The average security budget among large companies is $3.35 million (£2.13 million), according to figures released by Kaspersky Lab, who asked 1,300 IT pros about IT risks and security spending.
To Michael Dent, CISO of Fairfax County Government in Virginia, this sounds like an incredibly huge amount of money. After all, he wanted to start his security programme with just over $1 million (£635,000). What he got was about one-quarter of that request.
Dent took on his current role as CISO with Fairfax County in 2002 after creating and managing the security programme for the Virginia Department of Corrections information technology department. His goal was to establish an enterprise IT security programme, something that was lacking before he came on board. He recently spoke about how he managed to get a programme off the ground with a very small level of funding, and how he turned his efforts into a chance to earn management's respect - and more financial support for security in the future.
When you started with Fairfax County in 2002, what was your initial security budget proposal?
Michael Dent: I worked closely with my engineering team to create a presentation that articulated my vision and our initial pitch was for $1.3 million (£825,000). They gave me $250,000 (£160,000) to start. But I could see senior management saw the future, the vision and thus invested in that vision to get Fairfax County to where it is today. That was their initial investment; really what we could get funding to jumpstart our project. But I had the confidence in both my engineering and security staff and started on this journey.
First, I was able to break down fundamentally what we were pitching and looked at the most critical areas where we had most of our issues and concerns. The majority of those issues were identified on the perimeter of the Fairfax County Government Network. Our perimeter was very weak. We didn't have internet filtering; our firewall rule set was unmanageable causing the firewall CPU to spike to nearly 100% during the business day. We conducted a thorough analysis of the firewall rule set and honed it down to where we had more of a manageable firewall rule set.
We implemented internet filtering, which reduced our bandwidth dramatically. The bandwidth was increasing at an astronomical rate due to the fact that the internal users were not being filtered or limited to specific websites on the Internet. The network team continued to request more bandwidth each year as this was effecting the ability for Fairfax to serve our constituents on the internet and with our successful web filtering implementation, bandwidth began to stabilise.
Now that the network bandwidth was stable we focused our attention on segmenting the perimeter of our network based on business units. This became a very streamlined approach where we now began to develop rules, policies, processes and procedures to further segment our network perimeter. Given that the majority of our existing rules stemmed from an antiquated security mainframe centric policy we had to carefully design the network for the future multi-tier network architecture to accommodate the web, application, database tiers. Furthermore, we had to create a new policy that fit with what our architecture was becoming.
This naturally led to the design and segmentation of our network perimeter by implementing modules or DMZs based on our business needs and requirements. We constructed the internet access module, our e-commerce module and finally our partner's module. We developed these modules and/or DMZs which now allowed us to route outbound internet traffic through the internet module so it could be closely watched, filtered and sanitised for any vulnerabilities. The e-commerce module was constructed to allow the county to segment our public facing web site from the rest of the network. Given this was our main external touch point to our constituents and/or public community we wanted to ensure the security of this environment and its interactions with the public. Finally, our partner's module was developed to allow communications with our trusted partners either through VPNs or direct point-to-point connections.
What kind of budget increase or adjustments have you been given?
After the first year, when it was evident that we had success with the defence-in-depth approach using the SAFE blueprint as a model we were able to request more funding through our IT project budget process. That process, and approval for ongoing projects, allocated twice the original amount. This of course gave us an architecture that is still in use today. We have improved on the original defence-in-depth architecture is several ways and we have been given funding for general maintenance and refresh of the security components. Currently, our overall security budget hasn't taken a decrease. but has not has not had an increase in the last several years. We've basically maintained what we have put in production with a budget that was built in after those projects were granted.
With the various projects we are currently managing within the national capital region, some of the different localities have been given some federal funding assistance with building up their network infrastructure to a point where we now have what we call our National Capital Region Network. This network is where we have built an interconnected fiber network among all 11 Northern Virginia localities, DC and Maryland. We've interconnected the local county or municipality fibre networks and are bringing applications in that are centered more on public safety. We've dedicated that network for public safety application use.
I believe now the local county governments are now realising there is probably more use from a business standpoint to utilise that network. Part of that is the reason why I've put in funding requests for federal grants, which we've been awarded.
As we speak we are implementing MPLS (Multiprotocol Label Switching) over that network, which is going to really go a long way in allowing the region to securely segment and prioritise our network traffic when it comes to public safety verses business related traffic. Within those public safety arenas - Fire, Police, EMS - we can separate that out because we do have HIPAA and/or PCI concerns.
We are also in the process of trying to implement a federated ID management project and we have done some requirements gathering on that but are still in the process of development.
All of this has been made possible with federal grants. It helps to have the federal government offer some of the funding and we know a lot of that funding came to us because of what happened on September 11, 2001. That funding has come to help implement these solutions for the safety of the general public and continues to remain critical for future enhancements of the network security environment.
But many organisations won't qualify for federal grants for assistance. So what other advice can you give about operating a security programme with budget constraints?
You have to understand and know the business landscape you've been given to protect. That will give you basis for what you will request funding for and how you are going to build out a network security architecture to secure that business landscape. I recommend all of us - the CISOs, the CTOs, the CIOs, and the network managers - collaborate on our various projects, because there is a lot we can offer each other.
As an example, here in Fairfax County, we deal with the federal government and have a lot of federal agencies within our county that have requirements to get them the connectivity they need to get to their networks safely and securely. There always seems to be a political battle to fight; What's classified? What's not classified? How many users are you going to have? What is your network capable of handling? How well can you protect the data? How can you guarantee my data is separate?
I think as CISOs, CTO, and CIOs, if we can sit down together, we'll come to an understanding that we are basically trying to get to the same end goal.
What have you NOT been able to do yet because of budget restrictions?
One project I have been concerned about is the social media aspect. I know social media is a great tool that is starting to help business more and more. I think allowing your employees to use those tools for business purposes is a good thing and should be done. But I also think we have a responsibility to the citizens of this county that before we are going to embrace that, we have to look at the business risks associated with that.
I did submit a project that was quite substantial in funding; however this would allow the county to allow social media access in a controlled way to the very large user population within Fairfax County Government. I would have to set up an architecture that would not only protect employees but also the data that employees would have access to when it comes to social media access.