Hark to the good ole’ (worm) days
I miss the days of the massive-impact worm. I miss the rush of keeping on top of what the bad guys were doing as they worked up to the worm. I miss the day the worm hit and being able to watch as other networks flailed to contain outbreaks while our IT teams monitored for single infections (which were always laptops coming in compromised).
The days of the worm were the golden age for Security teams. We could see tangible results of our labor and with the media attention, we were able to justify increased spending, awareness campaigns, etc.
Nowadays we have a completely different situation. Worms aren’t deployed by some snot-nosed, pimple-faced teen seeking attention. They’re used to quietly propagate bots that are used to build massive spam networks or adware support networks. Two years ago these botnets would just as likely have been used to DDoS a popular website off the ‘Net, but not so much any more. Now they’re leveraged to make a buck. The bad guys are being driven further underground by a combination of financial gain and increased vigilance from the security community.
Now I don’t see as much of a tangible return on investment for my security solutions. My IPS isn’t lighting up red alerts when a visitor plugs their laptop into our network. My laptop HIPS aren’t straining under the weight of someone else’s rabid network.
So how do I now justify an increase in security spending? I’m stuck in a precarious position because my company is neither publicly owned nor associated with health care (HR notwithstanding). That means we’re not bound by many compliance requirements that could be used to justify a security budget. Instead, I have only customer non-disclosure agreements and the occasional government contract to use as justification. Another trick I’ve found effective is to emphasize the stability of the network, which is a direct result of the level of control and visibility we have over it (another justification for IPS and IDS for you non-believers). But this can only go so far. Pretty soon it all starts to work against me, because eventually someone at the top is going to say ‘We’ve been without incident this long, why increase spending when we are just fine the way we are?’
Ahhhh, I miss Blaster, and SQL Slammer, and all their offspring. They were good for business.

Michael,
You’re not alone, my friend. I have been fighting for weeks to hire a new team member for our SOC, and although my company is also private, we do have some compliance issues to deal with. I have taken the “you don’t want to end up in the news for a breach” approach, but as you have said, this will only last so long; my trip to the CEO’s office will come again soon, and I will be forced to justify increased “insurance” spending, as my company likes to call it. I never thought when I entered this field that I would ever be seen as a sleazy insurance salesman, but alas.
By William on 11.09.06 9:01 am
I think for security it’s ‘three lean years and three fat years.’
I’m probably at my third fat year, so next year it’s back to Ramen noodles and open-source for our security group.
=)
By Michael on 11.09.06 9:16 am