I recently had a conversation with a friend who is now in charge of cybersecurity for a large company (100+ virtual and physical servers). He was prepared for the age-old cybersecurity problem of justifying a security budget to company leadership. All of us who work in the industry know the chicken-and-egg problem that has plagued security for years:
You: Boss, we need to spend $100,000 on security tools.
Boss: Why? What happened? Did we get hacked?!? Did we lose data?!?!!!
You: No, no, this is preventative and proactive so that we do not get hacked.
Boss: Have we ever been hacked? Why should we buy a tool if we’ve never been hacked?
You: We have no knowledge of ever being hacked, but we cannot tell if we are being hacked because we do not have these tools.
Boss: If we get hacked, are being hacked, or there’s a threat of being hacked, then we can buy the tools.
You: But... uh... if we do not have the tools, then we won’t know if we are hacked.
(Pre-2003) Boss: Not my problem.
(Post-2003) Boss: Okay, you can have $50,000.
After 2003, cybersecurity leaders found it easier to get that first round of annual funding for the tools and resources needed to run their organization. My friend found this to be true as he went through his first fiscal budget process. However, he quickly ran into the newest problem for cybersecurity leaders: it is no longer enough to simply get your budget and be content. Tools breed tools; resources breed resources.
He purchased his network security monitoring tool and found things on his network that required special attention. In other words, his investment was paying off, but at a cost he would find expensive. The issues he found on the network required his staff to 1) figure out what was going on, 2) log the situations, 3) respond to the situations if nefarious activity was occurring, and 4) prevent the situations from occurring in the future. He found that he needed more tools for steps 1, 3, and 4. His staff are all cybersecurity people, and they know how to work with very tight budgets. For the first step, figuring out what was going on (i.e. what type of communication is occurring, from which applications, what the sources and destinations are, etc.), his team used open-source tools. Open-source software is an indispensable avenue that remains a major part of any security team's toolbox. However, he is anxious because he knows that as the organization grows, open-source tools may not remain a viable solution for monitoring his network.
Luckily, the tools he purchased for monitoring also provide logging. Even so, his team has to keep a set of Word documents, one per situation, and he uses a unique numbering scheme to keep track of the situations for posterity. More elegant systems (think helpdesk tickets) could be used, but that's a software solution that costs more money. He thought about pushing for this but said, "I need more important software than a ticketing system." He is right.
Then he came to the part of the incident response process where you respond to a situation. His staff had nothing but open-source tools, and those were not adequate to provide sufficient triage and information gathering to respond appropriately. Therefore, he needed some type of forensic software. He has no idea how he is going to ask for more money when it was such a hassle to get 50% of what he asked for last year.
And then there is the last part, preventing the situation from occurring in the future, which is somewhat contingent on verifying that the bad activity actually happened. He already requests his normal edge protection and internal data-layer protection, but specialty appliances? What a vexing situation.
So, the last time I talked to him he was facing a quandary. He had asked for a budget; actually, he asked for double what he needed and received half. He bought his special monitoring software and found suspicious happenings on the network. Now, because he asked for the money and installed the software, he is forced to ask for more money to respond appropriately to the suspicious findings. He said, "If I had not asked for this in the beginning, then I wouldn't have this problem. I wonder if they don't want to know if bad things are happening."
I think this problem is typical of how businesses operate in general, but as it applies specifically to cybersecurity, it will plague leaders for years to come. For those up-and-coming professionals in leadership roles, you should be aware that once you get security tools, you will need more, because tools breed tools. In my experience, the only organizations that have been given blank checks for cybersecurity are those that have been breached. Believe me, you don't want that kind of blank check.
-Ryan Vela