This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budget). The 10% spending on cyber-security may seem surprising to some, especially when compared to an average 8% of IT spend in the commercial sector across North America and Europe. While many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) got less than a 5% increase, suggesting that they don’t have their priorities right or that we should fund federal agencies based on how well they score on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.
It is astounding, and in the words of Societe Generale's chairman and chief executive Daniel Bouton, “unbelievable” that a person could single-handedly circumvent the security of France’s second largest bank and cause so much damage. This event bears out what security professionals have been saying for years: focus on the insider threat. Mr. Kerviel cost the bank $7.2 billion by making huge unauthorized trades that he hid for months, allegedly by hacking into the bank’s computers and creating fraudulent transactions to cover his tracks. The combined trading positions he built up totaled some €50 billion, or $73 billion. While this level of exposure going unnoticed boggles the mind, none of it could have happened without a fundamental failure of information security controls.
Here are ten lessons for us security folks to pass on to our executive teams.
Many financial indicators are pointing to a looming global recession. This means that companies will be tightening their belts and drastically cutting down on their discretionary spending. What does this mean for the information security industry? And what can CISOs do to recession-proof their security programs?
It means leaner security organizations (yes, that means layoffs), significantly reduced spending on security consultants and contractors, and squeezing the most out of every buck spent on information security. It would also mean longer sales cycles for security vendors, with cost taking precedence over functionality. From a CISO’s perspective, it means more justification for security budgets, begging other parts of the business to fund security projects, and pushing existing vendors to provide more for the same dollars.