The economic doldrums are causing IT departments worldwide to re-evaluate security projects. This forces many critical decisions on where to reduce security investments while maintaining a healthy security profile. There are four categories that can be used by IT and security vendors to help prioritize security programs and refine their value to sales prospects. In these lean times, it is important to make these hard decisions.
Support projects that drive new sources of revenue.
The first order of business for most organizations is to make it easier to acquire and retain new customers, and this is the first place to invest in security. IT is moving ahead on projects that secure access to Web applications because it can offset the expenses against the promise of future revenues. Security products for identity and access control, protection of customer data and inspection of Web traffic are essential ingredients for expanding application access. Security vendors will need messages that enable the business to expand efficiently with Web and cloud-based applications.
Drive major cost savings through technology.
The second priority for IT organizations is to deliver substantial cost savings through innovative uses of technology. Projects in this category are prioritized by cost savings and the ability for IT to execute. Major trends such as virtualized application services, remote access and cloud services can save the organization substantial sums of money. Security technologies that allow IT to reduce administration costs, such as configuration controls, command and control server white listing, and audit of virtual machine usage may do well here.
Meet mandatory compliance requirements.
All large organizations have to comply with certain security mandates. They have to do it, but they don't have to like it. These projects lend themselves to spending the least amount of money required to clear compliance hurdles. IT is likely to put additional weight on administrative overhead and price in comparison to product features and performance when defining best-of-breed requirements. Security products oriented towards audit controls and automated compliance reporting are appropriate in this category.
Replace under-performing products.
The least attractive category for security investment is one of displacing deployed products that have not aged gracefully and can no longer effectively support the business. IT hates reinvesting in technologies when there are so many other opportunities with greater benefits to the business. Security products in this category may include SIEM products that struggle to keep up with event volumes or firewalls that need performance boosts. The sense of urgency of these projects may vary greatly from organization to organization.
IT can segment corporate projects into these four categories and then map security technologies that prevent, detect, audit and control against security incidents for each project. At the end of this exercise security teams will have a game plan that maps into business priorities while allowing for advances in security effectiveness. In this economy, security vendors must make brutally honest assessments of their value and manage their business appropriately. The list of security vendors with "must have" products will grow shorter in 2009.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.