As evidence of a global economic slowdown mounts, information security professionals might be forgiven for eyeing their budgets with some trepidation. Will IT security spending escape the scrutiny of company directors in 2008 or fall prey to cost-cutting measures?
Some industry professionals argue that, in the face of recent high-profile breaches, issues such as data loss and identity theft have never been higher on the boardroom agenda - and that will protect security budgets.
"Our research shows that companies are taking action, rather than cutting back on their investments in this area," says John Colley, former chief information security officer at Royal Bank of Scotland and now managing director of industry body (ISC)2. "While there are concerns about economic slowdown, at the same time businesses are becoming increasingly sensitive to their responsibilities with regard to information security. There's pressure to ensure responsible, secure business practice coming from consumers, business-to-business customers, partners and regulation," he says.
And at the recent RSA conference in San Francisco, infosec professionals seemed largely optimistic about their spending plans for the year. In a survey of 300 attendees carried out by security appliance vendor Astaro, 67 per cent said they do not see their spending behaviour affected by the recession in 2008.
But that is a poll of people whose companies have paid for them to travel to California to attend the conference; clearly, their employers have some level of budget and a broad commitment to security education.
By contrast, industry analysts at IT market research company Gartner think it highly unlikely that security budgets will weather predicted economic turbulence quite as well as suppliers imply.
"In the coming year, CISOs and other security professionals will be required to justify and, in many cases, potentially reduce their expenditures," predicts Neil MacDonald, a vice-president at Gartner. Yet, he adds, security expectations will not be lowered, but will actually become "significantly higher".
Use the opportunity
Whatever happens to the economy, it seems that CISOs should at least be prepared for the worst. In the event that security budgets are affected by broader economic unrest, how can information security professionals hope to meet the conflicting demands of fiscal prudence and high performance? Or, in the industry's parlance, how can they "do more with less"?
For a start, it's important not to panic. After all, as MacDonald points out, stable or growing security budgets don't always result in better information security in any case. "Even in the same industry, security spending varies widely, as does the efficiency and cost-effectiveness of that spending. The enterprises that spend the most on security are often the least effective and least efficient," he claims. MacDonald advises security managers to "take advantage of the disruptions caused by budget cuts to force changes in outdated approaches to security".
A first step might involve passing a more critical eye over their expenditure over the past few years, suggests Paul Simmonds, who recently stood down as global information security officer at chemicals giant ICI. "Plenty of organisations out there are sitting on a stack of 'shelfware' - security applications they've bought but never used," he points out. "Nor are they using the full capabilities of the products they have implemented."
That suggests that a thorough audit of IT security assets may be called for, if one hasn't been conducted recently. "Your security strategy is always worth revisiting on a regular basis, but especially when times are hard. Your business will thank you for it," advises Simmonds.
This kind of audit will often provide clues as to where efficiency savings might be made, by helping to identify where functional duplicates exist in the in-house security tools portfolio.
Next, they should look to automate routine security tasks, according to Brian Contos, chief security officer at ArcSight. "Many organisations focus less on strategic initiatives and more on simple, tactical fire-fighting," he says. "To address this, there will be an increasing need for automation around log collection and analysis. Also, tools will be needed that can reduce data loads - for example by reducing false positives and correlating multiple disparate event sources - and tools that combine compliance and security initiatives into a common technical solution."
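Contos's point about correlating disparate event sources to cut false positives can be shown concretely. The following is an added example, not code from the article or from ArcSight: it normalises two constructed log sources (a firewall deny log and an sshd auth log, both invented here) into one event schema, drops exact duplicate events to reduce volume, and raises an alert only when a source address succeeds in logging in after several failures within a short window. Isolated failures and firewall denies, each of which would be a false positive on its own, never alert. The thresholds, field names and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not taken from the article): one syslog-style
# firewall deny log and one sshd auth log covering the same few minutes.
FIREWALL_LOG = """\
2008-05-01T09:00:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2008-05-01T09:00:02 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2008-05-01T09:00:02 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2008-05-01T09:05:00 fw1 DENY src=198.51.100.2 dst=10.0.0.5 dport=22 proto=tcp
"""

AUTH_LOG = """\
2008-05-01T09:00:05 srv1 sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
2008-05-01T09:00:09 srv1 sshd[102]: Failed password for root from 203.0.113.7 port 4002 ssh2
2008-05-01T09:00:14 srv1 sshd[103]: Failed password for admin from 203.0.113.7 port 4003 ssh2
2008-05-01T09:00:20 srv1 sshd[104]: Accepted password for admin from 203.0.113.7 port 4004 ssh2
2008-05-01T09:10:00 srv1 sshd[105]: Failed password for bob from 198.51.100.2 port 5001 ssh2
2008-05-01T09:20:00 srv1 sshd[106]: Accepted password for bob from 192.0.2.9 port 6001 ssh2
"""

FW_RE = re.compile(r"^(\S+) \S+ DENY src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def parse_firewall(text):
    """Normalise firewall deny lines into the common event schema (assumed format)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group(1)), "src": m.group(2),
                           "kind": "fw_deny", "detail": "dport=" + m.group(3)})
    return events


def parse_auth(text):
    """Normalise sshd lines into the same schema; kind is auth_fail or auth_ok."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m.group(2) == "Failed" else "auth_ok"
            events.append({"ts": datetime.fromisoformat(m.group(1)), "src": m.group(4),
                           "kind": kind, "detail": m.group(3)})
    return events


def dedupe(events):
    """Drop exact repeats (same timestamp, source, kind, detail) to cut data volume."""
    seen, kept = set(), []
    for e in events:
        key = (e["ts"], e["src"], e["kind"], e["detail"])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def correlate(events, window=timedelta(minutes=5), fail_threshold=3):
    """Alert only when a source IP logs in successfully after at least
    fail_threshold failures within `window`. Lone failures or denies never
    alert on their own; firewall denies are reported as corroboration."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["kind"] != "auth_ok":
                continue
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            fails = sum(1 for p in recent if p["kind"] == "auth_fail")
            denies = sum(1 for p in recent if p["kind"] == "fw_deny")
            if fails >= fail_threshold:
                alerts.append({"src": src, "account": e["detail"], "ts": e["ts"],
                               "failures": fails, "firewall_denies": denies})
    return alerts


def run(fw_text=FIREWALL_LOG, auth_text=AUTH_LOG):
    """Full pipeline: parse both sources, dedupe, correlate.
    Returns (number of events kept after dedupe, list of alerts)."""
    events = dedupe(parse_firewall(fw_text) + parse_auth(auth_text))
    return len(events), correlate(events)


if __name__ == "__main__":
    kept, alerts = run()
    print(f"{kept} events after dedupe, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

Run as a script it prints the surviving event count and the single alert: in the sample data the three failures from 203.0.113.7 followed by a success for admin trip the rule, while the lone failure from 198.51.100.2 and the unrelated success from 192.0.2.9 do not. The window and threshold are starting points to be tuned per environment, and in production the parsers would be replaced by whatever the collection platform already emits.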
And it's certainly time to take advantage of the industry trend towards platforms comprising multiple types of security protection as opposed to multiple "point" solutions, says Gartner's MacDonald. "It often makes sense to take advantage of an installed security platform that is already providing other types of protection, even if its vendor does not provide best-of-breed protection for every threat. 'Best-of-need' solutions sometimes offer significant compensating benefits, including improved manageability, fewer agents and consoles, and an overall reduction in complexity and associated cost," he points out.
His team estimates that by 2010 only 10 per cent of emerging security threats will require tactical point solutions, compared with 80 per cent in 2005. "Many enterprises should consider endpoint protection platforms (EPPs), which include anti-virus, anti-spyware, personal firewall and host intrusion prevention capabilities - and most vendors are providing no-cost upgrades to their EPP offerings," he says.
Offloading the burden
Another option is to outsource routine IT security tasks that are sapping in-house time and resources, says Stuart Okin, UK head of security at consultancy Accenture. "A customer recently told me how they were working on a massive firewall consolidation exercise, and all I could think was 'Why are you doing all this in the City of London, where salary costs are sky-high? You've got hundreds of firewalls and thousands of rules to impose in order to meet your internal compliance obligations. Why not take the savings you'd make by offshoring and use them elsewhere in your security strategy?'"
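The consolidation exercise Okin describes has a mechanical core that is cheap to automate wherever it is done: finding rules that an earlier rule in the same policy already covers. The block below is an added example, not the article's or Accenture's code. It checks a small constructed rule base (invented here; the addresses, names and actions are assumptions) for rules that an earlier rule fully covers, labelling them redundant when the action matches (safe to delete) and shadowed when it differs (a dead rule, usually a policy error). Only exact containment is checked; rules that partially overlap would need an interval-splitting analysis, which is not shown.

```python
import ipaddress

# Constructed rule base (not from the article), in evaluation order. Each rule:
# (name, action, src, dst, proto, first_port, last_port); proto "any" matches all.
RULES = [
    ("r1", "allow", "10.1.0.0/16",  "10.9.0.10/32", "tcp", 443, 443),
    ("r2", "allow", "10.1.5.0/24",  "10.9.0.10/32", "tcp", 443, 443),   # redundant: r1 already covers it
    ("r3", "deny",  "0.0.0.0/0",    "10.9.0.0/24",  "any", 1, 65535),
    ("r4", "allow", "192.0.2.0/24", "10.9.0.20/32", "tcp", 22, 22),     # shadowed by r3: never matches
    ("r5", "allow", "10.2.0.0/16",  "10.8.0.0/24",  "udp", 53, 53),     # live
    ("r6", "allow", "10.2.0.0/16",  "10.8.0.0/24",  "tcp", 1, 65535),   # live: proto differs from r5
]


def covers(outer, inner):
    """True if every packet matching rule `inner` also matches rule `outer`."""
    _, _, osrc, odst, oproto, ofirst, olast = outer
    _, _, isrc, idst, iproto, ifirst, ilast = inner
    src_ok = ipaddress.ip_network(isrc).subnet_of(ipaddress.ip_network(osrc))
    dst_ok = ipaddress.ip_network(idst).subnet_of(ipaddress.ip_network(odst))
    proto_ok = oproto == "any" or oproto == iproto
    port_ok = ofirst <= ifirst and ilast <= olast
    return src_ok and dst_ok and proto_ok and port_ok


def analyse(rules):
    """Return [(rule_name, finding, covering_rule_name)] for every rule that an
    earlier rule fully covers. Same action -> 'redundant' (can be deleted);
    different action -> 'shadowed' (dead rule, likely a policy mistake).
    Only the first covering rule is reported, since it is the one a firewall
    evaluating top-down would actually hit."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier[1] == later[1] else "shadowed"
                findings.append((later[0], kind, earlier[0]))
                break
    return findings


if __name__ == "__main__":
    for name, kind, by in analyse(RULES):
        print(f"{name}: {kind} (covered by {by})")
```

On the sample policy the script reports r2 as redundant with r1 and r4 as shadowed by the broad deny in r3; the remaining rules are live. Across hundreds of firewalls the same check, fed from exported rule sets, is the kind of repetitive work the passage suggests need not be done by expensive in-house staff.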
MacDonald agrees. Many mature security functions, he claims, can be handled by less costly in-house IT operations (where salaries are generally lower than those paid to information security professionals) or outsourced to managed security service providers. "Desktop anti-virus technologies and EPPs should be managed by the desktop operations organisation, and functions such as firewall and log monitoring are strong candidates for outsourcing," he adds. In fact, he estimates that three quarters of enterprises might improve security and cut costs by outsourcing repetitive security functions to a third-party provider.
Customers should also be demanding more protection "in the cloud" from their network service and internet service providers, he says. "Many internet threats, including denial-of-service attacks and most worm attacks, could - and should - be stopped at the point where they enter the internet," he says.
However, this type of protection is expensive and requires cooperation by players at the various tiers of service, he admits. Consequently, MacDonald argues, service providers must have a strong motive for delivering stronger security, which customers should provide by building security into service level agreements.
"An enterprise should, for example, refuse to pay for 100Mb per second of internet connectivity when it has to receive and then discard 30Mb per second worth of viruses, spam, phishing attacks and worms embedded in the traffic stream. This unwanted traffic should be filtered out before ever reaching the enterprise," he insists.
Change of focus
The Jericho Forum, a membership body for senior IT security officers, strongly endorses the concept of "de-perimeterisation" - building security systems that can cope securely with users who do not sit inside the company firewall on a well-managed private network.
Its members claim that a new approach is needed - one focused less on defending the network and more on protecting data in a more effective and cost-efficient way. With that in mind, it recently unveiled its collaboration-oriented architecture (COA) at the RSA show in San Francisco and at Infosecurity in London: a set of guidelines for building security systems along exactly those de-perimeterised lines.
"We believe that the current economic climate is the perfect opportunity for companies to start exploring COA, which offers better security at a reduced cost," says Jericho Forum member Adrian Seccombe, CISO at pharmaceutical company Eli Lilly.
Never drop your guard
Whatever the fate of IT security budgets over the coming year, CISOs must not allow cost constraints to distract them from the more important task of round-the-clock vigilance, says Contos of ArcSight. Their systems, he says, may be even more vulnerable to attack than usual in a period of economic recession.
"In general, when people become disillusioned with the state of the economy or suffer a financial crisis, it increases the likelihood of malicious acts. Individuals may be more tempted to try to turn corporate information - be it personal details, financial data, internal R&D reports or strategic business plans - into cash by selling it in underground black markets or to competitors," he says.
Or as Okin of Accenture puts it: "This is no time to take your eye off the ball." After all, the threat of increased risk might be enough to convince board members that any attempt to make cutbacks on security staff and technology would be short-sighted at best and perilous at worst.
VIEW FROM THE FRONTLINE
Economic downturn or no economic downturn, any chief information security officer who isn't actively looking to slash inefficient security spending "should be thinking about a change of career right now". That's the forthright view of Adrian Seccombe, CISO at pharmaceutical company Eli Lilly.
He regularly faces difficult decisions when it comes to allocating the company's security budget as it rapidly embraces more collaborative ways of working with suppliers, partners and customers. And as a member of the Jericho Forum, he's chosen to back the body's collaboration-oriented architecture (COA) for security, a framework of design principles that promises to enable firms to cost-effectively build "de-perimeterised" security systems in a world where the traditional borders between the organisation and its key trading partners have crumbled.
COA, Seccombe claims, is enabling companies to reduce their IT security costs by assigning different levels of risk to data, rather than applying a blanket security policy across all types of information.
"The vast amount of data organisations hold is of low value, and we're taking too much time securing all of it, when we need only secure the layers that are actually of value to criminals," he says. "We don't need to encrypt meeting minutes, restaurant menus and much of the rubbish data that's being overly protected today."
But security savings can be found everywhere in organisations and Seccombe is adept at identifying them. Take, for example, his tip for reducing laptop security costs: "If you tell the keeper of that laptop that it will be theirs at the end of three years, you'll immediately see less damage, fewer drops and better rates of patching," he says.
The news from the markets suggests that it is too early to tell how uncertain economic conditions worldwide will affect IT spending patterns. In fact, according to research conducted in March by IT market research firm Gartner, fear of a downturn has hardly made a dent in budgets so far.
Gartner's researchers found that European IT budgets remained at the previously forecast growth rate of 3.1 per cent during the first quarter of 2008, while growth in spending slipped only slightly to 2.3 per cent.
And companies making early budget reductions may simply be playing safe at the start of the financial year, says Mark McDonald, head of research for Gartner executive programmes. "The first quarter should be the toughest in terms of budget changes as executives are cautious at the start of the year," he says.
One in three CIOs have put a contingency plan in place to prepare for a potential future shift in budget, he adds; but only half of these expect to use them.
And when it comes to estimating spending on security, analysts at rival researcher IDC are positively bullish. They claimed in late April that IT security would be the one area of the industry that would largely escape the effects of the global economic downturn.
They expect spending across 16 European countries on security hardware, software and services to increase this year to EUR12.5 billion (£10 billion), up 17.3 per cent from 2007. But they also cautioned that this growth rate would decline slightly over the next four years, to 11.8 per cent by 2012.
"Western European countries are still facing major security gaps in identity and access management, threat mitigation and compliance solutions," said Eric Domage, manager for Western European security research and consulting at IDC. And they were "likely to want to safeguard data, information systems and intellectual property more closely in the face of more fierce competition as a result of tougher economic times", he added.