Could the sequester make us smarter about security?
- By Jody Brazil
- May 30, 2013
We are nearly three months into sequestration, and the world -- or even the U.S. government -- has not ground to a screeching halt. By the same token, all the talk about the cuts shocking elected leaders to their senses and prompting an agreement to negate them seems to have died down as well.
That doesn’t mean the cuts have not been deep, though. It doesn’t mean that many employees -- both government workers and contractors -- will not lose their jobs or that new programs and initiatives are not being canceled or delayed. But nor does it mean IT leaders are relieved of the responsibility of securing our IT assets and managing our risk at acceptable levels.
This era of sequestration means we must work smarter with the assets we have now. The precious few dollars we have should be used to capitalize on what is already in place rather than ripping out and starting over. It is an opportunity to better manage current assets for greater operating efficiency.
According to some government officials, for the most part, critical infrastructure security has not been drastically cut. What is already in place will generally remain in place, at least for now. New projects could be scaled back, but even then, massive cuts seem unlikely.
The most difficult task might well be how to make do with fewer employees. Although new technology purchases for cybersecurity might still be possible, the staff to implement and maintain that technology is not nearly so protected. That means IT executives must use technology to manage assets effectively. Automation and visibility can help you manage with fewer people, and when looking at new technology, better management of existing infrastructure should be a prime consideration.
Another area that could be subject to sequestration-related cuts is the move to next-generation firewalls and other security appliances. However, that does not mean you cannot improve your security posture with the network security gear you have right now. For instance, there is probably no shortage of firewalls in your network today, but understanding what rules are in place and why is another matter. Learning to make do with what you have is the key to successfully navigating the sequester.
Another strategy is to understand what the true risks are so that you don’t spend money you do not have on things that are not a real concern. It is natural to worry about assets that are vulnerable, but very few of us investigate whether those vulnerabilities are exploitable. Fewer still take the next step and ascertain whether those exploitable vulnerabilities are reachable. If they are not, why waste precious resources on them?
And if they are reachable and exploitable, what is the most efficient way to manage that risk? It might not necessarily mean spending more money. Instead, it could be as simple as a network configuration setting. A more enlightened approach to risk management that helps you identify the risks in a network and how best to manage them could wind up saving big money.
Tools and tactics that allow agencies to capitalize on existing assets are the best ways to squeeze the most out of shrinking budgets. There will be a time soon when we can think about upgrading our network security appliances and infrastructure. But that doesn’t mean we can’t be more secure and manage risk better today. Invest in what you already have in place. Manage better, work smarter, and don’t use the sequestration as an excuse to let down your guard about information security.
Jody Brazil is founder and CTO of FireMon and former CTO of FishNet Security.