The tough economy is taking its toll on most IT projects, but a new report from EMC's RSA security division highlights several ways security pros can try to work with management to get continued funding for ongoing security initiatives.
To get security news and tips delivered to your inbox,
The report, Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy, was released by the Security for Business Innovation Council, a group of 10 security executives chosen by RSA. It gives practical ways to find the business value in security without impeding the company's bottom line such as demonstrating that security controls address multiple areas of risk at once.
Perhaps the biggest hurdle security pros face is the longstanding misconception that security inhibits innovation, said Art Coviello, president of RSA. That misconception could change if security can give management the confidence to move forward in the context of risk, Coviello said.
"Historically a lot of security people have been pretty binary. Either it's secure or it isn't," Coviello said. "The main recommendation of this report and previous reports from the Council is to have a different mindset about security and not say no, but yes and here's how."
Security in tough times:
Security spending continues despite shaky economy, Forrester finds: An uncertain economy is causing many companies to do some budget tightening, but the continued barrage of data breach news has helped keep data security a priority in most company board rooms.
Security skills pay increases despite economic downturn: Despite the dour economy, new skills pay data suggests security managers are benefiting as CIOs look to retrench to survive the tough times ahead.
Finding a security management job after an economic downturn: When the economy's tight, what's the best way to find work as a security manager with the CISSP certification?
The report outlines three levels of security activities: policy development and threat research, typically covered by the security department; day-to-day operations, such as assessing the status of patches and running configuration tools, covered by both security and IT; and project management in which security typically handles the risk assessment and required security controls. Coviello said project management would likely bare the brunt of the economic crisis.
"There will be fewer projects and that will be a damper on security initiatives," Coviello said. "People are far more likely to keep the status quo in their environment and only react to threats."
Over the last few months the risk appetite of many organizations has increased, causing security to suffer, said Khalid Kark, senior analyst at Forrester Research Inc. Increased risk acceptance is most evident in the manufacturing and airline industries where management has cut back on funding projects that increase security, Kark said.
"Because of this economic crunch management is making hard decisions on their security investments," Kark said.
Companies are sticking to the basics, Kark said. Recent Forrester survey data suggests that data protection continues to be the top priority at most firms, followed by protecting customer data to avoid a security breach and locking down the company's intellectual property. What is changing is the way companies invest in new security projects, Kark said.
"The priorities remained the same, but the interaction with vendors has slightly changed," Kark said. "Security projects and investments are being done in a more modular fashion, giving organizations the ability to change course when necessary."
RSA's Coviello said the management of risk has not kept pace with technology advances in recent years.
"[Technology] has given us the speed, agility and volume of transactions we would have thought unimaginable ten years ago," Coviello said. "There's a general sense that we need to do a better job understanding risk, but also using security, you can be more effective by automating risk management."
The report urges security pros to look for areas within company divisions or departments where security is not executing against business objectives effectively or efficiently. It urges security pros to consider moving to outsourced services for some security functions. Other inefficiencies should also be addressed. Certain business users can perform some security tasks with the deployment of the right tools and training, according to the report.
"The big problem is less about security and more about how hideously complex information infrastructures are," Coviello said. "A lot goes into how to secure them, but there aren't enough trained people to do the job."