Evolving Threats and Budgeting

Where did I put that crystal ball? It occurs to me that in the information security business, managers have a tough task when it comes to budgeting. Many organizations plan and establish their budgets 9-12 months in advance.

This means way back in January, February and March of 2007 many enterprises were making detailed budgeting plans for money to be spent in 2008.

This gives organizations much needed visibility into how much money they plan to spend in each area and some real specifics on how the money will be spent. All good stuff when you’re trying to manage finances and run a corporation.

In many parts of the modern IT infrastructure, this kind of planning works well and makes sense. Hardware ages and needs to be replaced.

Buying new servers, additional storage, new network equipment, even cooling and power are all fairly predictable, particularly in well established organizations.

But the challenge is quite different when it comes to budgeting for information security products. The reason for this is the evolving threat.

We in the data security world are facing a constantly evolving threat on a global scale, an arms race if you will, where organizations need to be nimble and react quickly to new attack vectors on increasingly short notice.

The threat in February of 2007 was different than it is today in June 2008. It will be different yet again in January 2009.

The fact is, planning to spend on protection technologies more than a year in advance is hard and often requires reshuffling and reallocation of budget dollars to go where the money (and defense) is needed the most.

Over the last year or so we have seen dramatic shifts in the evolution of the threat to the sensitive data that many organizations store.

We’ve gone from protecting our network perimeter with firewalls and IDS devices to the realization that web applications leave gaping holes in the firewall, which led to a quick reallocation of budget dollars to spend on web application scanning tools, code scanning tools, and web application firewalls.

Most folks were only getting started planning for and purchasing these technologies when another shift occurred. We started to acknowledge that the data that hackers want to steal mostly lives in a database.

Now organizations that had planned to plug sometimes small, sometimes large holes in web applications with various technologies have shifted their focus to the databases for the first time.

It’s fairly common today to talk to database administrators who have never scanned their databases for vulnerabilities, never applied a patch, and never enabled auditing on a production system. It’s astonishing to think about.

Databases house the “Gold” in today’s corporations and governments. Banks don’t have cash in the vault; it’s in a database. The IRS doesn’t keep your tax return dollars under a mattress somewhere; it’s in a database.

Companies don’t keep paper files about their customers anymore; it’s all in a database. And for many, until now the threat to those databases was not at the level of many other threats, so little or no attention was paid to those systems.

The big shift has arrived. For many it comes along with regulatory pressure to comply with various industry and government standards, such as PCI-DSS, Sarbanes-Oxley, FISMA, and several others.

These regulations are often vague when it comes to IT assets and how they should be protected, but the bottom line is always the same. It’s data that is regulated, and wherever that data is stored it must be protected.

For others, the concern was less about regulated data and more about pure security. “If I lose my customer data, I lose my business” is the mantra many have adopted. The threat has evolved, attackers are focusing on data stored in databases, and the market is moving aggressively to react.

Let’s go back to where we started. The challenge of budgeting long in advance for purchases of technologies that may not exist yet, or of technologies that may not yet have any relevance to your business, is daunting to those parties involved. Some questions that should be asked are:

  • How do you handle budgeting for IT Security purchases?
  • Do you have a bucket of dollars allocated to emerging threats?
  • Do you regularly revisit your budget decisions to ensure they are still in line with your business needs?
  • Do you skip the details altogether, pick a budget and then figure out how to spend it when the time comes?

This is a big challenge for many and a tough problem to overcome. Whatever industry you work in, be sure to at least consider the nature of the evolving threat model as you plan next year’s security spending.

If you do, when the threat changes and the time to adjust your defenses arrives, you will be very happy not to have to go reallocating, reexamining, or worst case, waiting for next year in order to deal with what the hacker community throws at us.

Application Security, Inc. (www.appsecinc.com) provides database security solutions for the enterprise and was named to Inc. Magazine’s 2007 list of America’s Fastest Growing Private Companies (Inc. 500). Its products proactively secure databases and deliver up-to-date database protection that minimizes risk for companies