The past two years have transformed the way the world does business. The global economic crisis has led to many transformations in the way businesses operate both here and abroad.
Austerity has been the key defining principle for investment and operations. Professionals across all organizational disciplines have been challenged to do more with less…in fact, some organizational functions went into bare-bones, life-support mode. Information security and other risk management disciplines were challenged to operate with fewer resources and more demands for success.
Throughout the tumult of the past two years, information security professionals have learned to adapt and be flexible in facing the challenge of keeping up with advances in technology, reduced workforces and changing business processes and operations.
Securing organizations with a skeleton staff has been quite a challenge, and yet many security leaders have managed to accomplish the seemingly impossible. By weathering the storm we have proven that the initial investment in security infrastructure is sufficient to protect the enterprise.
The latest reports from financial pundits state that the recession is over and investment and spending will once again be the hallmark of successful organizations. The question on the minds of information security leaders is whether funds will be directed into their budgets.
Have we, by doing a great job of operating on a bare-bones budget, sounded our own death knell? How can security leaders ask for budget increases when we have demonstrated that we can manage to keep our organizations secure with less investment than we traditionally demanded?
It is incumbent on the astute security leader to craft a business case for investment in security products and solutions that will keep pace with the advances in technology that continue to sweep the nation.
The FUD (fear, uncertainty and doubt) principles no longer apply. We need to devise a new business case for advancing the contributions that information security can make to organizations. The concept of return-on-investment needs to be retired and replaced by the concept of “cost of doing business”.
Information security leaders have the unique opportunity to integrate security controls into each and every aspect of newly evolving business operations. The change needs to focus not on technology but rather on culture. By emphasizing the importance of early integration of security into the organization's operating model, a business case can be made supporting additional investment for security.
The landscape for security professionals is still slippery. A prudent and conservative approach to increasing security investment may be more successful than demanding that things go back to the way they were.
The new security leader will be a hybrid of technology savvy and business savvy. Speaking the language of the business leaders who control the coffers will ultimately serve the organization and its stakeholders better than the traditional approach used for decades.