Many predict 2009 will produce the tightest economic conditions in decades. The subprime meltdown, tight credit markets and recession conditions will mean most CIOs will feel the downward spiral of the economy right where it hurts -- in their IT budgets.
Unfortunately, this also coincides with the most serious threat environment security professionals have faced. Hackers' tactics are becoming more targeted. The increase in the number and business importance of web applications is generating additional enterprise risk. Budgets may get tight, but your responsibility remains the same: minimize risk.
It's a tall order in the face of possible spending cutbacks, but because budgets are tight, you have to be focused on how best to reduce risk, and that definitely doesn't mean less attention on security. In fact, at times like these, that may be the biggest mistake. The highest levels of an organization are asking their CIOs: how do we know we're secure? The only way you will know that is by understanding the risks, better understanding the ROI, and knowing how security fits into not only your other IT priorities but also the company's bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.
1. Metrics make the most compelling argument. Ask yourself this question: Is your security risk going up or down over time, and what is driving it? This is baseline data that every organization needs and should be on track to monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: how vulnerable are my systems, how safely configured are my systems, and are we prioritizing the security of the highest-value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company's own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify, and defend as necessary, where your security priorities are and how security and risk fit into overall ROI.
2. Compare your baseline to others in your industry. The guarded nature of security data means CIOs trying to access this type of information will have to get creative. A good place to start is the Center for Internet Security -- their consensus baseline configurations can be used as a jumping-off point to identify areas of risk. Vertical industry benchmarks will be an evolving area, and another source may be what you can learn from your personal relationships. Seek out others within your industry and find out what metrics they are using and what they are spending as a percentage of their IT budget. Risk tolerance is specific to each organization, but there are similarities within industries that could prove helpful.
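The following is an added example, not from the article, of what the metrics in points 1 and 2 look like once they are reduced to a number: it scores a constructed asset inventory on the three questions the article says every CIO should be able to answer (how vulnerable, how safely configured, and whether the highest-value assets come first), reports whether the portfolio risk went up or down between two periods, and compares mean configuration compliance with a peer figure. The severity weights, the scoring formula, the asset records and the peer benchmark value are all assumptions made for illustration; a real programme would take vulnerability counts from a scanner and compliance percentages from a CIS benchmark assessment.

```python
from dataclasses import dataclass, field

# Constructed sample data, not real inventory. Each asset carries the three
# signals the article names: vulnerability exposure, configuration hardening,
# and the business value the asset owner assigned to it.
@dataclass
class Asset:
    name: str
    business_value: int                 # 1 (low) .. 5 (critical), set by the business
    open_vulns: dict = field(default_factory=dict)  # severity -> open finding count
    config_compliance_pct: int = 0      # hardening checks passed, 0..100 (e.g. CIS benchmark)

# Assumed weights: one critical finding counts as much as ten low ones.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

def vulnerability_score(asset):
    """Weighted count of open findings (the 'how vulnerable' question)."""
    return sum(SEVERITY_WEIGHT[sev] * n for sev, n in asset.open_vulns.items())

def config_gap(asset):
    """Hardening shortfall, scaled so 10 points of gap equal one critical finding."""
    return (100 - asset.config_compliance_pct) / 10

def asset_risk(asset):
    """Exposure weighted by business value, so a crown-jewel system with the
    same findings as a test box scores several times higher."""
    return asset.business_value * (vulnerability_score(asset) + config_gap(asset))

def portfolio_risk(assets):
    return sum(asset_risk(a) for a in assets)

def risk_trend(previous_total, current_total):
    """Fractional change between two periods: negative means risk went down."""
    if previous_total == 0:
        return 0.0
    return (current_total - previous_total) / previous_total

def top_priorities(assets, n=3):
    """Asset names in descending risk order: where the next dollar should go."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)[:n]]

def compliance_gap_vs_peers(assets, peer_mean_pct):
    """Mean hardening compliance minus an (assumed) industry peer figure."""
    mean_pct = sum(a.config_compliance_pct for a in assets) / len(assets)
    return mean_pct - peer_mean_pct

def cio_dashboard(previous, current, peer_mean_pct):
    """The handful of numbers a CIO can take into a budget discussion."""
    prev_total, cur_total = portfolio_risk(previous), portfolio_risk(current)
    return {
        "risk_previous": prev_total,
        "risk_current": cur_total,
        "risk_trend": round(risk_trend(prev_total, cur_total), 3),
        "priorities": top_priorities(current),
        "compliance_vs_peers": round(compliance_gap_vs_peers(current, peer_mean_pct), 2),
    }

# Constructed inventory for two consecutive quarters.
LAST_QUARTER = [
    Asset("crm-web", 5, {"critical": 1, "high": 2}, 70),
    Asset("hr-portal", 3, {"high": 1, "medium": 3}, 80),
    Asset("dev-wiki", 1, {"medium": 2, "low": 5}, 50),
]
THIS_QUARTER = [
    Asset("crm-web", 5, {"high": 1}, 90),          # patched and hardened
    Asset("hr-portal", 3, {"high": 2, "medium": 1}, 80),
    Asset("dev-wiki", 1, {"low": 5}, 50),
]
PEER_COMPLIANCE_PCT = 76   # assumed industry figure, not a published benchmark

if __name__ == "__main__":
    for key, value in cio_dashboard(LAST_QUARTER, THIS_QUARTER, PEER_COMPLIANCE_PCT).items():
        print(f"{key:>22}: {value}")
```

The point of the trend and priority outputs is that they answer the article's question ("going up or down, and what is impacting it?") with a number rather than an opinion: here the remediation on the crown-jewel CRM system halves portfolio risk, and the ranking shows the HR portal, not the most-scanned asset, is the next call on funds. Whatever formula an organization settles on, it should be fixed and recomputed on the same inventory every period, since a score that moves only because the weights moved defends nothing.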