When you receive this issue of Information Security the country will have chosen a new president who will be coming into office in troubling and difficult times. In fact, the last month of the campaign focused primarily on the economy and what each candidate was going to do to solve both Wall Street and Main Street woes.
The ripple effect of today's economic crisis is sure to hit security professionals. Recent research from TechTarget, the parent company of Information Security, found that 56 percent of the 1,075 IT professionals surveyed said the current economic situation was a significant factor in the reduction of IT budgets (though they are expecting IT budgets to increase by 4.5 percent overall). Furthermore, if the economy doesn't improve in the first half of 2009, more than half expected budget cuts for the second half of the year.
What's more, 52 percent said they would delay non-essential upgrades and another 37 percent said they would cancel or delay non-revenue generating projects.
We know security is a cost center, and traditionally there has been difficulty in articulating ROI on security expenditures. The problem here is security is more important than ever, and a company's information assets are perhaps even more vulnerable.
Consider the scenario of layoffs at your organization. How are you protecting your assets? Do you have the appropriate technology and controls to ensure that a disgruntled employee doesn't walk away with intellectual property? Do you have mechanisms to thwart attacks to the network should an insider or outsider take advantage of your vulnerability? What about on-boarding and off-boarding? Do you have the identity and access management solutions to get employees off of the network immediately?
Let's take the financial services industry, which has been the hardest hit (see "Layoffs, Mergers Put Focus on Data Protection"). Bank of America acquired Merrill Lynch, JP Morgan Chase bought Washington Mutual and Citigroup bought Wachovia. These moves will force huge integrations of information security technology, among others, a merging of policies, procedures and security controls and workforce integration that could tax IT departments.
While IT budgets may increase slightly, the stark reality is security professionals will have to do more with less. Creativity is the key here. Perhaps the best approach is to focus on activities such as training, or take a second look at documentation and policies and procedures that may have been collecting dust on a bookshelf.
For projects that are essential to get completed, you'll need to articulate the value to the company's bottom line, the cost of brand damage should a breach and subsequent disclosure occur, and the value of protecting vital intellectual property.
The fallout for Wall Street, in particular, will be more oversight and regulations. As in years past, the compliance argument may be just the right approach to get a particular project funded. My guess is 2009 will be the year of getting your security house in order--cleaning up policies, brushing up on security awareness training and hunkering down and hoping for a better 2010.