Leslie Lambert, vice president and chief information security officer at Sun Microsystems Inc., returned from a three-week business trip to India with a few souvenirs and a whole new set of IT security priorities for 2009.
India is home to 29 of Sun's 250 managed services providers. Economic troubles there have made it harder for those providers to build out their data centers, so they're procuring services from other providers around the globe.
"I'm going to be shifting focus," Lambert says. In 2009, projects like server security, metrics, application security and Web security will likely take a back seat to new data-protection measures and deeper enhancement of user-access and identity management systems. "Those are the big hitters now," she adds. In a steadier economy, all of the projects would likely have gone ahead, she says.
Indeed, security remains a top priority for all companies -- with antivirus, encryption and identity management topping the list for Computerworld 's Forecast survey respondents. But with economic uncertainty overshadowing most IT budgets, managers will have to pick and choose the projects that are most important.
The U.S. Tennis Association (USTA) is a prime example. The organization generates 85% of its revenue in just two weeks in late summer during the U.S. Open tennis tournament, and with so much riding on one event, the IT staff can't afford any security snafus. So when CIO Larry Bonfante decided the USTA would need to upgrade its network access control system to protect the network from contaminants brought in by 800 media members using its Web site, the project got a green light, despite a flat budget.
"Anything that can impact revenue, the fan or customer experience, or the game of tennis is considered business-critical," Bonfante says. Still, "all projects are certainly under significant scrutiny to make sure there's a tangible return on investment before we get funding for them. Security projects are no different in that regard."
Law firm Nexsen Pruet LLC plans to overhaul its intranet in 2009. Among other things, the upgrade will enable the system to grant users access to financials and reports according to their security levels. Despite the tough economy, the project will move forward, but at a slower pace than originally planned. "Increasing overall organizational efficiency and productivity sometimes means increasing spending for technology infrastructure and key applications," says Technology Director John E.C. Davis.
Keeping your guard up
Projects that "keep the bad guys out" are usually the most recession-proof, says John Pescatore, an analyst at Gartner Inc. But spending for projects that "let the good guys in" is often tied to business cycles. "If there's a new business project to open up new services and products, there's a lot of security spending in identity and access management," says Pescatore. "But in 2009, that's probably the area we'll see get hit," creating a growing potential for security leaks.
Worst-case scenario: Companies could stop allowing employees to use their home PCs, laptops or iPhones for business use if identity and access management systems aren't in place. But Pescatore says that's not likely, again because of the economy.
"Some will reverse the privilege," most likely in government and financial sectors, he says. "But the majority of companies may say, 'If you use your home PC, we don't have to buy you one, and that will save us money.'" Some businesses might even consider letting workers use their own software, such as Google Apps.
"In businesses that are really under cost pressure, they may be very tempted to take the security risk to use these cheaper consumer alternatives," Pescatore adds.
The financial meltdown may also spark more regulations to address financial wrongdoing this year, which could in turn drive spending on reporting tools. While the new regulations may affect only financial firms, as opposed to every publicly traded company, "there may be a push for new risk reporting directly to the government," Pescatore says.
In the meantime, companies in many industries will be working to comply with legal and regulatory mandates that protect private, sensitive information.
For instance, utilities have mandates from several regulatory bodies requiring them to secure SCADA -- supervisory control and data acquisition -- systems and industrial control tools that monitor processes. In the financial services sector, smaller banks are moving toward dual authentication to meet FDIC, Federal Financial Institutions Examination Council and Basell II standards. And retailers must meet payment-card industry requirements.
"Information security is non-negotiable for these organizations," says Jeff Bernstein, senior director of information assurance at Asero Worldwide Inc. in Washington. "For IT purchases such as hardware and software, there will probably be some suffering. But meeting internal and external security requirements" won't be compromised, he adds.
Industry-watchers worry that postponing some IT security projects could lead to risky business behaviors -- especially with pesky new botnets infecting the most secure enterprises. "If I don't look for [malware], I'm not going to incur the expense of doing anything about them," Pescatore says.
The Procter & Gamble Co. has invested heavily in IT security, yet in 2007 it found that 4% of its PCs were compromised by botnets, according to a Gartner case study. To fix the problem, P&G had to reimage most of the 3,000 PCs -- an expensive task.
But dealing with a breach is more expensive than preventing one, Pescatore says. An incident where information on 100,000 customers is exposed typically costs an enterprise $10 million to $15 million to fix, excluding damage to the brand name. But preventing a data leak costs $3 million to $5 million.
And with layoffs looming in all sectors, Gartner expects more companies to consider outsourcing some security functions. Also expect companies to turn to "security as a service" to help reduce software, management and maintenance costs and lower in-house power and cooling costs.
"Over five years, it may cost you more," Pescatore says, "but in 2009, it will cost you less."
This story, "The security imperative" was originally published by Computerworld.