Changing information security plans in an economic downturn
I read that the CISO of one major technology company is shifting her organization's 2009 information security priorities away from previously planned projects like server hardening and Web application security in favor of data protection projects and enhanced identity management and access control systems. Amid a troubled economy, do you agree with this strategy, and should most large enterprises follow a similar blueprint?
Without knowing the particular business and its environment, it's impossible to make a good judgment call on the wisdom of this change, but keep in mind that any good executive, CISO or otherwise, will change his or her priorities and programs as the overall business priorities change. Also remember that regardless of the economy, compliance is taking on more importance. If the economy continues to worsen and budgets tighten further, a greater proportion of IT departments' time and money will be dedicated to compliance efforts.
Most notable among the various compliance regulations in which organizations have invested significant time and money as of late have been the PCI DSS, HIPAA and SOX. All three regulations have a heavy focus on data protection and mandate that companies demonstrate a working identity management program, so it's not terribly surprising to hear about changes like the ones you are seeing.
The question is, what should you do? My advice is don't worry about what other companies are doing. Rather, talk with your executives about what their current and planned business priorities are, and alter your organization's security programs accordingly. That may mean working on data protection and IAM, but it could also mean working on Web application security or something completely different -- like security awareness training -- or implementing changes to policy and software development processes.
For more information:
This was first published in January 2009