Security budgeting is a layered approach
Security is important, for an organization, and its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure and mistakes can happen anywhere. Where should you focus your efforts?
Cover the Basics first
Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:
- Review your security policy
- Ensure security patches are up to date, for all hardware/software
- Make sure all of your devices are running AV software and are up to date
- Review your password policy for weak passwords
- Encrypt all portable devices
- Provide security training for end users, and IT staff
- Regularly review your Firewall/IDS rules
- Follow best practices for remote access/VPN solutions
- A monitoring/logging solution should be in place
Budget Considerations
Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses. If you do not have the in-house expertise available, you may need to rely on outside assistance. Some items to consider:
- Formalized development of security policies and procedures
- Security monitoring or outsourced assistance
- Vulnerability and penetration testing
- Third party inspection
- Multifactor Authentication
- Mobile Device Security/Management
- Internet controls/restrictions
- Secure Large File transfer methods
- NAC
- Wireless security
- Data Loss Prevention
- Incident response/tracking
- Backups/DR/Business Continuity
Studies have shown that a good overall security posture will reduce the overall cost of a security breach.
