
Report offers security strategy tips to overcome funding problems

By Robert Westervelt, News Editor
10 Feb 2009 | SearchSecurity.com


The tough economy is taking its toll on most IT projects, but a new report from EMC's RSA security division highlights several ways security pros can try to work with management to get continued funding for ongoing security initiatives.

The report, Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy, was released by the Security for Business Innovation Council, a group of 10 security executives chosen by RSA. It gives practical ways to find the business value in security without impeding the company's bottom line, such as demonstrating that security controls address multiple areas of risk at once.

Perhaps the biggest hurdle security pros face is the longstanding misconception that security inhibits innovation, said Art Coviello, president of RSA. That misconception could change if security can give management the confidence to move forward in the context of risk, Coviello said.

"Historically a lot of security people have been pretty binary. Either it's secure or it isn't," Coviello said. "The main recommendation of this report and previous reports from the Council is to have a different mindset about security and not say no, but yes and here's how."

The report outlines three levels of security activities: policy development and threat research, typically covered by the security department; day-to-day operations, such as assessing the status of patches and running configuration tools, covered by both security and IT; and project management, in which security typically handles the risk assessment and required security controls. Coviello said project management would likely bear the brunt of the economic crisis.

"There will be fewer projects and that will be a damper on security initiatives," Coviello said. "People are far more likely to keep the status quo in their environment and only react to threats."

Over the last few months the risk appetite of many organizations has increased, causing security to suffer, said Khalid Kark, senior analyst at Forrester Research Inc. Increased risk acceptance is most evident in the manufacturing and airline industries where management has cut back on funding projects that increase security, Kark said.

"Because of this economic crunch management is making hard decisions on their security investments," Kark said.

Companies are sticking to the basics, Kark said. Recent Forrester survey data suggests that data protection continues to be the top priority at most firms, followed by protecting customer data to avoid a security breach and locking down the company's intellectual property. What is changing is the way companies invest in new security projects, Kark said.

"The priorities remained the same, but the interaction with vendors has slightly changed," Kark said. "Security projects and investments are being done in a more modular fashion, giving organizations the ability to change course when necessary."

RSA's Coviello said the management of risk has not kept pace with technology advances in recent years.

"[Technology] has given us the speed, agility and volume of transactions we would have thought unimaginable ten years ago," Coviello said. "There's a general sense that we need to do a better job understanding risk, but also using security, you can be more effective by automating risk management."

The report urges security pros to look for areas within company divisions or departments where security is not executing against business objectives effectively or efficiently. It urges security pros to consider moving to outsourced services for some security functions. Other inefficiencies should also be addressed. Certain business users can perform some security tasks with the deployment of the right tools and training, according to the report.

"The big problem is less about security and more about how hideously complex information infrastructures are," Coviello said. "A lot goes into how to secure them, but there aren't enough trained people to do the job."
