Low Budget for Information Security?…Part 2

In my last blog post, Part 1, I described ways to improve information security when working with a low budget. One main area of focus was ensuring sound security policy and integrating security awareness training into other processes within an organization. There are many other opportunities to integrate information security best practices that increase awareness and build on the organization’s information security posture. Here are a couple more ideas:

  • Find ways to integrate information security risk assessments into existing processes so that risks are identified at early stages of product or solution development. This allows the organization to evaluate the best mitigating controls, which could be more expensive to add on at deployment. When the budget for a new solution or product rollout is first being defined, the required security management, technical and physical controls should be considered ahead of time so that there are no surprises after implementation.
  • Evaluate the organization’s purchasing process. If technical controls are required by a security policy or risk assessment and purchases are made from a project’s budget, there may be an opportunity to justify funds for deploying the security control at an organizational level. It may be just a checkpoint during the procurement phase to evaluate whether there are several different deployments of similar solutions. If so, there may not be the consistency needed to ensure quality standards are met. Additionally, negotiating with the vendor for licenses or hardware on a larger scale might save a significant amount of money. One other benefit of discussing security with the purchasing representatives is the relationships that can be developed with the information security group, which can help significantly in understanding how the business justification of costs works within the organization.

During the effort to integrate security into other processes, security staff should be aware of common misperceptions, such as being seen as a “road block” or as trying to paint a picture that the “sky is falling”. A positive attitude can help encourage open discussion of risk and acknowledgement of good catches. I’m sure there are other ideas for improving the security posture of an organization on a tight budget that others may want to share.