The information security budget has been spared drastic cuts in this economic recession, even as predictions for total IT spending in 2009 continue to spiral down (see box). Yet information security managers should continue to look for ways to maintain the same level of security for less money until the economy improves. Here are three pieces of advice.
Postpone projects where payback is long, security benefits dubious. Any large security investment that does not have a payback within 18 months should be cut or put on hold until budgets improve, said John Pescatore, a distinguished analyst at Garter Inc. Payback in security tends to be measured in terms of labor saved by automating a once-manual process and the more nebulous calculation of cost-avoidance by preventing a security breach.
Other projects that should be cut or held? Those in which the service costs are greater than 50% of product costs. Or those that assuage user complaints more than enhance security, like single sign on. Or nice-to-haves, such as a better antispam defense.
Forrester Research Inc. analyst Jonathan Penn said companies are postponing big projects involving a lot of consulting services. An example is identity and access management (IAM), where both the product and labor involved are expensive. But IAM is an important protection in an economy where layoffs are common; being able to de-provision laid-off employees quickly is important.
So are security information and event management (SIEM) tools that can track the actions of laid-off employees in the weeks before termination, Penn said.
According to Pescatore, security teams should also root out from their budgets the nice-to-have gadgets, such as security/risk dashboards, in favor of investments that protect the data. Manual ways of creating ad hoc reports will do the job for pinched times.
"Starve the reporting chain and feed the security protection and process side," he said. "Many existing products, like SIEM and even plain old spreadsheets, may work just fine as a dashboard in tough times."
Transfer security spending into other people's budgets. Shunt security projects to other areas in IT or the business. "If we can force application development, or business apps or business modeling, where the big chunks of the IT budget is being spent, to eliminate vulnerabilities or eliminate dangerous processes, that is on their budget, not your budget," Pescatore said.
The Payment Card Industry Data Security Standard (PCI DSS), for example, requires organizations that process credit card payments to put their Web-facing processing software behind a Web application firewall or have the software application-security tested. Security can run out and buy a point product that provides the highest level of security and the most control, Pescatore said. Or, it can suggest that the network folks leverage the firewall capability baked into the network or invest in the necessary technology.
Another example is application vulnerability testing. Security should be asking why the folks who are writing the Web software aren't doing the Web application vulnerability testing before the software can get through final quality assurance.
"The QA and the audit guys can often be your best friends … forcing that spending to go up through the app development chain," Pescatore said. This strategy may sound far-fetched, he said. But his experience in recent years is that developers whose codes are getting rejected in the final QA stages quickly develop a strong interest in security tools.
A variation on the theme, from Penn, is to focus on projects that have multiple stakeholders, so security is not fighting the budget battle alone. For many companies in a down economy, the priority is protecting the brand and retaining customers. Data security is paramount. Security investments that will help stave off lawsuits and fines, or meet regulatory obligations required by important business partners, such as PCI DSS, will be more likely to garner widespread support, Penn said.
Learn how to rob Peter to pay Paul, and other CISO tricks. Larry Whiteside Jr., chief information security officer at the Visiting Nurse Service of New York (VNSNY), has developed a strategy for protecting his budget. "I ask for the world," he said, and goes from there.
VNSNY information technology budgets are project-based, which makes for easy accounting at the end of the year but doesn't give Whiteside a pot of money to dole out as he sees fit. But for 2009, when he asked for 15 projects and got funding for three, he managed to get six done.
Whiteside doesn't apologize for knowing how "to pad" a project budget request in order to fund other projects. His budget is a lean 5% of the total IT budget of about $6 million. Whiteside also bullies vendors on price and cheerfully offers himself up as a customer witness in order to get the price he needs.
Data protection is a priority, indeed the impetus for his two major projects: a VPN for vendors who provide external support to the systems, and a network access protection Dynamic Host Configuration Protocol-based solution from Symantec Corp. for outside guests who need to access the 80-plus remote offices in the VNSNY system. With "leftover" funds, he has deployed a vulnerability assessment tool.
His ace in the hole? Chargebacks to the business units most affected by security lapses due to data leaks, unencrypted email and so on. "They have been willing to pay their share," he said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in July 2009