Grimly and anticlimactically, the National Bureau of Economic Research made it official on Dec. 1 that the United States economy had been in a recession for more than a year. The projections for when the wounded dollar would be able to right itself weren't much better, with experts forecasting a continued downturn throughout this year with slight recovery starting in 2010.
Few markets are immune to a recession, yet information security seems somewhat armored against economic troubles. Why? Compliance requirements don't deflate in a recession. Hackers don't lower their swords in a recession. Laid off insiders aren't less disgruntled in a recession. And integration woes brought on by endless mergers aren't lessened in a recession.
But information security isn't completely recession proof. CISOs are facing flat budgets (or ever-so-slight increases) and non-essential projects and upgrades are being delayed almost across the board. Smart CISOs will be forced to vigilantly measure risk in order to strategically prioritize projects, decide which new projects should be funded or delayed and which functions to outsource.
CISOs have to walk a narrow tightrope this year, unsure whether economic recovery or deeper cuts await on the other side.
Do More With Less So what can you do to balance fiscal responsibility and an upright security posture in 2009? It won't be easy.
Hackers smell blood in the water during down economies. You can
Ironically enough, if new privacy regulations ultimately brought on by the recession -- in addition to those enacted already in Nevada and coming in May in Massachusetts -- are put in place, that may bring on a new spend cycle for security in the next 18-24 months.
In the meantime, you aren't waving the white flag. Seventy percent of the 800 security professionals who responded to a question about budgets in Information Security's Priorities 2009 survey said security budgets would stay flat (28 percent) or increase anywhere up to 25 percent (see chart, below). Rather than upgrade infrastructure and software at regular intervals, companies are taking a second look at the security tools they have implemented and taxing those to their limits. More emphasis on awareness training is another strategy companies say they'll use in '09 to contain costs.
"I'm heartened by the fact that security is not taking a hit. People are saying just because things are difficult in the market, we're not going to let our guard down, because it's going to cost us more in the long run," says Howard Schmidt, president and CEO of the Information Security Forum, and former White House cybersecurity czar. "[Hackers] anticipate security pros are distracted doing other things and anticipating that this is the time to strike when people are not focusing on security. But everybody who has been in this business a while says this is the time to strengthen resources."
James Routh, chief information security officer for The Depository Trust and Clearing Corporation (DTCC), says there are innovative ways to use the technology and people you have in-house to keep costs in check. The DTCC has done so by implementing security controls early in the software development lifecycle, employing security assessments for service providers, purchasing automation tools for knowledge management, using network monitoring tools to keep an eye on inbound and outbound traffic, and finally, outsourcing some day-to-day security functions.
"There's a perception if budgets are cut, innovation goes with it. I would say it's just the opposite," Routh says. "I would say we have to be more innovative and adopt best practices with an eye toward saving operating costs as we do it. It requires some level of innovation to do that. Regulators fear an economic downturn means lower spend on information security, and that means higher risk. That's not true as long as innovation is applied."
The DTCC clears and settles equity, bond and mortgage-backed securities, money market transactions and over the counter derivatives for corporate and government customers. In 2007, it processed $1.8 quadrillion in securities on the back of a core processing infrastructure with industrial strength resiliency and security. Routh's security program is mature, a key factor in the decision to trim spending on hardware, software and people for the first time in four years. Routh says his organization's risk management capabilities aren't suffering in 2009, but some projects such as an evaluation of Web application firewalls are being postponed (see chart, below).
"There's a few nice-to-have projects we've made a conscious decision not to spend money to evaluate the technology or to implement -- at least not this year," Routh says. "In our case, we've been doing a bunch of core process implementations, like security monitoring and identity management, and those we're continuing to fund. There's one or two other projects that were emerging technology-type projects that we've decided to put on the back burner."
One of Routh's big wins is inserting security controls early into software development lifecycle at the DTCC. Vulnerabilities are weeded out well before they appear in functional code that ends up in production and that has resulted in close to $2 million in productivity gains on a base of $150 million spend for development, Routh says.
