During the depths of the recession last year, a global company with 1,700 employees laid off its three-member security department, along with half of its IT department, recalls Mark Kadrich, CEO of The Security Consortium, a security-services firm. "People who weren't directly associated with producing or supporting product were considered expendable," says Kadrich, who also is president of the Silicon Valley chapter of the Information Systems Security Association (ISSA).
At the other end of the spectrum, growing corporate recognition of the importance of security along with ever-present compliance requirements protected some security teams from the worst effects of the recession. In between, lots of CISOs and security managers were forced to put projects on hold and stretch tight budgets.
Now, with a few spotty signs of an economic recovery, what should security teams be doing to prepare for better times? What should they be focusing on to position themselves for success when a recovery takes full force?
Security professionals and industry experts say savvy security managers will take hard-learned lessons from the economic downturn to build better security for the future. The focus will still be on efficiency, with a sharp eye on aligning security efforts with the business and taking a risk-based approach as organizations weigh emerging technologies like social media and cloud computing.
"The most important thing a chief security officer should be doing is working closely with their business counterparts and prioritizing security initiatives based on operational risk and satisfying compliance requirements," says Jonathan Gossels, president and CEO of security consulting firm SystemExperts. "The days of security for security's sake are past."
Let's take a look at how security teams fared during the recession and what security experts say they'll need to focus on moving forward.
How much of an impact the recession had on security departments depends on whom you talk to. Gossels says the impact was far ranging.
"Unlike the previous recessions we've seen where security was largely spared, this past recession took a toll," he says. "Many organizations went into survival mode. They hunkered down, froze spending and tried to retain critical staff."
Khalid Kark, vice president and principal analyst at Forrester Research, says the vast majority of security organizations experienced flat budgets and put future plans on hold. For example, companies tended to put the brakes on large-scale, multi-year projects like identity and access management initiatives. However, many CISOs reported no cutbacks in their day-to-day running of security operations, he says.
"The realization persisted that you need basic security to survive, even during the downturn," Kark says.
In fact, some security professionals say security was largely spared from the ravages of the economic downturn. "One fundamental reason is that security isn't an option," says Jay Arya, a vice president and information security officer at Short Hills, N.J.-based Investors Savings Bank. "The problems -- the bad guys and malware -- are always going to be there."
The recession took its toll on the banking industry overall, but that didn't change the compliance requirements banks face, including Gramm-Leach-Bliley and the Red Flags Rule, says Tony Meholic, information security officer at Philadelphia-based Republic First Bank.
"The good thing was that information security wasn't as drastically affected as other areas, but the information security officer still had to be prepared to maintain compliance and security in the likelihood of not getting more budget," he says.
Meholic says a growing recognition by the C-level of the need for security helped provide a buffer: "It's getting more apparent at that level that it's cheaper to have security built in, whether that's devices or staffing, rather than pay for a data breach."
Results from this year's (ISC)2 Career Impact Survey illustrate the value placed on security within organizations despite a tough economic environment, says Hord Tipton, executive director of the nonprofit (ISC)2, which issues the Certified Information Systems Security Professional and related credentials. More than half of the nearly 3,000 security professionals surveyed worldwide received salary increases last year. Among the survey's 1,800 U.S. participants, 11 percent saw their salaries cut and only 5 percent were laid off.
"There are a lot of good signs showing that security people have gained newfound respect," Tipton says. "They're being listened to, and at this point, compensated and retained."
Bucking the odds
Security defies recession with salary increases and few layoffs, according to (ISC)2 survey
Despite a worldwide recession, many security professionals actually received raises last year and hiring is on the rise, according to the (ISC)2 2010 Career Impact Survey.
Of the nearly 3,000 survey participants worldwide, about 53 percent got raises in 2009. Among the survey's 1,800 U.S. participants, 55 percent received pay increases. Only 4.8 percent were laid off globally; 5 percent in the U.S. lost their jobs.
More than 800 respondents with hiring responsibilities participated in the survey, and 40 percent said they will be hiring three or more new permanent or contract security professionals this year. In last year's (ISC)2 survey, only 13 percent said they would be doing so.
Hiring managers said they were looking for candidates with specific skills: operations security; access control systems and methodology; information risk management; applications and system development security; and security architecture and models. More than 90 percent said finding candidates with the right skills and experience was their biggest challenge.
But not all the survey findings were rosy. While 55 percent of U.S. respondents don't expect layoffs this year, 21 percent do. Fifty-five percent of participants worldwide said the recession cut their security technology spending and 31 percent believe the economy will continue to hold back purchasing in 2010. In addition, 34 percent of U.S. respondents believe the downturn is increasing security risk in their organization.
