Security budget: Dollars and sense
Despite dwindling budgets, some IT departments are finding ways to become more efficient and secure, reports Angela Moscaritolo.
Layoffs, stalled projects and pay cuts... While these are touchy topics for any business, they have become a reality for most organizations due to the slashed budgets that often come with a global recession.
Most IT departments have experienced a degree of budget reduction this year and are now forced to do more with less. In some cases, projects have been halted and, in others, employees laid off. Currently in the midst of budgeting for 2010, many IT departments are finding that allocations for next year are looking grimmer. But, while IT budgets are decreasing, IT security budgets are holding steady. And some businesses are finding that reduced budgets have forced them to rethink the way security is sustained.
The city of Honolulu's IT department has the same budget now as it did four years ago, says Gordon Bruce, the city's CIO. A hiring freeze is in effect and directors have agreed to take a five percent pay cut for the upcoming year. In addition, the IT budget for 2010 will likely be even lower, Bruce says.
It's a similar story in Michigan, where the state's IT budget decreased four to five percent from fiscal year 2008 to 2009, says Dan Lohrmann, the state's CTO. In recent months, the IT department was told to freeze spending. It was also announced that workers would need to take furlough days. In addition, the IT department had a 25 percent decrease in allowed overtime – which could make it difficult if a forensic investigation is needed or a virus outbreak occurs, he says.
As in Honolulu, Michigan's 2010 IT budget will likely decrease further. As of May, local newspapers reported eight percent decreases. Lohrmann says that there have not been any layoffs as yet, but come fall, there may have to be.
The true impact of the global recession on budgets wasn't realized by most IT departments until January, says Greg Bell, a principal and global services leader of information protection and business resilience at KPMG. Last year, when 2009 budget allocations were being planned, most IT executives submitted budgets during the normal cycle between May and June and got tentative approval in September. So, during the latter part of 2008, executives thought they had pretty stable budgets for 2009, even experiencing likely increases over 2008. Then, the financial situation deteriorated. That surprise didn't sink in until earlier this year, when IT departments had to take a closer look at priorities and recast their budgets, Bell says.
This is what happened to the IT department at the Technical College System of Georgia (TCSG), a network of tech schools. Its 2009 IT budget is 10 percent lower than 2008, says Steven Ferguson, TCSG's senior network engineer. The IT department saw half of its budget cut last October. Then in February, it was told an additional decrease was needed, Ferguson says.
Last year, companies were beginning to feel the effects of a dwindling economy, but IT security budgets, for the most part, were expanding or remaining fixed, as reported in the July 2008 SC Magazine Salary and Career Survey, conducted with research firm Millward Brown.
Not surprisingly, surveys this year have indicated that general IT budgets are either decreasing or remaining steady. In one recent study conducted by VanDyke Software and Amplitude Research, 41 percent of respondents said their company's overall IT budget has decreased – compared to 18 percent who responded last year and said their budgets had decreased. Some 21.2 percent saw their IT security budget slashed by more than 10 percent. Additionally, of the 320 network and system administrators surveyed nationwide in late April, nearly half said they believed their organizations had not sufficiently budgeted to support their current information security needs. On top of this, over a quarter of the respondents (27 percent) said that their companies have canceled IT security projects this year as a result of a perceived poor economy.
Despite the financial crisis, companies are still allocating money for IT security efforts while overall IT spending is less of a priority, concluded a study released in April by MetroSITE Group and Pacific Crest Securities. The survey of 53 security professionals found respondents were more optimistic about security spending than general IT spending.
That may be due to the fact that information security is one of the areas within IT that's increasingly being seen as an essential business need driven by compliance mandates, says KPMG's Bell.
As well, CEOs realize that they need to keep spending on security because of viral outbreaks, such as Conficker, and there's no shortage of headlines about data breaches, says John Pescatore, vice president and research director at Gartner.
One of the key factors in funding projects is the ability to measure return on investment (ROI) in six to 12 months, rather than the traditional 24 to 36 months. The focus is on a short-term payback, even when a particular product may have a greater ROI in the long run, says Bell.
Security products that are still being purchased include those that Gartner's Pescatore categorizes as "keeping the bad guys out," which includes firewalls, intrusion prevention, anti-virus and vulnerability assessment products. Products that he puts into the "lets the good guys in" category – including identity and access management, single sign-on and user provisioning tools – are still seeing growth, but are not showing the same strength.
In these tough economic times, deals with vendors are often stretched, says Jody Brazil, president and CTO of Secure Passage, a provider of security analysis and compliance solutions. A deal that was supposed to close in February, for example, might sit on a CSO's desk for four to six more weeks while awaiting approval. "I think it's apprehension and a conservative fiscal nature," Brazil says.
