re seeing, and to comply with governmental and contractual requirements. Neither of these two factors is hugely dependent on economic cycles.
Many financial indicators are pointing to a looming global recession. This means that companies will be tightening their belts and drastically cutting down on their discretionary spending. What does this mean for the information security industry? And what can CISOs do to recession-proof their security programs?
This means leaner security organizations (yes, that means layoffs), significantly reduced spending on security consultants and contractors, and squeezing the most out of every buck that is spent on information security. It would also mean longer sales cycles for security vendors, with cost taking precedence over functionality. From a CISO perspective, it means more justification for security budgets, begging other parts of the business to fund security projects, and pushing existing vendors to provide more for the same amount of dollars.
It’s official: the future of information management and infrastructure is software as a service (SaaS). Today, Dell announced its intent to acquire the powerhouse in email continuity and archiving, MessageOne. This acquisition will give Dell the cornerstone it needs to build out its own suite of SaaS offerings. Dell clearly didn’t want to be left out of the race as it watched Iron Mountain successfully building out its SaaS offerings and watched its competitors and partners complete significant acquisitions in the market, including Seagate Services’ acquisition of EVault, EMC’s acquisition of Mozy and IBM’s recent acquisition of Arsenal Digital Solutions. Then there’s Symantec, which is building out its Symantec Protection Network.
With Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation, we may actually feel that something in federated access management is going to change. This is finally not a case of a vendor proposing a new standard – and adding to the cacophony of federation standards – but a set of moves towards a simple technology that today can alleviate password management woes at service providers.
Technology aside, OpenID will greatly help with reducing and removing the legal obstacles in the way of identity federation’s proliferation. When a payment-grade, commercial, and trusted identity provider service becomes a reality – VeriSign’s joining the OpenID camp clearly points in that direction – and software-as-a-service companies (like salesforce.com) accept OpenID authentication from these trusted identity providers, then enterprises can truly start thinking about outsourcing their password management and identity management processes. When required, strong authentication integration with OpenID can rely on VeriSign’s VIP or other vendors’ strong authentication acceptance networks.