"Those gains are exclusively the result of having mature and effective controls within our system and software development lifecycle," Routh says. This is a three-year-old initiative that educates and certifies developers in all DTCC environments in security. Developers are also provided with the necessary code-scanning tools and consulting and services help to keep production code close to pristine.
"We've been able to take resource time and reinvest it in other highly productive activities as a result of our ability to weed out vulnerabilities so we don't have to fix code once it goes into production," Routh says.
The DTCC has also managed to dramatically trim its spending on service provider assessments through the adoption of the BITS shared assessment program, a set of tools for financial services organizations that includes questionnaires and best practices to help them evaluate a provider's security. The Standardized Information Gathering questionnaire is completed by the provider, and that is followed up by a third-party assessment of a provider environment using BITS' Agreed Upon Procedures (AUP) and its 44 standardized controls. Routh says the DTCC spent $300,000 on vendor site assessments in 2007, and chopped that down to $1,100 in 2008, and those costs were training related.
"We used to have to go onsite for all the vendors to do site assessments using our proprietary method, and it was expensive for providers and us (travel, time, cost)," Routh says.
"We don't have to do that any more. We can rely on the AUP. That's done by a third party. It's consistent. It's done against a better set of controls, and far more effective from a security standpoint than a SAS 70 review. The more firms that adopt it, the less we have to spend on assessments. That's an area where we've got substantial savings by adopting a best practice."
Automation is another area where enterprises can optimize processes and be efficient with resources. While the DTCC may be spending less on hiring new bodies for example, it can and will re-apply those resources toward automation. A knowledge management portal was purchased from Archer Technologies for all of the DTCC's core processes, including information security. The workflow for more than 100 applications was customized for the Archer tool. Now, rather than gathering and sharing documents, and responding to requests for additional information from regulators and auditors -- something that used to occupy 35 percent of Routh's team's time -- they are given access to the portal. Routh estimates his team now spends less than 15 percent of its time demonstrating due diligence because of the automation.
|Budget Tips: Line Items|
Here are five tips for stretching your organization's security budget.
ACCESS YOUR RISK. Affordable security begins with a thorough assessment of all possible vulnerabilities. A common first step is a risk assessment that determines the organization's risk profile based on threats, threat probabilities and vulnerabilities, potential business impact, and key performance indicators. By gaining awareness of truly compulsory concerns, companies can target specific needs and avoid a costly "shotgun" approach to IT security. For instance, if laptop theft is not a high risk, it is considerably less expensive to offer an education program to employees on laptop theft than to install an anti-theft solution on all laptops.
CONNECT PEOPLE AND PROCESSES. Technology enables the protection of data and systems, but it also involves people and processes. This fact should never be overlooked; if companies have invested in security, they need to maximize their investment by looking at the people and processes involved, too.
LOOK FOR A HETEROGENEOUS SOLUTION. Many organizations have built a data center with products from multiple vendors. Therefore, security solutions need to integrate with a variety of third-party products and support multiple platforms so that organizations do not have to pick and choose features or purchase multiple solutions in order to provide end-to-end security.
INVEST IN SECURITY THAT WILL GROW WITH YOUR BUSINESS. Future growth of the business should always be considered when planning for security. According to a recent study by IDC, unstructured data in traditional data centers is scheduled for a compound year over year growth of over 60 percent, which will increase the need for corresponding security. Choosing a solution that will grow with the business will save the cost and effort of reconfiguration a year down the road.
GO FOR EXPERTISE, NOT COST. After an in-depth risk assessment, it is essential to choose a security partner who can meet all business needs of an organization. A vendor with an extensive portfolio and proven expertise in the field can address current and emerging security concerns across the entire IT environment. This may not always be the least expensive option, but the cost of choosing the right partner in the beginning vastly outweighs the cost of a data breach brought on by an incomplete security strategy.
Source: Gary Lefkowitz, director, HP Secure Advantage
While the DTCC has a massive security infrastructure and a mature organization, midmarket companies find themselves having to be more innovative when it comes to reining in costs. Security budgets are often integrated into overall IT budgets and are annually usually less than $100,000. Still, more than 30 percent of Priorities 2009 respondents said it will be business as usual to an extent around security, primarily because of regulations such as HIPAA and PCI DSS that mandate formal security programs and the implementation of certain technologies such as encryption for PCI.
