It's always an interesting and worthwhile exercise to begin a new year by pausing and reflecting on the emerging security trends that are likely to blossom in the coming year. Changes in the global economic and business landscape will likely have a significant effect upon the information security industry. Let's take a look at a few predictions specific to network security and how an organization can be ready for these possibilities.
We'll be asked to do more with less. OK, I admit this one's not rocket science. It shouldn't be a surprise to anyone that the global economy is in tough shape, and we've yet to get even a glimpse of the light at the end of the tunnel. For network security managers that haven't already been asked to reduce the size of their staffs or budgets, now's a good time to start drafting a contingency plan. While the hope is that security budgets will remain intact, security managers would be wise to consider how they would implement a 5%, 10% or even greater budget reduction. This exercise can be beneficial even if a budget isn't reduced, as it shines a spotlight on the less effective ways that financial resources are currently being used. In addition, ponder ways to optimize the use of security staff. If you planned on adding headcount to your organization in the near future, there's a good chance you'll be asked to back-burner those plans. Are there ways your staff can do more with less? Would any of your staff be willing to move to part-time status if the opportunity arose? Could flexible work arrangements or title changes be used as an alternative to pay increases if budgets are tight this year? Would the use of managed service providers (see below) help to reduce the demands on your staff?
Preserving jobs is always a top priority, and to do so, it may be essential to demonstrate that you've got your eye on the bottom line and are willing to make tough choices for the benefit of the organization. For example, if you've budgeted an expensive firewall upgrade this year, it's smart to consider whether that upgrade cycle can be extended by 12 months. Moving from a four-year to a five-year hardware replacement cycle is equivalent to a 20% cost savings. If after an analysis it's determined that the upgrade needs to happen now, be prepared to explain to the CIO exactly why the new product should take priority over others being considered.
Several vendors will close their doors or consolidate. The tough economic times won't be limited to those of us on the client side. Our shrinking budgets will cause a ripple effect in the security vendor community, and several vendors currently "on the bubble" may slip off the radar. Those with solid products and/or customer bases may be purchased by larger firms seeking to expand. I've already seen this happen once in late 2008 when High Tower Software suddenly ceased operations and announced its intent to sell its Cinxi SIEM platform. This is an important trend to keep in the back of your mind if you're lucky enough to be in purchasing mode right now. Buyers may want to think twice before entering into a long-term relationship with a smaller firm that may not survive the year. The loss of a vendor can have a serious effect on network security operations. Depending upon the type of device and its role in the infrastructure, it could severely affect the organization's security posture. For example, a firewall vendor going out of business is a big deal; if the device malfunctions or fails altogether, support will no longer be available, and this could jeopardize the availability of the entire infrastructure. That said, the failure of an antivirus vendor is a catastrophe; virus definition updates would no longer be available and the effectiveness of the organization's malware defense system will degrade rapidly. In addition to considering financial stability as a criteria during any vendor selection process, now would be a good time to take stock of the financial status of all current vendors to determine whether you need to re-evaluate those relationships.
We'll continue to witness the rise of managed service providers. Many security services are quickly approaching commodity status, and, amid pressures to minimize headcount, many enterprises have sought to outsource security tasks to the greatest extent possible. I've seen several organizations adopt Software-as-a-Service (SaaS) products, such as the vulnerability-scanning platform from Qualys Inc. and the Web vulnerability scanner from WhiteHat Security Inc., as a way to reduce costs. At the same time, vendors who traditionally sold security appliances are shifting to a NOC approach, offering 24x7 monitoring and maintenance for firewalls, intrusion prevention systems and the like. SaaS security tools offer tremendous benefits; enterprises are no longer responsible for maintaining and upgrading the tool itself, and your staff is left working in its core area of expertise: security management. Managed service providers take this a step further and outsource the analysis as well. On the flip side, using any of these services introduces some degree of risk, as confidential information about security posture is being shared with a third party. If you're not already considering using one of these services, put it on your short-term radar screen.
Our mindset will shift from compliance to operations. Whether you like it or not, many of us have spent the last three to five years focused on compliance issues. PCI DSS, Sarbanes Oxley, HIPAA and GLBA are just a few of the laws and regulations that security managers have been tasked with managing or helping with. Now that the industry has focused on compliance for some time, the urgency to comply by and large has lessened to a degree. Expect to see pressure from within the organization to move your security resources back into a supporting role, providing security consulting support to business initiatives.
I don't mean to paint a "doom and gloom" picture for 2009; the coming 12 months will be full of opportunities to grow and excel. Take the opportunity to streamline the use of both human and financial resources. It's healthy for any organization to periodically re-evaluate expenses, vendor relationships and business priorities. However, it would be ignorant to stick our heads in the sand and attempt to ignore the state of the economy and the potential impact it will have on our business. Rather, it's important to adopt an opportunistic attitude and prepare for the inevitable changes we'll face. Best wishes for a happy and prosperous 2009!
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.