TCSG's Ferguson says that due to budget constraints, his organization has had to push back the planned implementation of network access control technologies. Also, he's delaying the replacement of hardware and, instead, is extending the life of current equipment. Still, while Gartner's Pescatore also has witnessed delays in the replacement of products, he does see growth on the horizon.
Playing in the cloud
Many are seeing a silver lining, and it's in the form of a cloud. As a result of the lowered budget at TCSG, layoffs were made and furloughs became necessary, Ferguson says. But, the team found a way to get more bang for its buck by outsourcing.
More and more companies are deciding to outsource at least some elements of security to managed services providers to take some of the load off IT security departments and remove hardware expenses, says Eran Feigenbaum, director of security for Google Apps.
For executives at small- and medium-sized businesses (SMBs), interest in cloud-based managed services has increased over the past two years, particularly in the past six months. SMB personnel have begun to think of it as a "no brainer" because they're getting economies of scale – more service for less input cost, Feigenbaum says.
In addition, over the last six to nine months, there has been an uptick in some of the larger, Fortune 500 companies considering this option due to lowered budgets, Google Apps' Feigenbaum says.
"I have a conversation with a CIO or CISO of a Fortune 500 company every day," Feigenbaum says. And, Google says it sees thousands of businesses signing up and moving to the cloud every day.
The IT security department at TCSG, for one, adopted the security-as-a-service (SaaS) model. The school replaced its hardware-based email filtering, anti-virus and anti-spam by handing those tasks over to Purewire, an Atlanta-based vendor, which can manage them in the cloud.
"We saved a half-million dollars because we would have had to upgrade hardware and do some cycle replacement," TCSG's Ferguson says.
He adds that there was some trepidation over this model at first. He originally thought that having hardware on site gave his team more control, but found that now that they're in the cloud he's still managing these services similarly. And, an added benefit is that the school is getting a much richer feature set, with anti-malware and web content caching, giving TCSG more technology for the spend, he says.
When looking for cost-savings opportunities, some businesses are implementing more efficient ways of managing compliance and risk management; others are aligning security projects with the business needs. "Most clients acknowledge that they have very complex, inefficient methods to manage compliance and risk management," says Ted DeZabala, national managing partner of security and privacy services at international consultancy Deloitte. "Lots of clients are implementing efficient programs around assessment and testing of those controls."
DeZabala adds that this can bring about more efficient spending and cost savings. KPMG's Bell agrees, noting that many organizations approach technology or security compliance in silos. An antidote, however, is that some organizations are linking those projects together, managing all IT compliance and IT security controls in a consistent fashion, which can reduce labor costs necessary to conduct tests of security controls.
Where the money is
IT security departments with lowered budgets – or those among the 46 percent polled in the VanDyke survey who believe their budget is insufficient to support information security needs – should consider "taking security where the money is," says Mark Hansard, vice president of security and systems at Virtela, a managed services provider based in Greenwood Village, Colo. Look for who is getting those budget dollars within the company and try building security into those projects early on, he advises. Take for example a new investment to implement a corporate-wide content management system, he says. IT security can partner with those heading up the project to build IT security and best practices into the system's design.
Whether strengthening internal working practices, looking to cloud and SaaS providers, or getting grants from the government (see sidebar below), the consensus seems to be that success during a recession means viewing lowered budgets as an opportunity to drive efficiency throughout the enterprise.
"We tell clients this is a good time to get more efficient," says Gartner's Pescatore. "Perhaps, I can be more secure, or just as secure, and spend less."
New funding: Government grants
While budgets have been lowered in both the city of Honolulu and the state of Michigan, the economic story isn't all doom and gloom. Both entities have been able to initiate new security projects through grant funding.
Gordon Bruce, Honolulu's CIO, says that his team has secured $2 million in grants for IT security projects in 2010, which will be used to upgrade physical network infrastructure, existing application security and virus firewall components. The city has a very good bond rating, making it easier to get access to capital. Also, the mayor, Mufi Hannemann, understands the value of technology and the necessity to secure it, viewing security as an enabler rather than a cost center, Bruce says.
“That's the key,” he adds. “We have a strong leader and a strong sponsor.”
Bruce says that another important ingredient to getting grants is having someone focused on seeking them out. In addition, this person must also be skilled in writing applications.
In Michigan, IT spending has gone down about $100 million annually over the past five to seven years, but at the same time, security spending has actually increased. That's because the state has received $6 million in federal homeland security grants over the past six years for 30 cybersecurity projects, including new firewalls, anti-virus and intrusion prevention systems, says Dan Lohrmann, the state's CTO.
The key to Michigan's success in securing cybersecurity grants has been to build relationships with those in the federal government, Lohrmann adds. – AM