You're continuously balancing the need to safeguard data with efficient information access. It means exhaustively researching products that are best suited for your particular operations. It means training everyone about their responsibilities. It means following up with network monitoring and refresher classes.
Pescatore says the typical enterprise is spending 6 percent to 7 percent of the IT budget on security, not counting business continuity or disaster recovery expenses. That's equal to about .4 percent of revenue. (While it may not be the best comparison, he says, typical retailers spend 1.5 percent of revenue to keep shrinkage, or losses due to theft, stable at that 1.5 percent mark.)
Can I safely cut my security budget?
Surprisingly, yes, it's possible. Two ways come to mind: Always know your systems, and spend wisely.
First, find your vulnerabilities before your enemy does. Think of your organization as an onion. Every layer, all the way down to the core--which might be individuals and their contact with the outside world--can have vulnerabilities. Each vulnerability has to be identified and resolved.
Gartner security analyst John Pescatore recalls one organization that reduced its security budget and even support spending by consolidating its many Microsoft Windows images, or versions of Windows, to just two or three.
This strategy is almost always going to be less expensive and more effective than buying an application that merely tries to shield or ameliorate vulnerabilities.
Assuming you've analyzed your systems (and that you do it regularly), look at your buying strategy. Like those companies with numerous Windows images, many are freckled with point products. They are not coordinated, some are outdated and others are outright redundant.
Instead, think in terms of platforms for discrete functions. Replace a hodgepodge of products with, for example, an e-mail security platform, a Web security platform, and a wireless security platform.
How do I get the CEO to buy into on my strategy?
First, says Jonathan Penn, a security analyst and vice president with Forrester Research, realize that "you can't convince people about security priorities." A lot of times, it's an emotionally charged issue. "You can only educate them," he says. Tell them about precautions that your competitor or industry is taking, for example.
And don't assume that savings will win you quick approval. It's counterintuitive to think spending less could deter threats. Just be ready to show in detail how your strategy--whatever the cost--covers you for known threats and creates a foundation on which you can mount an immediate defense against as-yet unknown vulnerabilities.
I'm looking long-term. My systems are platform-based. My security stance mirrors the threats. Do I still need to focus down to the individual packet level?
Sign up for CIO Asia eNewsletters.