Everyone's looking for a handout these days and IT security pros are no exception.
A panel of IT experts, including those from Bose, Brown University and Genzyme, shared tips about “cheap but good” IT security solutions at Wednesday's SecureWorld Boston event.
David Sherry, CISO for Brown, noted that his team exploits free Web 2.0 tools and open source software to support its efforts. Among other things, the IT team issues alerts via Twitter to call attention to virus threats and has used a blogging program to test out a plan for keeping in touch during a storm or disaster that might keep workers from getting into the office.
Sherry, who came to Brown about eight months ago from the financial industry, said the change from the very locked-down nature of the financial industry to the Wild West university setting came as “a real slap upside the head.” One difference has been the school's willingness to employ open source software tools, and he encouraged those even in more buttoned-down organizations to give them a whirl. “You will not find 'cheap but perfect' when using open source,” but you might find good enough tools that can save you tens of thousands of dollars vs. commercial offerings, he said. “Tools are getting better and upgrades are coming faster in part because more people are using them and giving more feedback.” Sherry noted that Brown runs risk assessments on open source tools just like it would on any other tools.
Being at a university, Sherry said it is only natural to look to students for inexpensive or even free labor, such as summer penetration testing. He recommends that non-university organizations call around to local schools to see whether students are available for internships they might do for free or for a nominal stipend.
Sherry said there's also something to be said for centralization, which can cut down on costs of various departments having their own security administrators.
In the spirit of cost cutting, Brown has also examined all of its IT contracts and gone back to vendors to ask for price breaks, whether it's straight discounts or extending contracts for lower rates. “It will not shock your vendors if you ask them,” Sherry said. Brown has also done away with maintenance contracts for some products.
Another tip: come up with offsite storage exchange programs with other organizations. He acknowledges that there is a higher degree of collaboration in the educational field than the finance industry for this sort of thing.
Also offering advice was panelist Terri Curran, director of information security at consumer electronics maker Bose. She said: “Look outside your country but look inside your company.”
What she meant by “look outside your country” is that there are plenty of free resources about security awareness, identity theft and the like available on government Web sites around the world (she specifically mentioned the Netherlands as having good videos and slide decks on antivirus and other topics). Not all such documents will apply directly across countries, but she has found that you can pick and choose, and that it beats starting from scratch. She also mentioned Interpol as a good source of such documents.
What Curran meant by “look inside your company” is that you might find employees who are eager to help spread the gospel of IT security. Bose used to hire actors and script writers to put together security awareness videos, but now instead runs contests in which employees take on those roles. She says the videos are actually better, not to mention less expensive.
With the economy tight, squishy balls and other tchotchkes have been axed from budgets. But Curran said it's important to “touch” employees, including remote ones, with security awareness information. Among other things, Bose uses online presentation software from Brainshark to make security awareness information available to employees anywhere (she noted that she did not intend her remarks to be construed as an endorsement for Brainshark, nor is the product free, but was just citing it as an example). Others chimed in that those who already own PowerPoint can extend the Microsoft software through a narration feature to accomplish some of this same sort of communication.
Anne Oribello, a security expert at Genzyme, said freebies are also available in the area of IT security policies. She cited the SANS Security Policy Project and NIST as sources. While these policies might not work for you untouched, they give you a good place to start.
She also advised looking to available standards, such as the Health Insurance Portability and Accountability Act, even if you don't happen to be in the healthcare industry. She said a lot of thought has been put into detailing security requirements, and that these are the sorts of things any organization could benefit from considering.
One last bit of savings advice from Oribello – well, something that can save you from trouble anyway. She recommends that any security policy include forms for requesting policy exemptions. By doing this, an organization can address things it didn't think of when originally putting its security policy in place, and it puts a system in place to monitor the exceptions.