Defending security in a weak economy

With the current state of the US economy, many IT project managers understand that their budgets may be trimmed in the coming months as companies look to adjust their spending.


For instance, IndyMac has found that it's sometimes cheaper to outsource some work to partners in Kansas and other areas of the U.S. than it is to move projects to popular places like India, where competition has driven up pricing.

Other CSOs said that cutting the fat out of security budgets wherever possible and presenting spending plans in the most straightforward manner are other keys in defending against cost-cutting.

"You have to start by assuming that you won't get all the money you ask for, decide what you really need, and present a budget 10 percent higher than that, if you approach things with the economic realities in mind, it's a lot easier to get what you really need," said John Stewart, CSO at Cisco Systems. "It's also important to cut out anything you might not need or can't get to; you don't want to ask for more money for things that you can't do and risk losing money in future years."

Stewart said that security teams can also use any time freed up by projects that are put on hold to forward lower-cost efforts, such as employee education programs, that will also help lower overhead expenses.

"So many security problems are not related to spending money, but are more around people and process change," Stewart said. "If you can convince more people not to plug infected devices into your network, if you eliminate some of the initial behaviors that end up costing you time and money fixing the problems they create, that's another great way to reduce costs."

At the Source Boston 2008 conference last week, other IT security leaders offered similar advice in relation to using detailed planning and tying projects to larger business initiatives to prevent dollars from being taken out of the budget.

"You really have to manage your innovation pipeline like an investment, and if you start talking about things in this way to people who provide the money, they start seeing business drivers, how your projects can make them more nimble and profitable, and you can use that as ammo to make more investments," said Chris Hoff, chief architect of security innovation at Unisys.

"Ultimately, the more I can provide transparency about how I spend money, I can get more money and headcount," he said. "This tends to work best when I can demonstrate how I'm spending money for the right reasons, and really making a difference and not just buying toys."

"Recommended For You"

Information security metrics insanity, the 3Rs and dashboards Laggard to leader: What it takes to get there