Full Report
A recent report from Piper Jaffray found that 75% of companies expected to increase their IT security spending in 2015, following a year of high-profile hacks and data breaches in 2014.
Analysis Summary
# Best Practices: Optimizing IT Security Spending and Strategy
## Overview
These practices address how organizations can strategically allocate their IT security spending, focusing on high-impact, cost-effective measures such as employee education, policy tightening, risk assessment, and judicious software selection, rather than engaging in panic buying.
## Key Recommendations
### Immediate Actions
1. **Mandate Employee Security Training:** Immediately reinforce training for all staff on recognizing security threats (phishing above all), the importance of applying software updates promptly, and the use of strong, unique passwords. The source's advice to change passwords frequently is outdated: NIST SP 800-63B recommends against forced periodic rotation, which pushes users toward predictable variations of the old password; require a change only when there is evidence of compromise.
2. **Address Mobile Threat Vector:** Explicitly train employees that mobile access presents a significant security threat and ensure security policies reflect this reality.
3. **Block Unnecessary USB Storage:** Use endpoint device-control policy (or, where no management tool is available, physical port disabling) to block removable storage on devices that do not need it, preventing unauthorized data transfer and malware introduction while leaving keyboards and other required peripherals working.
### Short-term Improvements (1-3 months)
1. **Update Security Policies for Modern Infrastructure:** Review and update existing security policies to accurately reflect current technology usage, specifically addressing cloud storage, off-premises enterprise software, and increased tablet/mobile device usage.
2. **Enforce Strict Access Control (Least Privilege):** Review and restrict data access rights. Ensure that only personnel who critically require access to specific data sets have it, avoiding over-centralization of control even among senior IT staff.
3. **Implement Data Access Monitoring:** Deploy systems or processes to log who accesses sensitive data assets, and review those logs against the entitlements actually granted so that access outside a user's role is caught rather than merely recorded.
4. **Restrict User Configuration Changes:** Prohibit end-users from altering security settings on their company-issued devices.
### Long-term Strategy (3+ months)
1. **Conduct Thorough Risk Assessment:** Engage security consultants to perform an in-depth assessment that identifies the highest-risk areas within the business that require the most robust security investment, preventing overspending on low-risk assets.
2. **Develop an Incident Response Plan from the Assessment:** Use the risk assessment findings to write a proactive incident response and vulnerability reduction policy, so that when an incident occurs the organization already knows who acts, what gets isolated, and which systems are recovered first; this preparation reduces the cost and duration of actual incidents.
3. **Evaluate Open-Source Alternatives:** Strategically assess high-cost proprietary software solutions against reliable open-source alternatives (e.g., CRM, CMS, bookkeeping) to reduce licensing fees. The source also suggests open-source may draw less attacker attention; treat that claim with caution, since widely deployed open-source platforms are targeted at least as heavily as proprietary ones. The switch only pays off if the licensing savings fund the internal expertise needed to track advisories and patch promptly.
4. **Establish Proactive Security Budgeting:** Reclassify security spending as an essential operational cost ("spend now, save later") rather than discretionary spending, acknowledging that the cost of remediation post-breach far exceeds prevention costs.
## Implementation Guidance
### For Small Organizations
- **Prioritize Employee Education:** Since small businesses are often "low-hanging fruit," dedicate a significant portion of the limited budget to recurring, high-quality security awareness training focused on phishing and physical security.
- **Adopt Secure Cloud Solutions Wisely:** If moving to the cloud, ensure the chosen provider meets strong security standards, as SMEs are statistically more likely to suffer severe financial consequences from a successful breach.
- **Focus on Hardening Endpoints:** Since extensive consulting might be unaffordable, utilize built-in security features on operating systems and mandate strong endpoint protection as a primary defense layer.
### For Medium Organizations
- **Formalize Risk Assessment Projects:** Utilize budget increases to commission an external risk assessment to guide targeted security investments rather than broad purchasing.
- **Develop Role-Based Access Policies:** Implement formal Role-Based Access Control (RBAC) structures to enforce the principle of least privilege across departments.
- **Invest in Monitoring Tools:** Begin deploying basic Security Information and Event Management (SIEM) or centralized logging tools to track access to sensitive data.
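The least-privilege and monitoring items (restrict data access to the roles that need it, then log and review who touches sensitive data) can be checked mechanically. The following is an added example written for this summary, not code from the source report: it holds a constructed role-to-dataset entitlement table, parses a constructed audit-log excerpt in a hypothetical key=value format, and flags accesses that no role grants, accesses by unknown principals, and bulk reads. All user names, roles, dataset names and log lines are assumptions.

```python
"""Least-privilege entitlement check plus data-access monitoring.

Added illustration for this summary, not code from the source report.
The role table, user-to-role mapping, dataset names and audit log lines
are all constructed; a real deployment would load them from the directory
and from the data platform's audit log.
"""
import re
from collections import defaultdict

# Constructed role entitlements: each role lists only the sensitive datasets
# it needs. it_admin and cio get no blanket access, which avoids
# over-centralizing control in one person, senior staff included.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"payroll", "ledger"},
    "hr_generalist": {"payroll", "personnel_files"},
    "it_admin": {"backup_catalog"},
    "cio": {"ledger"},
}

# Constructed user-to-role mapping (hypothetical directory export).
USER_ROLES = {
    "alice": "finance_analyst",
    "bob": "hr_generalist",
    "carol": "it_admin",
    "dave": "cio",
}

# Constructed audit log excerpt in a simple key=value format (hypothetical).
SAMPLE_LOG = [
    "2015-03-02T09:01:12Z user=alice action=read dataset=ledger result=allowed",
    "2015-03-02T09:03:45Z user=bob action=read dataset=ledger result=allowed",
    "2015-03-02T09:05:10Z user=carol action=read dataset=payroll result=denied",
    "2015-03-02T09:07:00Z user=dave action=read dataset=personnel_files result=allowed",
    "2015-03-02T09:10:00Z user=mallory action=read dataset=payroll result=allowed",
    "2015-03-02T09:11:00Z user=alice action=read dataset=payroll result=allowed",
    "2015-03-02T09:11:05Z user=alice action=read dataset=payroll result=allowed",
    "2015-03-02T09:11:09Z user=alice action=read dataset=payroll result=allowed",
    "this line is not an audit record",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) "
    r"dataset=(?P<dataset>\w+) result=(?P<result>allowed|denied)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed record."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_entitled(user, dataset):
    """Least privilege: a user may touch a dataset only via an explicit role grant."""
    role = USER_ROLES.get(user)
    return role is not None and dataset in ROLE_ENTITLEMENTS.get(role, set())


def audit(lines, bulk_threshold=3):
    """Walk audit records and return (kind, user, dataset) findings.

    entitlement_gap: access was allowed although no role grants it, so the
                     enforcement layer disagrees with policy and needs fixing.
    denied_attempt:  an unentitled access was correctly blocked; worth review.
    unknown_user:    the principal is not in the directory export at all.
    bulk_access:     one user read one dataset >= bulk_threshold times in the
                     window, a common precursor to data exfiltration.
    unparseable:     the record did not match the expected format.
    """
    findings = []
    allowed_counts = defaultdict(int)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            findings.append(("unparseable", None, raw.strip()))
            continue
        user, dataset, result = ev["user"], ev["dataset"], ev["result"]
        if user not in USER_ROLES:
            findings.append(("unknown_user", user, dataset))
        elif not is_entitled(user, dataset):
            kind = "entitlement_gap" if result == "allowed" else "denied_attempt"
            findings.append((kind, user, dataset))
        if result == "allowed":
            allowed_counts[(user, dataset)] += 1
    for (user, dataset), count in sorted(allowed_counts.items()):
        if count >= bulk_threshold:
            findings.append(("bulk_access", user, dataset))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The entitlement_gap findings are the ones that matter most for the least-privilege review: each means the access layer granted something the role table does not, which is exactly the drift an access-rights review is meant to remove. The bulk_access threshold is deliberately low for the sample; in production it would be tuned per dataset and per time window.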
### For Large Enterprises
- **Integrate Security into Procurement:** Mandate that all new software and services (including open-source implementations) undergo a security review by dedicated security personnel before deployment.
- **Establish Formal Governance:** Ensure the security policy review process is institutionalized, requiring mandatory annual updates that specifically address changes in cloud adoption, remote work, and mobile device management (MDM).
- **Implement Technical Control Diversity:** Beyond software, invest in layered heterogeneous security solutions (hardware, software, services) to ensure no single failure point compromises the entire environment.
## Configuration Examples
*Specific configurations were not detailed in the source material. General guidance: enforce a **password policy** built on length (minimum 12 characters) and screening of candidate passwords against a breached-password list, rather than composition rules and forced rotation, which NIST SP 800-63B no longer recommends; and configure **automatic software patching** so security updates are applied promptly after release, with a short staged rollout where an untested update could disrupt production.*
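As an added example (not a configuration from the source report), the following Python contrasts the weak composition-rule policy with a length-plus-breach-screening policy. The breached-password corpus is a constructed stand-in of four SHA-1 digests; the function names and the 12-character minimum are assumptions that follow the guidance above.

```python
"""Password policy: length plus breached-password screening.

Added example, not a configuration from the source report. The breach
corpus below is a constructed stand-in (SHA-1 digests of a few passwords
that composition rules accept); a real deployment would screen against a
full breach corpus, either locally or through a range-query API.
"""
import hashlib
import re

# Constructed breach corpus: SHA-1 digests as upper-case hex, the form in
# which breach corpora are commonly distributed.
_BREACHED_PLAINTEXTS = ["Password1!", "Welcome2015!", "Summer2014!!", "P@ssw0rd1234"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}


def legacy_policy(pw):
    """The weak setting: 8+ characters with upper, lower, digit and symbol.

    Accepts 'Password1!' and rejects a long passphrase, the opposite of what
    resists guessing attacks.
    """
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ]
    return all(checks)


def in_breach_corpus(pw, corpus=BREACHED_SHA1):
    """Range-query style lookup: hash locally, select the corpus entries that
    share the first five hex digits, and compare the suffix locally, so the
    full hash of the candidate password never has to leave the client.
    """
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidate_suffixes


def modern_policy(pw, min_length=12, max_length=128, corpus=BREACHED_SHA1):
    """The corrected setting: length and breach screening, no composition
    rules and no forced periodic rotation. Returns (accepted, reason)."""
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(pw) > max_length:
        return False, f"longer than {max_length} characters"
    if len(set(pw)) <= 2:
        return False, "too repetitive"
    if in_breach_corpus(pw, corpus):
        return False, "found in breached-password corpus"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1!", "Welcome2015!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"modern={modern_policy(candidate)}")
```

The instructive cases are the two that the policies disagree on: 'Welcome2015!' satisfies every composition rule and the 12-character minimum yet is rejected because it sits in the breach corpus, while a long lowercase passphrase fails the legacy rules and passes the modern ones.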
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Practices align with the **Identify** (risk assessment), **Protect** (training, access control, secure configuration), **Detect** (data access monitoring), and **Respond** (incident response policy) functions.
- **CIS Critical Security Controls (v8):** Directly supports Control 3 (Data Protection), Controls 5 and 6 (Account Management, Access Control Management), Control 8 (Audit Log Management), Control 14 (Security Awareness and Skills Training), Control 15 (Service Provider Management, for cloud provider selection), and Control 17 (Incident Response Management).
## Common Pitfalls to Avoid
- **Panic Buying:** Purchasing expensive security tools haphazardly without a formal risk assessment defining the actual needs.
- **Assuming Cloud Providers Handle Everything:** Relaxing internal controls because data is stored off-premises; internal configuration and access management remain critical.
- **Stale Policies:** Maintaining security policies that do not account for current infrastructure realities (e.g., mobile work, cloud services).
- **Centralizing Over-Control:** Allowing a single individual, even the CIO, to be the sole gatekeeper for all security access decisions.
## Resources
- **Risk Assessment Methodologies:** Use NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) when conducting formal risk evaluations.
- **Open Source Clarity:** Consult vendor/community documentation specific to the chosen open-source platform to establish robust internal patching and maintenance protocols.