
How to Defend Security amid Budget Tightening: Four Approaches

http://www.eweek.com/c/a/Knowledge-Center/How-to-D [2008-6-27]

The biggest threat to a company's security might not be hackers and thieves, but its own budgetary process. nCircle Vice President Elizabeth Ireland explains how to address that tough hurdle.


Many predict that 2008 will produce the tightest economic conditions since the dot-com bust at the beginning of the decade. The subprime meltdown and tightening credit markets mean most CIOs will feel the downward spiral of the economy right where it hurts: in their budgets.
Unfortunately, this also coincides with the most serious threat environment security professionals have yet faced. Hackers' tactics are becoming more targeted. Web applications are increasing in number and business importance, generating additional enterprise risk. Budgets may get tight, but the CIO's responsibility remains the same: focusing on how best to minimize risk.
Tighter budgets don't equal less attention for security. In fact, at times like these, that may be the biggest mistake. The highest levels of an organization are asking their CIOs, "How do we know we're secure?" The only way to know is by understanding the risks, the return on investment and how security not only fits into your other IT priorities but also adds to the company's bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.
1. Metrics make the most compelling argument. Is your security risk going up or down over time and what is affecting it? This is baseline data that every organization needs and should monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: How vulnerable are my systems, how safely configured are my systems and are we prioritizing the security of the highest value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company's own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify (and defend as necessary) where your security priorities are, and how security and risk fit into overall ROI.
2. Compare your baseline to others in your industry. The guarded nature of security data means CIOs trying to access this type of information will have to get creative. A good place to start is the Center for Internet Security; its consensus baseline configurations can be used as a jumping-off point to identify areas of risk. Vertical industry benchmarks are an evolving area, and another source may be what you can learn from your personal relationships. Seek out others within your industry and find out what metrics they are using and what percentage of their IT budgets they are spending. Risk tolerance is specific to each organization, but there are similarities within industries that could prove helpful.
3. Learn from other areas in your company. Look to process-oriented disciplines as a proxy for the type of evolution facing security; network operations can be a good example. In the early days, the only scrutiny came if things weren't working correctly. Over the years it has matured to a level of operational metrics for uptime and performance, embedded in quarterly and annual performance goals. These metrics allow a continuous cycle of performance, measurement and improvement. In addition, network operations can provide an important lesson about single-solution economies of scale. Find solutions that work across your entire enterprise; this is the only way to get economies of scale in implementation and ensure that you get the critical, enterprisewide risk metrics you need.
4. Take steps to automate your compliance process. Are you compliant and can you routinely deliver the reports that auditors request? The economic benefits that come from doing this correctly are significant. Audit costs are directly related to how complicated it is to audit and prove the integrity of a business process, so finding a way to save the auditors' time is one of the single biggest opportunities to drive down costs. Even though your audit costs may be hitting the finance area's budget, meet with their team to understand what audits are costing you, and how the right kind of automation could lessen them. There will also certainly be time and resource savings for the security team. There isn't an exact recipe for compliance automation, so talk to your auditors, look at your environment and begin the discovery of how much time is spent preparing for and reacting to audits. If you're a company that allows your divisions to individually automate, it's time to think about taking those principles enterprisewide.
Regardless of budget conditions, you will still have to decide which projects have the biggest impact on the business. The threat environment requires that you make the absolute best decisions with your available budget by investing in the right places and getting better use of your resources. Lastly, remember that times of difficulty are often times of opportunity. Lessons learned now in the face of tighter budgets can spark valuable models of efficiency and progress for the future.
Elizabeth Ireland is a vice president for nCircle Network Security, a leading provider of agentless security risk and compliance management solutions. Ms. Ireland previously held senior management positions at Extensity and MapInfo and is a former CPA with Ernst & Young with financial and computer audit experience. She holds a BA in Business Administration, Accounting from the University of South Carolina. She can be reached at eireland@ncircle.com.




