The Economy Affecting Infosec? Survey Says!
Greetings, security people! A while ago I posted a few questions to the SANS/GIAC community asking how the economy was affecting security programs within their organizations. I had a handful of responses, but not too many. Then, thanks to a suggestion from Christophe Veltsos, I created a simple SurveyMonkey survey and got a total of 23 responses. As promised, I am sharing those results with the community, since it’s always nice to know what others are up to. Here goes…
QUESTION #1: What types of policy changes and overarching security philosophy/mindset/risk-tolerance changes are occurring as a result of fewer staff? For example, are you “locking down” Internet access more than usual since you have less time and staff to interpret user requests? (19/23 answered this question)
- No impact so far — I am in healthcare and we are moving to an electronic health record, so there is more rather than less emphasis on policy.
- No, the people who remain have more work to do, so security is suffering as a result. It is seen as less of a priority than “giving the user what they want.” Daily, I see dozens of machines with no critical updates applied and systems with blank passwords. Security doesn’t exist here.
- Unfortunately nothing different is happening, and that’s (IMHO) the problem. Fewer IT security staff means fewer hands to protect the enterprise, and less prevention / detection / response.
- Mostly we just do not have the time and resources to properly handle threats. Because we are a university, this means they are being left unmanaged.
- More dependence on policy compliance
- Actually, the unfortunate result of having less IT/IS staff is that we are seeing a tendency to have what are deemed business-critical applications put into production without the thorough review we had done before – which in my opinion is opening the door to bigger problems that may never be analyzed, unless a breach takes place. The time, money and resources we used to have are no longer a commodity, and proper risk analysis procedures are not critical like they used to be.
- We have less time to analyze security problems, so tolerance of user mischief is far lower. We don’t have time to listen to mitigating factors and hold peoples’ hands.
- Finally, fear has occurred and now management wants postings and awareness for the end users for their home systems. Internally, I still am not allowed to impact the users by trying to do any of the workarounds for the recent issues with the Excel zero-day, Adobe, etc.
- We have not lost any staff. We only have one analyst (me).
- No, workload is the same; there is no funding available. We still have to investigate ways to secure and meet policy, but there is no funding for anything. Waste of time.
- We are extending replacement cycles which is having the impact of potentially losing support on hardware/software and may necessitate unplanned and unfunded purchases.
- Insider threats from people being laid off
- No strategic shifts in policy being contemplated
- No changes, just longer hours. Any new automation of processes that requires new hardware or non-open source software is just not happening.
- As the business shrinks, the security investment increases. IT and audit staff levels are staying level as supported staff decrease. There is so much legal and client pressure to improve information security that we see this as a necessary investment. We are investing in improving technology, education and procedures.
QUESTION #2: What types of security operations are taking a hit? Reviewing logs or IDS info less often? Resolving change/exception tickets more slowly for firewall and other access? (18/23 answered this question)
- Everything is falling by the wayside. Security doesn’t matter until there is a breach. Then it is CYA time for a while, then back to business.
- Even with a SIEM consolidating IDS, firewall, remote access, VPN, antivirus, and Active Directory (authentication) log sources, we still fall short of monitoring them proactively. Response time on tickets to our group has gone from being measured in days to being measured in weeks or even months.
- IDS is unreviewed. VPN is not being appropriately managed. Firewall rules are not getting attention. Log review happens only during investigation.
- Application firewall setup (web service filters, for example); service creation
- Speaking only for my team: 1. Log analysis. 2. Risk analysis. 3. Lack of vendor support for products – no money to renew. 4. Daily operations tasks, like level 3 tickets, take much longer to resolve.
- Logs are getting less looks. Keeping up with the event console is about all we can handle right now.
- None. They are looking to purchase Core Impact to complement our Nessus and IBM ISS IDS tools and improve reporting. My group recently changed from Checkpoint to Cisco firewalls and will move the FW admin to the network team to improve the process. They are looking to hire me a senior-level cyber analyst, so we are looking to improve: more people, more products.
- We will not implement new projects, such as IDS/IPS, due to the hiring freeze.
- Anything that costs money.
- No hit yet, but unlikely to replace people if they leave.
- None, actually still growing. Adding positions to address gaps.
- Things happen more slowly of course, with fewer to do the work.
- None. Rather, we are investing in more efficient security configurations and oversight: HIDS as part of a desktop security suite rather than complex NIDS/IPS, an improved SIEM to make incident handling and response less demanding on staff, etc.
- Lost a staff member who handled database ID provisioning, DB auditing, etc. Having to figure out how to split those duties across other folks.
- Everything is just getting a budget contraction.
QUESTION #3: What items are getting cut out of the budget? (21/23 answered this question)
Additional answers (the “things I missed” category):
- travel and training reduced
- Two-factor authentication. For the first time ever they’re cutting our budget for RSA SecurID tokens, forcing us back to single-factor certificate-based auth for remote access. OUCH!!! Talk about one step forward and five steps back.
- Everything harder to justify and subject to cuts. We’re even getting challenged on anti-virus software license renewals.
- I am sure some items were missed, but in these dire circumstances, when people leave, the contract position is left empty, and cash is king – because nothing seems to be measured in terms of quality any longer, but more along the lines of cost!
- security training and conferences
- User information security awareness activities severely curtailed at my organization. The users in this case are the bank’s financial officers and their administrative staff. Also: staff training; slowing down of closing open audit items, including ‘High’.
- Training/travel budget
- We are relying heavily on open-source right now.
- External training non-existent – not even to pay for attending a SANS training course on a work study basis
- subscriptions to organizations and training.
- Available capex and opex funding is lower than normal, which means the budget is just being allocated to few projects. Otherwise, work is progressing for higher priorities.
- Directly cutting personnel including the people doing the security checks
QUESTION #4: What tasks are you focusing on for automation? Has this changed due to the budget? (17/23 answered this question)
- Identity management, and no.
- No changes. Computerized provider order entry.
- Not much.
- Pushing more value from our SIEM and IDS to automate manual things, that and finding other overlaps in technologies, turning on features we never used before, just basic optimization of what we’ve got, vs buying more point solutions ($$).
- No automation tasks right now
- log review, authorization controls; doing less because of staffing shortages
- The same things that were automated before are being automated now…no big changes, although there is a need to look into other methods to automate tasks, in order that with less people, we can be more efficient.
- Some of us are learning python to script the log review/reporting and implementing OSSEC
- Money seems to be coming out of nowhere to improve security by agreeing to purchase more products
- Our security program is in its infancy, and as such, we are just now developing a scanning program.
- As we will not gain any staff we are automating as much as we can.
- No. Log reporting
- Improving end user processes as this will have greater impact on organizational productivity than focusing upon IT alone.
- High-volume highly manual tasks such as access provisioning.
- Automating data-gathering for KPIs associated with IT security, Log analysis, Information Risk Awareness (improvements to an internally developed risk management process)
- Incident detection (via extrusion monitoring). Nope.
- Automating everything possible. No changes.
QUESTION #5: For those tasks you are trying to automate, how are you prioritizing? (18/23 answered this question)
Pretty interesting results, I’d say. Most of you are feeling *some* pinch from the economy, whether it’s in paring back people, technology, or training; the recurring casualties are log/IDS review, training and travel, and timely handling of change and exception tickets. A handful of you are not feeling much, if any, effect, and a few are even growing. Thanks to all who participated; I hope this is useful!