It's a good time to be a security professional, but it doesn't mean there isn't any weeding out happening in organizations, says Hord Tipton, (ISC)2 executive director. "We're seeing a sharpening in how companies define what they need in terms of skills," he says. At the same time, companies are using more sophisticated technology that increases efficiency and could result in trimming workforces, he adds.
At the same time, however, half of the survey respondents reported that their information security budgets decreased somewhat or significantly in 2009. In the U.S., about 36 percent expect no change in their budget for this year. That's in line with Information Security's Priorities 2010 survey, where 37 percent of respondents expect their budgets to remain flat this year.
Consequently, efficiency will continue to be the name of the game. For many organizations looking for ways to maintain security on a tight budget, outsourcing was a top option during the recession and the trend will likely continue, experts said.
"A lot of companies are focused on figuring out where they can create efficiencies. The first issue that comes up is, 'What is our core skill set and what can be handed over to other people who can do a better job of it?'," Kark says. "The average company may not have the skill set or competency to manage, monitor and respond to security threats on a 24x7 basis. If you have an outsourcer helping you with that, a lot of the minute details of the device monitoring goes to the managed security service provider."
Last year, companies that reduced security staff outsourced tactical and operational positions, leading to a revenue increase of six to eight percent for managed security services, Kark says. CISOs then had the work of retaining an outsourcer, but managed to maintain specific skills and competency. According to a January Forrester report by Kark, the outsourced security market has grown from email and Web filtering to a holistic set of offerings, including vulnerability management, log aggregation and analysis.
Organizations made a big push towards outsourcing because they "couldn't afford to not have security," Arya says.
While outsourcing security operations like penetration testing or vulnerability assessment was a good way for companies -- particularly small and midsize businesses -- to boost their security without having to add headcount, there were a couple of pitfalls, Meholic notes. Tight budgets might have forced some companies to look at smaller, less expensive managed security vendors, which can lead to some less-than-solid offerings.
"Everyone thinks they can provide these services," he says. "The information security officer had to be able to discern quickly who the true professionals are."
Also, the reliance on third parties made it imperative that companies have a robust vendor management program, and some SMBs were caught without having a repeatable process, Meholic says: "If you don't have a proper vendor management program, you might engage a vendor that doesn't have all the safeguards and controls. You're exposing your company unnecessarily by doing that."
He recommends that organizations not rely solely on outsourcers who show proof of compliance with a standard like the PCI DSS; rather, they should conduct phone interviews with vendors (or onsite interviews with critical vendors) and ask a lot of questions about their security controls before signing a contract.
If the need for a vendor management program was one lesson the recession taught, the need to align security with business needs was another. While nothing new for the security profession, the recession made it a priority.
"We in information security are still like little kids, where we get excited about a new technology or tool. This [recession] was a reality check to step back and figure out if it makes sense in the business context," Kark says.
In the past, some companies bought security tools that ended up sitting on the shelf due to complicated issues like integration, but the days of that kind of waste are past, he says. CISOs and security managers are increasingly being asked to justify the business case around security, which is maturing the profession.
"Yes, security may be important and that compliance mandate needs to be met," Kark says. "But you have to figure out whether you want to go with the best tool out there or find other ways to mitigate a risk in a lot cheaper fashion."
The Security Consortium's Kadrich says savvy security professionals will be talking to the business leaders in their organization to understand how business processes are evolving and come up with a plan that grows with the business.
"The security people who are just technologists need to understand more about the business," he says. "They can't just throw technology at this stuff."
As organizations look to restart security projects that were put on hold during the downturn, one tactic they're using to increase efficiency is to take a modular approach with large-scale projects like identity management, Kark says.
"Vendors are being pushed to deliver the same things in smaller chunks," he says. "What kind of modularity can be added to the scope of the project to reduce the upfront investment required?"
Overall, a risk-based approach is key to aligning security with business goals, experts say.
"The discussion should really be along the lines of 'what are our risks and what could really damage us as a business,' then putting in place programs to protect against that," Gossels of SystemExperts says.
Companies are shifting away from a threat-based security model to a risk-based one, he says: "It's impossible to think of every possible threat because new threats come up every day. It's important to start from the mindset of what it is we're really trying to protect and what controls need to be in place."
Meholic says a well-thought-out information security plan is based on a robust risk-assessment process; when gaps are identified, the security officer can take those issues to executive management and justify the need for more staffing or technology. But any time in front of the C-suite needs to be spent wisely, he advises. Don't talk about cross-site scripting, which executives don't understand and don't care about.
