Case study: Security on a shoestring budget
Michael Dent, CISO of Fairfax County Government in Virginia, created an enterprise-wide IT security program with a fraction of the budget he wanted
By Joan Goodchild, Senior Editor
October 11, 2011 — CSO —
Kaspersky Lab recently released figures from a survey in which 1300 IT pros were asked about IT risks and security spending. Among large companies, the average security budget is $3.35 million, according to Kaspersky's data.
To Michael Dent, CISO of Fairfax County Government in Virginia, this sounds like an incredibly huge amount of money. After all, he wanted to start his security program with just over $1 million. What he got was about one-quarter of that request.
Dent took on his current role as CISO with Fairfax County in 2002 after creating and managing the security program for the Virginia Department of Corrections information technology department. His goal was to establish an enterprise IT security program, something that was lacking before he came on board. He recently spoke with CSO about how he managed to get a program off the ground with a very small level of funding, and how he turned his efforts into a chance to earn management's respect—and more financial support for security in the future.
CSO: When you started with Fairfax County in 2002, what was your initial security budget proposal?
Michael Dent: I worked closely with my engineering team to create a presentation that articulated my vision and our initial pitch was for $1.3 million. They gave me $250,000 to start. But I could see senior management saw the future, the vision and thus invested in that vision to get Fairfax County to where it is today. That was their initial investment; really what we could get funding to jumpstart our project. But I had the confidence in both my engineering and security staff and started on this journey.
What was your first step to working within that $250,000 budget?
First, I was able to break down fundamentally what we were pitching and looked at the most critical areas where we had most of our issues and concerns. The majority of those issues were identified on the perimeter of the Fairfax County Government Network. Our perimeter was very weak. We didn't have internet filtering; our firewall rule set was unmanageable, causing the firewall CPU to spike to nearly 100 percent during the business day. We conducted a thorough analysis of the firewall rule set and honed it down to where we had more of a manageable firewall rule set.
We implemented internet filtering, which reduced our bandwidth dramatically. The bandwidth was increasing at an astronomical rate due to the fact that the internal users were not being filtered or limited to specific websites on the Internet. The network team continued to request more bandwidth each year as this was affecting the ability for Fairfax to serve our constituents on the Internet, and with our successful web filtering implementation, bandwidth began to stabilize.
Now that the network bandwidth was stable, we focused our attention on segmenting the perimeter of our network based on business units. This became a very streamlined approach where we now began to develop rules, policies, processes and procedures to further segment our network perimeter. Given that the majority of our existing rules stemmed from an antiquated security mainframe-centric policy, we had to carefully design the network for the future multi-tier network architecture to accommodate the web, application and database tiers. Furthermore, we had to create a new policy that fit with what our architecture was becoming.