
How can security pros cope with a limited information security budget?

Many security professionals have to operate within a small information security budget. Expert Mike O. Villegas reviews some tips for maximizing the budget and persuading management to increase it.

A recent security survey indicated that organizations are adding to their security budgets to include additional security measures such as monitoring internal network activity. I would like my organization to do the same, but we don't have extra room in the budget. What are some cost-effective ways to increase my information security budget and improve local network monitoring, either with free tools or perhaps re-allocating existing resources?

There are three approaches to working through the challenges of a limited information security budget. Using one or all three can provide some relief while still meeting security demands.

  • Compliance demands: Historically, information security has been considered a necessary evil, with a budget just high enough to maintain the minimum level of protection and compliance. It wasn't until the Enron scandal led to Sarbanes-Oxley, and other compliance standards such as HIPAA and PCI DSS emerged, that enterprises were forced to finance additional controls. Compliance is a driver for additional resources and tools, but compliance alone is insufficient. Being compliant does not mean your company is secure; it means it is compliant. However, since companies need to be compliant regardless, use this as leverage to augment the security budget.
  • Open source tools: Open source security is an obvious option and can provide some excellent tools. For example, OSSEC is a file integrity monitor and host-based intrusion detection system that has been widely accepted as a reliable tool and can satisfy PCI DSS 12.10.5, which states, "Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems." Open source has been criticized as unreliable for securing environments, but the issue is not the open source tools themselves. Instead, the issue is how open source is deployed by security architects. They need to vet open source implementations, implement strong change control procedures and use them to build a case for other software purchases by showing their value to management.
  • Re-architect: Mitigate risks by segmenting critical systems. A flat network is heavily reliant on ACL controls but lacks sufficient granularity, so it remains exposed to unauthorized internal users and outside attackers. Re-architect the internal network by segmenting production environments, development, internal corporate servers, legacy back-office systems and Web infrastructure. Use a combination of separate domains, subnets, VLANs, proxies, HIDS/HIPS and internal firewalls. Use hardened baselines to strengthen the internal infrastructure devices and servers. Use open source tools to monitor and secure these environments.

Despite how dismal or helpless you might feel about your company's insufficient tools for monitoring and protection, don't give up. Demonstrate to management that every effort is being made to protect the environment by using these three approaches. Clearly explain the security risks of any remaining limitations to management; do not characterize security as being on tenterhooks, and instead demonstrate that you are resolved and creative enough to get the job done. A reasonable executive management team will see the effort and provide additional financial support to the security budget.


This was last published in May 2015
