Can you cut information security in hard times and survive?

Companies that don't have the money to pay for full disk encryption might want to look at TrueCrypt, another open-source project. Because it lacks centralized management capabilities, TrueCrypt is "not going to be appropriate for every environment," says Morey Straus, an information security officer with the New Hampshire Higher Education Assistance Foundation, but it does work for some.

Outsourcing security to the cloud
For cash-strapped organizations, moving security processes out of the house can be a money-saver. "Look to the cloud computing services to replace some [security products]," Straus recommends.

Forrester Research reports that 28 percent of companies that move to in-the-cloud managed security services do so to cut costs. Although e-mail and Web filtering are the most popular managed security services today, Forrester projects that more businesses will move to the cloud for vulnerability assessment and event monitoring as well.

Using brainpower instead of buying tools
But for companies that want to improve their security posture without spending money, taking the time to promote an information security awareness program can pay off big-time, according to Straus. "That's just one of the easiest, most effective things you can do and it costs very little."

Straus says he did this in two phases at his organization, a student loan provider. First, he started with a mass presentation outlining good security practices for his users. He then followed up with departmental meetings, which he described as more of a two-way discussion. "I'm able to get the employees to share with me some of the risks and possible pitfalls," he said. "Those meetings are very beneficial."

Analysts say that cutting down on manual processes is one way that smart companies can reduce costs and refocus staff resources.

It wasn't budget constraints that pushed the U.S. Navy to do something in this area, but the sheer volume of data that caused the Navy to move from manually handling intrusion-detection system alerts to a more automated system, called Prometheus.

As the Navy expanded sensor coverage and the amount of activity on the network spiked in recent years, manual monitoring became impossible, said Jim Granger, director of capabilities of readiness with the Navy Cyber Defense operation command in Norfolk, Virginia. "All of that just contributed to more information, and that contributed to sensor overload," he said. "We figured that if our watch team did nothing but clear alarms … these guys would be able to spend an average of about 4.5 seconds per alarm."

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine