Standing Firm on Security Spending

Why now is not the time to cut security budgets.

By Simone Seth

The world as we knew it has changed. Over the past six months, the global financial crisis and market collapse have led to the downfall of some of our best-known and most respected organizations, changing the landscape of the free-market economy for good.

Organizations that have survived the credit crunch so far are looking to learn lessons from these recent experiences and work out strategies to ensure that they maintain profitability during the challenging months (and maybe years) ahead. Inevitably, one of the topics at the top of boardroom agendas is how to cut costs.

When examining where to cut budgets, organizations often look first at non-revenue-generating functions. One of these areas is information security.

This is a short-sighted strategy. Today's uncertain business environment means that corporations and their security professionals need to be more focused, not less. Now is the time to strengthen security rather than reduce it; cutting it would simply expose businesses, and all of us who depend on them, to increased risk and exploitation.

Risk and Reward

Organizations need to re-examine both the risk and the value added by information security, especially when lay-offs, mergers, and divestitures are commonplace. In particular, they need to remain vigilant when reducing their workforce.

A company may have sophisticated identity-management software in place, but if it does not follow a timely joiner and leaver process, so that accounts are created when people are hired and disabled the moment they are terminated, it leaves back doors open to disgruntled ex-staff.

If authorized access to data is not terminated as soon as individuals lose their jobs, sensitive and confidential data can be put at risk and can lead to a breakdown in an organization’s control framework. Experienced security professionals have long highlighted this vulnerability to senior management and HR departments but unprecedented events in the business world will focus their minds and lead to change.
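The gap described above is one that a periodic reconciliation can surface: compare the HR system's view of who should still have access with the directory's view of who actually does. The script below is an added example for this article, not the author's or the ISF's code. The HR roster and directory export it uses are constructed sample data, and the field names (login, status, termination_date, enabled, last_logon) are assumptions about what such exports might contain; real HR and directory exports will differ.

```python
from datetime import date, timedelta

# Constructed sample data for this example (not from the article).
# HR_ROSTER stands in for an HR system export: who is employed, and
# when anyone who left was terminated.
HR_ROSTER = [
    {"employee_id": "E100", "login": "alice", "status": "active", "termination_date": None},
    {"employee_id": "E101", "login": "bob", "status": "terminated", "termination_date": "2009-02-27"},
    {"employee_id": "E102", "login": "carol", "status": "terminated", "termination_date": "2009-03-02"},
    {"employee_id": "E103", "login": "dave", "status": "active", "termination_date": None},
]

# DIRECTORY_ACCOUNTS stands in for a directory / identity store export:
# which accounts exist, whether they are enabled, and when they last logged on.
DIRECTORY_ACCOUNTS = [
    {"login": "alice", "enabled": True, "last_logon": "2009-03-03"},
    {"login": "bob", "enabled": True, "last_logon": "2009-03-01"},        # left 27 Feb, still enabled, logged on after leaving
    {"login": "carol", "enabled": False, "last_logon": "2009-02-20"},     # left and was disabled: the process worked
    {"login": "dave", "enabled": True, "last_logon": "2008-11-15"},       # employed but has not logged on for months
    {"login": "svc_backup", "enabled": True, "last_logon": "2009-03-03"}, # no HR record: service account?
    {"login": "contractor7", "enabled": True, "last_logon": "2009-01-10"}, # no HR record: third party?
]

# Hypothetical "today" so the example is reproducible.
TODAY = date(2009, 3, 5)


def parse_date(text):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(text) if text else None


def reconcile(hr_roster, accounts, today, dormant_days=90):
    """Compare HR's view of who should have access with the directory's
    view of who does. Returns sorted logins under four findings:
      terminated_but_enabled: leaver whose account was never disabled
      used_after_termination: leaver's account logged on after the leave date
      orphaned:               enabled account with no HR record at all
      dormant:                enabled account unused for dormant_days or more
    """
    hr_by_login = {r["login"]: r for r in hr_roster}
    cutoff = today - timedelta(days=dormant_days)
    findings = {
        "terminated_but_enabled": [],
        "used_after_termination": [],
        "orphaned": [],
        "dormant": [],
    }
    for acct in accounts:
        login = acct["login"]
        last_logon = parse_date(acct["last_logon"])
        record = hr_by_login.get(login)

        if record is None:
            # Nobody in HR owns this account: a service account, a contractor,
            # or a leaver whose HR record has already been purged. Each needs
            # a named owner before it can be left enabled.
            if acct["enabled"]:
                findings["orphaned"].append(login)
        elif record["status"] == "terminated":
            term = parse_date(record["termination_date"])
            if acct["enabled"]:
                findings["terminated_but_enabled"].append(login)
            if last_logon and term and last_logon > term:
                # Stronger than "still enabled": the back door has been used.
                findings["used_after_termination"].append(login)

        # Dormancy is checked regardless of HR status; an unused but enabled
        # account is an attractive target whoever nominally owns it.
        if acct["enabled"] and last_logon and last_logon < cutoff:
            findings["dormant"].append(login)

    return {key: sorted(logins) for key, logins in findings.items()}


def run_example():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for finding, logins in run_example().items():
        print(f"{finding:24s} {', '.join(logins) or '-'}")
```

Run against real exports, the interesting output is the first two lists: every entry there is a leaver process that did not complete, and the "used after termination" list is the one to take to HR and senior management first. The orphaned list is where third-party and service accounts tend to accumulate, which is the same ownership problem the next section raises for divestitures.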

The last decade has seen organizations rely on third parties to provide crucial services more than ever before. As organizations merge or divest businesses, special attention needs to be paid to these third-party relationships. Access to critical data, much of it governed by compliance requirements, needs to be controlled diligently. A control framework needs to be chosen and applied consistently throughout the organization and its third-party partners. Senior leadership must also ensure that information security professionals have a seat at the boardroom table when divestitures and acquisitions are discussed, so that the right strategies are in place from the start to safeguard data and so that gaps in protection are not opened through inadvertence or carelessness.

Another threat compounded by the current financial climate, and by the confusion and disruption it causes to business operations, is the shift from random attacks by individual hackers to targeted, organized, profit-driven attacks. This new breed of attack, designed to steal valuable and sensitive information or customer data for major financial gain, is orchestrated by criminal networks that bring together specialist skills and expertise. Many even place sleepers within organizations to provide inside knowledge and access.

It's not dissimilar to robbing a bank. The difference is that this cybercrime is more sophisticated and harder to trace. Most such attacks circumvent generic security controls; anti-forensic techniques, such as deleting system logs, are used to remove traces; and attack kits such as the Limbo 2 Trojan are sold online, some even with non-detection warranties. It's not surprising that cybercrime is the fastest-growing type of crime and is considered by the U.S. Treasury to have exceeded the profits from illicit drug sales.

Making Savings

While it is clear that cutting information security budgets is unwise, there are ways to save money. One way organizations can realize cost savings is by recycling and reusing existing tools and services and avoiding the vendor hype associated with security. Vendors have created a lot of fear, uncertainty and doubt by claiming that organizations are not secure without their latest products. Organizations need to examine carefully what they have in place and look at how their security measures can be leveraged before making decisions about spending precious budget dollars. Targeted and focused spending is the way to go in 2009.

Information security controls, if implemented correctly and consistently, ensure the validity of financial records and satisfy the authorities responsible for regulatory compliance. Making full use of security staff, especially in these challenging times, will reassure regulators and customers that the organization can adapt to changing environments and operating models.

This is no time to reduce security budgets -- that is the message security practitioners need to take to their leadership teams!

Simone Seth is an industry analyst for the Information Security Forum, a not-for-profit association of 300 leading international companies and organizations. ISF funds and cooperates in the development of practical, business-driven solutions to information security and risk management problems. More information is available at http://www.securityforum.org. You can contact the author at simone.seth@securityforum.org.