How to sustain security on a tight budget

By Andreas M. Antonopoulos, Network World | Security, economy, IT management

Whether you believe we are in or about to enter a recession, IT budgets are certainly tightening up for 2009.

In a climate of uncertainty, CIOs are asking for across-the-board budget "constraint" until the uncertainty clears. Perhaps spending on operations is not being cut, but capital projects are being postponed unless they have a clear and short-term return on investment. Even then it may be difficult to get the initial investment approved. So in this environment, what happens to security budgets?

Security spending has been increasing for most of the past decade. Our research has seen security budgets increase from about 2% to about 8% of IT budgets. We have also seen sustained investment in security correlate with reported success. Companies that have consistently invested more than 5% of the IT budget in security report fewer challenges with malware, security breaches and identity theft. Sustained investment in technology, people and process leads to increased security. In a time of constrained budgets, this type of sustained investment can carry a company through a period of cutbacks. Having developed operational processes and trained security and risk management professionals, companies can reduce capital-intensive projects and sustain consistent levels of security for a short period of time. Of course, at some point capital investments have to resume or companies will fall behind the technology adoption curve and find themselves scrambling to catch up.

For companies that have not invested in security at a sustained level above 5% of IT budgets, scrambling to catch up is the norm. As budgets tighten it will get harder and harder to keep up with the new threats. Even so, there are ways to sustain security with less spending:

-- Focus on training and awareness. Organize weekly or monthly security awareness seminars, post security awareness posters, print a security tips brochure. Training not only reduces unintentional employee security lapses but may also increase early notice of problems by increasing employee awareness and vigilance.

-- Renegotiate license contracts. If you're hurting, so are the sales teams of security vendors. Now is the time to negotiate a better volume license. Shop around with competitors of your incumbent vendor and ask them to offer pricing that will cover the cost of transition. Then turn that around as leverage with your incumbent vendors. Ask for a discount for higher volumes or ask them to throw in one year's maintenance for free. We've seen vendors willing to do all of the above.

-- Investigate open source. There are many robust and sophisticated open source security solutions. If you have the skills to test, deploy and maintain these with community support, they're worth checking out. You can find good solutions in vulnerability analysis, monitoring, IDP, firewalls, directory and identity management, etc. Many of these solutions are also available as virtual appliances that are easy to test and install.

Use your skills and acumen to find solutions that are cost effective and make the best use of your existing investments in technology, people and process. Get your employees to help you improve security through training and awareness. In difficult economic times, good security professionals not only survive, they thrive.
