Come budget time, being the security manager for a financial services company is a great thing. Like any security manager, I have to prepare materials to justify spending company money. But in the financial services sector, upper management tends to be well aware that we have a lot to lose if we’re breached, and customers and auditors continually scrutinize our security practices. Since losing a major deal or failing an audit because of inadequate security is not an option, winning approval for reasonable budget requests is not as arduous as it can be in other industries.
At issue: It’s budget time, and as usual, our manager has a long wish list.
Action plan: Be ready to describe current problems and the risks of not addressing them properly.
In the past I have received funding for a security engineer who is primarily focused on product security. His duties include identifying and mitigating security vulnerabilities and bugs, driving the implementation of security-related features and functionality, and addressing the security posture of internal tools. In addition, last year we were able to purchase a very expensive source-code analysis tool to aid him in his tasks. This year, he has asked for additional third-party application penetration testing tools and services, which I’m happy to accommodate.
A weakness in our security efforts — one we share with most organizations — is in the area of IT or corporate security. It has improved, now that most of our corporate applications are cloud-based or software as a service (SaaS), which means our corporate network is not populated with a lot of business-critical servers. But that doesn’t mean we can disregard basic security hygiene such as patch compliance, endpoint security, network segmentation and secure configuration management. Like many other organizations, we give our users administrative access to their PCs. We try to protect the PCs by using group policies, but users still install third-party programs. That means that besides keeping up with operating system patches and baseline configuration, we also have to stay on top of third-party application patches. And with more than 80 SaaS applications in use, vendor management and application configuration are critical. All of this is why, during this budget round, I will ask for a dedicated IT security specialist to focus on corporate security.
I also want to hire someone to handle audit and compliance requirements, which continue to grow. We already meet the requirements for SSAE 16 and PCI, and we manage third-party assessments and penetration testing and conduct internal audits. We are now considering meeting HIPAA compliance so that we can sign agreements related to the protection of certain healthcare information that customers may store within our application. All of the audits and assessments have to be followed up with remediation. And so I want a security and compliance analyst. The things I’ve described probably can’t keep one person fully occupied (audits are typically seasonal), but I figure the new hire could also help analyze and crunch data and serve as another eye monitoring security events, besides shouldering other miscellaneous security-related duties.