Network security 2009 trends: Mergers, security budget cuts

Don't miss need-to-know info! Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!

We'll be asked to do more with less. OK, I admit this one's not rocket science. It shouldn't be a surprise to anyone that the global economy is in tough shape, and we've yet to get even a glimpse of the light at the end of the tunnel. For network security managers that haven't already been asked to reduce the size of their staffs or budgets, now's a good time to start drafting a contingency plan. While the hope is that security budgets will remain intact, security managers would be wise to consider how they would implement a 5%, 10% or even greater budget reduction. This exercise can be beneficial even if a budget isn't reduced, as it shines a spotlight on the less effective ways that financial resources are currently being used. In addition, ponder ways to optimize the use of security staff. If you planned on adding headcount to your organization in the near future, there's a good chance you'll be asked to back-burner those plans. Are there ways your staff can do more with less? Would any of your staff be willing to move to part-time status if the opportunity arose? Could flexible work arrangements or title changes be used as an alternative to pay increases if budgets are tight this year? Would the use of managed service providers (see below) help to reduce the demands on your staff?

Preserving jobs is always a top priority, and to do so, it may be essential to demonstrate that you've got your eye on the bottom line and are willing to make tough choices for the benefit of the organization. For example, if you've budgeted an expensive firewall upgrade this year, it's smart to consider whether that upgrade cycle can be extended by 12 months. Moving from a four-year to a five-year hardware replacement cycle is equivalent to a 20% cost savings. If after an analysis it's determined that the upgrade needs to happen now, be prepared to explain to the CIO exactly why the new product should take priority over others being considered.

Several vendors will close their doors or consolidate. The tough economic times won't be limited to those of us on the client side. Our shrinking budgets will cause a ripple effect in the security vendor community, and several vendors currently "on the bubble" may slip off the radar. Those with solid products and/or customer bases may be purchased by larger firms seeking to expand. I've already seen this happen once in late 2008 when High Tower Software suddenly ceased operations and announced its intent to sell its Cinxi SIEM platform. This is an important trend to keep in the back of your mind if you're lucky enough to be in purchasing mode right now. Buyers may want to think twice before entering into a long-term relationship with a smaller firm that may not survive the year. The loss of a vendor can have a serious effect on network security operations. Depending upon the type of device and its role in the infrastructure, it could severely affect the organization's security posture. For example, a firewall vendor going out of business is a big deal; if the device malfunctions or fails altogether, support will no longer be available, and this could jeopardize the availability of the entire infrastructure. That said, the failure of an antivirus vendor is a catastrophe; virus definition updates would no longer be available and the effectiveness of the organization's malware defense system will degrade rapidly. In addition to considering financial stability as a criteria during any vendor selection process, now would be a good time to take stock of the financial status of all current vendors to determine whether you need to re-evaluate those relationships.

For more on security in 2009 Learn how security managers this year will need to find ways to enhance security with a decreased budget. John Strand reviews security attacks we can expect in 2009.

We'll continue to witness the rise of managed service providers. Many security services are quickly approaching commodity status, and, amid pressures to minimize headcount, many enterprises have sought to outsource security tasks to the greatest extent possible. I've seen several organizations adopt Software-as-a-Service (SaaS) products, such as the vulnerability-scanning platform from Qualys Inc. and the Web vulnerability scanner from WhiteHat Security Inc., as a way to reduce costs. At the same time, vendors who traditionally sold security appliances are shifting to a NOC approach, offering 24x7 monitoring and maintenance for firewalls, intrusion prevention systems and the like. SaaS security tools offer tremendous benefits; enterprises are no longer responsible for maintaining and upgrading the tool itself, and your staff is left working in its core area of expertise: security management. Managed service providers take this a step further and outsource the analysis as well. On the flip side, using any of these services introduces some degree of risk, as confidential information about security posture is being shared with a third party. If you're not already considering using one of these services, put it on your short-term radar screen.

Our mindset will shift from compliance to operations. Whether you like it or not, many of us have spent the last three to five years focused on compliance issues. PCI DSS, Sarbanes Oxley, HIPAA and GLBA are just a few of the laws and regulations that security managers have been tasked with managing or helping with. Now that the industry has focused on compliance for some time, the urgency to comply by and large has lessened to a degree. Expect to see pressure from within the organization to move your security resources back into a supporting role, providing security consulting support to business initiatives.

I don't mean to paint a "doom and gloom" picture for 2009; the coming 12 months will be full of opportunities to grow and excel. Take the opportunity to streamline the use of both human and financial resources. It's healthy for any organization to periodically re-evaluate expenses, vendor relationships and business priorities. However, it would be ignorant to stick our heads in the sand and attempt to ignore the state of the economy and the potential impact it will have on our business. Rather, it's important to adopt an opportunistic attitude and prepare for the inevitable changes we'll face. Best wishes for a happy and prosperous 2009!

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Emerging Information Security Threats,   Information Security Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics How to properly implement firewall egress filtering What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler Emerging Information Security Threats Leverage Google Attacks to Improve Cybersecurity SCADA system, critical infrastructure security lacking, survey finds Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Information security podcasts: 2009 archive Hathaway calls for international cybercrime task force Active PDF attacks target Reader, Acrobat zero-day vulnerability Sites hit with massive automated SQL injection attack Cybercriminals invest in social networking attacks Best practices for (small) botnets RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.