David M. Stephenson Jr., information systems manager for the Clark & Daughtrey Medical Group in Lakeland Fla., runs a four-person IT team, each of whom has responsibilities over security, including identity management, firewall administration and remote access. Stephenson says the security budget for the medical group's seven-location, 50-provider multispecialty practice is not subject to cuts this year primarily because of HIPAA, but also because the group is in the midst of a conversion to electronic medical records.
While some IT projects such as a server consolidation initiative via a VMware implementation, and the evaluation of a storage area network, are on hold, security projects are moving forward. Stephenson says he's looking into two-factor authentication for remote connections over an SSL VPN used by contracted transcription services or managers and physicians working outside the office.
"We've been told to hold off on upgrades unless there is something in the upgrade to the current release that fixes something that is broken," Stephenson says. "That would be OK, but if we want new features, that kind of stuff we're being told to hold off."
Since new features are out, midmarket companies such as Clark & Daughtrey and enterprises such as the DTCC are looking at infrastructure they own and are figuring how to stretch those investments beyond what they were initially purchased for.
Stephenson stresses that IT managers, in the midmarket in particular, must pay attention to the release notes for new features in updates to products they've purchased. Clark & Daughtrey, for example, outsources its email security (spam and spyware) to AppRiver, and has deployed eight Astaro Security Gateway boxes to handle network and endpoint security at its seven locations and 400 full-time and contracted employees. The Astaro boxes are all-in-one appliances that handle everything from firewall duties, antivirus, content and URL filtering, intrusion prevention and remote access via an SSL VPN.
Remote users for the longest time were connecting via VPN using a free Microsoft PPTP (point-to-point tunneling protocol) connection that Daughtrey says was a nightmare to configure and wasn't very secure. Reading through Astaro release notes after his arrival at the clinic, it had slipped through that Astaro had included an SSL VPN with a recent update to its gateways. Stephenson stresses that IT and security managers should be conducting similar exercises with the technology they have in-house today.
"If money gets cut, then that definitely is a good time to look and ask if we have something in place already? I don't want to find out that we have had a feature the whole time, paying maintenance for it, and not turning it on," he says. "Re-evaluate what you have. You may have been approved for what you need and not realize you've got it, and it may take just some training. You may get the primary purpose of a project done, but all the little secondary benefits get ignored because you don't have time to do it."
The DTCC's Routh suggests going further for enterprises with the resources to do so; tweak your intrusion detection systems, intrusion systems, network behavioral analysis tools to do what you may not have originally envisioned them to do.
"Basically use whatever perimeter toolset that exists for managing the perimeter and turn it to detect outbound malicious traffic," Routh says.
He points out that the bulk of today's Web-based attacks are about surreptitiously installing malware on a target machine that essentially, via keyloggers or the like, and phoning home sensitive information that an attacker can turn into a quick profit. "That's an example where the money we've already spent on perimeter-based networking tools today needs to be pointed inward within our enterprises to improve malware detection," Routh says.
"We used to worry about inbound traffic from external sources; that's what the tools are set up to do -- that's what a firewall is for," Routh says. "This day and age, it's more important to monitor outbound traffic, that's what will tell where you have infections."
Despite Economic Woes, Don't Let Your Guard Down
While it may be tempting to curb spending on a perceived cost center such as security during a recesssion, it's imperative that security managers convey to upper management the risks of lowering your shields.
"If you look at the world situation today, the economy is bad everywhere, and that tends to bring out more people seeking shortcuts to finding funds," says Dr. Gene Spafford, founder of the Center for Education and Research in Information Assurance and security (CERIAS) at Purdue University. "This is a bad time to cut back on your vigilance, or to postpone some very critical implementations. This is something you need to convey to management. This is a time when people committing fraud are getting more creative, and are larger in numbers. Your business is less able to absorb losses."
Former cybersecurity czar Schmidt, for one, is encouraged by talk he's heard that companies are dedicated to maintaining an upright security posture.
"When you're under siege," Schmidt says, "is not the time to let your defenses down."
Michael S. Mimoso is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.
This was first published in February 2009