What can you afford NOT to do on IT security?

With the ailing economy putting a crimp in IT budgets, information security managers -- like just about everyone else in the tech world -- are feeling pressure to keep their costs in line.

Few expect to be hit with outright budget reductions, at least in the short term; regulatory requirements and the ever-expanding list of external and internal threats make it hard to devote less money to security efforts. But there is a growing push to curb or defer spending increases, according to IT managers and security analysts.

"It's imperative to squeeze every penny of value out of everything you do," said Jim Kirby, senior network engineer at DataWare Services, an IT services firm in Sioux Falls, S.D. This is a good time to stop working on "marginal" projects and redirect resources to security capabilities that are absolutely necessary, Kirby said.

Matt Kesner, chief technology officer at Fenwick & West LLP in San Francisco, said the law firm's security strategy for next year is to "focus on basics." Its 2009 IT budget doesn't call for reduced spending on security -- but neither does it include a funding increase.

And Fenwick & West is taking some steps to cut costs. The firm is deferring an earlier plan to hire a full-time networking and security expert because of the recession, Kesner said. It is also looking for opportunities to use open-source alternatives to some of its security tools.

One of the few new IT projects approved for next year is a replacement of the antivirus software installed on all of the law firm's PCs -- an upgrade that Kesner said is being driven by the increased threats to corporate data from malware and phishing attacks. Fenwick & West also plans to train end users more intensively on how to secure their PCs and mobile devices, and on the importance of creating strong passwords.

Even in an economy gone sour, a growing number of government and industry regulations impose security compliance costs that there is simply no getting away from. For instance, new data-protection laws in states such as Massachusetts, Connecticut and Nevada require companies to use data encryption tools and implement other security controls to safeguard the personal information of state residents.

Similarly, the Payment Card Industry Data Security Standard, created by the major credit card companies, requires all businesses that accept credit and debit transactions to adopt a broad set of data protection controls. And the federal HIPAA law includes data security and privacy rules for health care providers in order to protect patient information.

Meanwhile, cybercrooks are targeting companies with increasingly sophisticated -- and successful -- attacks. For example, Symantec Corp. said in a report last month that at least $1.7 billion worth of bank accounts were compromised in the U.S. during the 12-month period that started in July 2007.

In light of all that, not making cutbacks in antivirus subscriptions and purchases of frontline security tools such as firewalls and network intrusion-detection systems is a no-brainer, security managers said.

Kirby said investments in outbound-traffic inspection tools and controls for locking down portable media devices also are worthwhile because of the heightened risk of insider attacks at a time of increased layoffs. In addition, he thinks that cutting back on disaster recovery and business continuity projects wouldn't be wise.

Whittling away at risk management and compliance oversight functions is another bad idea, said the chief privacy officer (CPO) at a large financial services firm. That could leave companies facing potentially serious consequences for not complying with security requirements, he said.

What to Cut

But there are other areas in which IT and security managers may be able to ease up on spending. Kirby said that although intrusion-detection systems are a must-have item, many companies can live without intrusion-prevention tools, which are more sophisticated but also more expensive and harder to manage. He added that biometric security projects can often be postponed.

Paring back on third-party security education and training programs can also yield some extra dollars that can be used for other purposes, said the CPO, who asked not to be identified. "Companies have a lot of vendor-hosted or vendor-provided education programs -- kind of, 'Here's how you do data security if you're covered by HIPAA or by PCI,' " he said. According to the CPO, the cost of individual programs can sometimes top $200,000 annually, depending on the number of employees being trained.

Marcin Czabanski, director of IT at LifeSecure Insurance Co. in Brighton, Mich., said companies should also look for ways to move applications -- and their security functions -- into the computing clouds offered by vendors such as Google, Microsoft and Amazon.com.

By doing so, Czabanski said, "you can outsource a lot of the headache" of managing and securing desktop applications -- and do so for less money than keeping the work in-house.

E-mail is another application that can move to the cloud. The Henssler Financial Group in Kennesaw, Ga., is a user of Google's Postini e-mail security and archiving services. Tim O'Pry, Henssler's chief technology officer, said the arrangement has enabled the financial services firm to offload to Google the hassle and expense of securing its e-mail system.

In addition, using the hosted services has "dramatically" reduced Henssler's e-mail archiving costs while making it easier for employees to search for and retrieve old messages, O'Pry said.

Moving e-mail to a cloud infrastructure such as Google's can also help organizations lower the costs of complying with e-discovery rules in legal cases, said David Jordan, chief information security officer for Virginia's Arlington County.

For instance, Google earlier this year launched a Postini service called Message Discovery that is designed to help businesses comply with e-mail retention regulations and speed up the process of retrieving messages in response to lawsuits or other legal matters. Such setups can also help customers trim their e-mail hardware, software, management and security costs, Jordan said.

Another possible cost-saving option, he noted, is deploying virtualization and thin-client technologies that let employees access a set of centralized applications. Jordan said he thinks that thin-client architectures are inherently more secure -- and thus less costly to manage and control -- than traditional client/server computing models.

Any cutbacks should be carefully weighed, though.

Phil Hochmuth, an analyst at Yankee Group Research Inc., said it's understandable that companies might want to rein in their security spending. But on a longer-term basis, "it would probably be a mistake if they backed off strategic initiatives" just to cut costs now, Hochmuth said.

O'Pry agreed. "Trying to scrimp and save on security in this economy would be a penny-wise, pound-foolish thing to do," he said. O'Pry noted that as a financial services firm, Henssler is "affected more than anyone else" by the downturn. Even so, there's little talk within the company about cutting security spending. "Your most valuable nontangible asset is your reputation," O'Pry said. "You can't risk taking any hits to that."

This story, "What can you afford NOT to do on IT security?" was originally published by Computerworld.