This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
How do you think the economic downturn will affect security budgets?
It's always been a real chore to justify an information security budget because you can't put a monetary figure on the return on the investment. Information security is there to make sure nothing [bad] happens, so if you're doing your job, nothing [bad] is happening. Given that you're already starting behind the eight ball, the economic upheaval in the banking industry is just going to put more of a burden on security professionals to get more funding. They'll have to learn how to live with less. Take good stock of your resources, the skill sets of your team, your networking infrastructure and see what you can do within the limited budget that you'll be getting.
Can outsourcing help?
It's certainly part of the picture. Going from JPMorgan to Republic First Bank - from a very large international corporation that had a large budget for security to a smaller regional bank that doesn't have the [same] resources - gave me good insight on how to manage and do more with less.
What else might help in lean times?
There are things you can do with a small team or a small budget. It's going back to basics. One of my main focuses when I come into a security position is to get a really detailed understanding of the flow of confidential and restricted data. You have to know where your data is going and who it's going to; once you know and understand that, you can start targeting areas of risk. You need to have a mature risk assessment process in place so you can prioritize these risk areas. Once you prioritize the risks associated with the various areas, you can start focusing your limited resources - whether it's budget, assets or staffing - on those areas. You probably won't cover every single one, but at least you've hit all the high-risk areas.
This was first published in January 2009