As I wrote about in a previous post, we’re in the era of cutting back – if not completely eliminating – all non-essential expenditures. The thing is, what may seem non-essential to management may actually be essential to the business. There could just be a disconnect, or a communication breakdown, between you, your team, and the managers ultimately making the decisions. Politics and opinions aside, you have to think creatively about how you can make small improvements in Web application security across numerous areas of the business if you’re going to move your Web security program forward.

How can you do this? You need to prove that you’re thoughtful and careful about money and that the decisions you’re making regarding Web security are in the best interests of the business. You can be frugal and show management that you’re willing and able to cut back, deal with what you’ve got, and find ways to make things work better that may have been overlooked in the past. For example, one thing I see quite often is network administrators and security managers not taking advantage of Web security controls they already have at their disposal, such as:

  • URL sanitizers and input filters built into Web server platform(s)
  • Event logging, monitoring and alerting capabilities built into server operating systems
  • Web application firewall capabilities built into traditional perimeter firewalls
  • Identity and access management controls embedded directly into the Web applications

When it comes to tightening our belts and improving Web security, we have to get creative. I’ve learned this in my motorsports hobby. Like so many others, my earlier inclination was to spend a ton of money adding more horsepower to my car so I could lower my lap times. I soon learned that throwing money at the problem wasn’t the solution.

Instead, I started focusing on what I already had on my car and, most importantly, in my mind. I soon realized that my car wasn’t the problem, but rather my lack of hand-foot-eye coordination and the barriers I had in my head about what a car should be capable of doing. By focusing inward, in less than a year I had drastically lowered my lap times, to levels that would otherwise have cost thousands of dollars in extra horsepower. It was hard work, but I didn’t have to spend a dime in order to get a whole lot better.

Think about all the areas where you can improve Web security in and around your business, from existing technologies to business process tweaks to your people and even your own skillset. There’s likely a lot of room for growth. The great thing is, if you take the initiative and make things happen, you won’t have to ask management for a single dollar.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.