Those who attended the recent World Economic Forum in Davos, Switzerland reported that the prevailing mood was “circumspect.” Though there was relief that a global financial crisis may have been averted, both companies and countries continue to experience significant economic challenges.
To be sure, there is a sense that the worst has passed, but uncertainty hovers as declining tax revenues are forcing many government agencies into spending cuts. In the United States, the threat of across-the-board cuts to agency budgets (called "sequestration") looms in the air. Companies are hesitant to use cash on the balance sheet to fuel expansion, wondering if demand exists.
The picture has improved from the lowest point, and there is now a willingness in the C-suite to consider improvements, something that was absent a few years ago. However, the hovering uncertainty suggests that if revenues fall below a critical point, that willingness might disappear and budgets may be slashed to compensate for the shortfall. Staffing is already at the lowest level seen in a long time – consider the jobless recovery and stubbornly high unemployment numbers. Any semblance of “luxury” will be among the first to go.
How will the security budget fare in such a scenario?
For those in the IT security field, it seems a frivolous question. We know from experience that unpatched systems or unprotected network perimeters are very quickly breached. It is unthinkable that anything less than a “basic” level of security is acceptable for operations. This level is not a luxury, but a cost of doing business for operations of any size.
However, the definition of “basic” for the security practitioner may be quite different from the CFO's. As management sees it, once revenue is compromised, cuts must be made. Any item that does not provide obvious and immediate benefits, including security costs, is closely examined. Absent credible justification, they are all expendable and subject to being cut.
We are conditioned to fear what we can see, and IT security threats are largely invisible to management. Accordingly, during stressful times, management may be willing to treat threats as distant possibilities – “That can't possibly happen to us” – and accept much greater risk than during normal times. Even management that does accept that a “basic” level of security spend is necessary finds it hard to determine how much security is enough.
So what is a “basic level of security?” While this depends on the environment, it is a question best asked and answered before the crisis. The answer would include such staples as authentication, encryption for remote access, patch management and anti-virus software for businesses of any size. It may also include vulnerability scanning, intrusion detection and a security information and event management (SIEM) system. The answer may also be driven by contractual and legal obligations, and not just by budget availability.
A problem in the IT security industry is that many professionals never learned to speak the language of business and struggle to demonstrate the business benefits of the security budget in a credible manner.
An all-too-common practice is to adopt a “sky is falling” approach, hinting darkly at severe consequences to any budget reduction.
This situation is currently in play in U.S. public policy with the Department of Defense facing the threat of sequestration. Some lawmakers appear unwilling to make any compromises on defense budgets, despite severe constraints on revenue.
In commercial enterprises, people with such a mindset are often perceived by management as overestimating risk, perhaps for the sake of their own career, or department, and likely to be marginalized. After all, management is confronted with more pressing risks such as revenue and profit. It goes without saying that organizations that curtail the security budget today will regret this tomorrow, but that will not help the organization or the security manager who may be long gone by then.
To make effective decisions on security controls, business needs must be placed foremost. Accept that not all data and systems merit the same level of protection. The crown jewels belong in the Tower of London and loose change in the bedside drawer. A classification of assets with the help of the asset owner is essential to right-sizing security controls. When considering controls beyond these “basic” protections, the IT asset owner is often in a better position than the security team to evaluate risk and, if cuts are required, to accept compensating controls. Such an inclusive approach is more likely to be successful as it includes business rationale.
It is noteworthy that during times of financial stress, the insider threat increases, as do competitive pressures. Processes that guard against such threats must be considered part of the “basic” baseline. Unlike businesses, governments cannot cease operations and declare bankruptcy. This puts an onus on them to protect taxpayer data regardless of budget problems.
The flip side of this coin is that security managers who take into account the needs of the business and can explain the compliance needs or the increasing rate of cyber crime in their industry are better positioned to maintain security budgets. Good security is linked to good business.
IT security required for operations is an intrinsic part of operations, not a separate luxury item.