"Make sure you take advantage of that exposure by showing them the critical issues at a level they understand," Meholic says, adding that he's found that graphical charts help in his bimonthly reports to the board.
Where's the Recovery?
Economists' reports aren't tremendously encouraging
The World Bank's Global Economic Prospects 2010 report says the "acute phase" of the economic crisis is past and a recovery is underway but expected to slow in the second half of this year.
The International Monetary Fund's World Economic Outlook Update, published in January, says the recovery is expected to remain sluggish in most advanced economies.
As companies look to gain efficiencies or develop their business, they're looking to newer technologies like cloud computing, virtualization and social media. Security professionals have a key role to play in educating businesses about the risks associated with those technologies, and experts say smart security pros will hone that role.
"The business leaders are saying, 'All these things I can do with these open platform tools are fantastic,'" says Jack Phillips, chief executive and co-founder of IANs, a Boston-based technology research firm. "That's a huge opportunity for information security to be a real leader, by being the guide to businesses that want to deploy new technologies to drive their business."
"The budget question is certainly there, but it's in the rear mirror compared to the challenges of the new technologies," he adds.
Forward-thinking security professionals are reshaping their risk profiles to cover technology game-changers like collaborative media and the proliferation of portable devices, (ISC)2's Tipton says: "We're not in a position to say, 'We don't like this and we're not going to do it'."
Many enterprises are making a big push towards cloud computing services as a way to cut costs and become greener, which is putting a lot of pressure on security teams to quickly evaluate cloud services, says Kadrich. Evaluating cloud services is complicated by the fact that "there's not enough testing, validation or high-level assurance" on the model, he adds.
"The savvy security people should be talking to their executive staff about this problem and helping understand not just what the problem is now but about how it will evolve over the next six to 12 months," Kadrich says.
Security teams will need to work with corporate legal teams to ensure the enterprise is protected when contracting with a cloud provider, he advises.
"You've got walls and alarm systems and vetted people to reduce your risk, but when you move into the cloud, all you have are promises," Kadrich says.
But as security executives tackle cloud computing and other technologies, they'll need to make sure their staffers aren't looking for other opportunities as the economy improves.
"If you have a critical security person with expanding employment and compensation options, they may jump ship," Arya says. "Losing talent in this specialized field is always a concern."
According to the (ISC)2 survey, more than half of the 800 respondents with hiring responsibilities plan to hire either permanent or contract employees this year. That's an improvement over the 44.5 percent of hiring managers last year who said they expected to hire workers.
In a better economic environment, pay expectations rise with increased job opportunities, making it harder to find talent, Arya notes. However, organizations shouldn't resort to paying less for fewer skills. "The right talent and the right person are the number one criteria for any crucial position," Arya says.
Last year, many security executives spent a lot of time trying to keep their staff motivated and happy so they could emerge from the recession with their teams intact, Phillips says. The addition of temporary workers and consultants by cost-conscious enterprises challenged security managers to maintain staff morale, he adds.
In addition to staff retention, employee education is a focus for some organizations, especially as they move forward with new technologies.
USA Fed will soon roll out a robust mobile banking platform; the implementation plan includes mobile security education. The training investment targets both the credit union's staff and its members on the new platform and how to use it securely, says Carolyn James, senior vice president and CIO at the San Diego, Calif.-based credit union.
Sixty percent of USA Fed's members -- many of whom are in the military -- don't live near one of the credit union's branches; the organization is rolling out a mobile banking platform for both its overseas and stateside members. Mobile banking is relatively new and it's important that the credit union educate everyone on how safe the new channel is compared to online banking, James says.
"We must invest money in getting our membership up to speed so they understand mobile banking is safe and secure," James says.
According to Kark, employee training and awareness is one of the top security strategies enterprises should deploy this year. Companies need to train their employees but also maintain regular communication about the changing threat environment in order to create a culture of information security awareness. One technology company spends 10 percent of its security budget on training and awareness to manage the risks of social media and consumerization, he wrote earlier this year.
APPROACH WITH CAUTION
To be sure, organizations are far from celebrating an economic recovery and many are anxiously awaiting signs of real improvements in the economy. There have been some encouraging signs, but organizations shouldn't let their guard down, Tipton says.
"Not everyone has turned their budgets loose because they share the same concerns: Is this recession really over and how long do we wait before we're comfortable in making changes and investments?" he says.
Marcia Savage is Editor of Information Security.