Many predict that 2008 will produce the tightest economic conditions since
the dot-com bust at the beginning of the decade. The subprime meltdown
and tightening credit markets mean most CIOs will feel the downward
spiral of the economy right where it hurts—in their budgets.
Unfortunately, this also coincides with the most serious threat
environment security professionals have yet faced. Hackers' tactics are
becoming more targeted. Web applications are increasing in number and
business importance, generating additional enterprise risk. Budgets may
get tight, but the CIO's responsibility remains the same: focusing on
how best to minimize risk.
Tighter budgets don't equal less attention for security. In fact, at
times like these, that may be the biggest mistake. The highest levels
of an organization are asking their CIOs, "How do we know we're
secure?" The only way to know is by understanding the risks, the return
on investment and how security not only fits into your other IT
priorities but also adds to the company's bottom line. Defending the
security budget is always a challenge, but here are four approaches
that can help.
1. Metrics make the most compelling argument. Is
your security risk going up or down over time and what is affecting it?
This is baseline data that every organization needs and should monitor.
If you cannot answer this clearly, realign your projects and priorities
to make sure you can get this information on an ongoing basis. Every
CIO should know at least three things: How vulnerable are my systems,
how safely configured are my systems and are we prioritizing the
security of the highest value assets to the business? Though security
metrics are in the early days of development and adoption, the industry
is maturing and solid measurements are available. These areas can be
assessed and assigned an objective numeric score, allowing you to set
your company's own risk tolerance and use that to make critical
decisions about where to allocate funds. As you face increased budget
scrutiny, the metrics allow you to identify—and defend as
necessary—where your security priorities are, and how security and risk
fit into overall ROI.
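The three questions above (how vulnerable are my systems, how safely configured are they, and are we prioritizing the highest-value assets) can be turned into one tracked number per asset. The following is an added example, not code from the article or from nCircle: the weights, the 0..100 scale, the benchmark check names and the three sample assets are all constructed for illustration, and the numeric severities stand in for whatever scanner output an organization actually collects.

```python
"""Added example: a risk-metrics baseline computed over constructed data.

Scores each asset on vulnerability exposure and configuration drift
against a baseline, weights the result by business value, and compares
the portfolio total across two measurement periods. All weights, scales
and sample data are constructed for illustration (assumptions, not an
industry standard).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    business_value: int             # 1 (low) .. 5 (critical), set by the business
    vulns: Dict[str, float]         # open finding id -> severity 0..10 (constructed)
    config_checks: Dict[str, bool]  # baseline check name -> passed?


def vulnerability_score(asset: Asset) -> float:
    """Mean severity of open findings, 0..10 (0.0 if nothing is open)."""
    if not asset.vulns:
        return 0.0
    return sum(asset.vulns.values()) / len(asset.vulns)


def configuration_score(asset: Asset) -> float:
    """Fraction of baseline checks that fail, 0..1 (0.0 if no checks)."""
    if not asset.config_checks:
        return 0.0
    failed = sum(1 for passed in asset.config_checks.values() if not passed)
    return failed / len(asset.config_checks)


def risk_score(asset: Asset) -> float:
    """Business-value-weighted risk, 0..100 (assumed scale).

    Exposure (0..10) and drift (scaled to 0..10) are averaged, then
    multiplied by business value (1..5) and by 2 so the maximum is 100.
    A critical asset with the same findings therefore scores 5x a
    low-value one, which is the prioritization question made numeric.
    """
    exposure = (vulnerability_score(asset) + 10 * configuration_score(asset)) / 2
    return round(exposure * asset.business_value * 2, 1)


def portfolio_report(assets: List[Asset]) -> Dict[str, object]:
    """Summarize one measurement period: total risk, riskiest asset, and
    the share of total risk sitting on assets the business rates critical."""
    scores = {a.name: risk_score(a) for a in assets}
    total = sum(scores.values())
    critical = sum(scores[a.name] for a in assets if a.business_value == 5)
    top: Optional[str] = max(scores, key=scores.get) if scores else None
    return {
        "total_risk": round(total, 1),
        "top_asset": top,
        "critical_share": round(critical / total, 2) if total else 0.0,
    }


def trend(previous_total: float, current_total: float) -> str:
    """Direction of the risk baseline between two periods."""
    if current_total < previous_total:
        return "down"
    if current_total > previous_total:
        return "up"
    return "flat"


# Constructed sample period: finding ids, severities and check results are made up.
Q1_ASSETS = [
    Asset("erp-db", 5,
          {"finding-1": 9.0, "finding-2": 7.0},
          {"password_policy": True, "remote_root_login_disabled": False,
           "patch_level_current": False, "audit_logging": True}),
    Asset("intranet-wiki", 2,
          {"finding-3": 5.0},
          {"password_policy": True, "remote_root_login_disabled": True,
           "patch_level_current": True, "audit_logging": False}),
    Asset("dev-build-box", 1,
          {"finding-4": 9.8, "finding-5": 8.1, "finding-6": 6.5},
          {"password_policy": False, "remote_root_login_disabled": False,
           "patch_level_current": False, "audit_logging": False}),
]

if __name__ == "__main__":
    for a in Q1_ASSETS:
        print(f"{a.name:15} risk={risk_score(a):5.1f}")
    print(portfolio_report(Q1_ASSETS))
```

On the constructed data the development box has the worst raw findings and fails every baseline check, but weighting by business value ranks the ERP database first; that ordering, and the period-over-period direction of the total, are the numbers a budget discussion can be anchored to.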
2. Compare your baseline to others in your industry.
The guarded nature of security data means CIOs trying to access this
type of information will have to get creative. A good place to start is
the Center for Internet Security—its consensus baseline configurations
can be used as a jumping-off point to identify areas of risk. Vertical
industry benchmarks are an evolving area, and another source may be
what you can learn from your personal relationships. Seek out others
within your industry and find out what metrics they are using and what
percentage of their IT budgets they are spending. Risk tolerance is
specific to each organization, but there are similarities within
industries that could prove helpful.
3. Learn from other areas in your company. Look to
process-oriented disciplines as a proxy for the type of evolution
facing security—network operations can be a good example. In the early
days, the only scrutiny came if things weren't working correctly. Over
the years it has matured to a level of operational metrics for uptime
and performance, embedded in quarterly and annual performance goals.
These metrics allow a continuous cycle of performance, measurement and
improvement. In addition, network operations can provide an important
lesson about single-solution economies of scale. Find solutions that
work across your entire enterprise—this is the only way to get
economies of scale in implementation and ensure that you get the
critical, enterprisewide risk metrics you need.
4. Take steps to automate your compliance process.
Are you compliant and can you routinely deliver the reports that
auditors request? The economic benefits that come from doing this
correctly are significant. Audit costs are directly related to how
complicated it is to audit and prove the integrity of a business
process, so finding a way to save the auditors' time is one of the
single biggest opportunities to drive down costs. Even though your
audit costs may be hitting the finance area's budget, meet with their
team to understand what audits are costing you, and how the right kind
of automation could lessen them. There will also certainly be time and
resource savings for the security team. There isn't an exact recipe for
compliance automation, so talk to your auditors, look at your
environment and begin the discovery of how much time is spent preparing
for and reacting to audits. If you're a company that allows your
divisions to individually automate, it's time to think about taking
those principles enterprisewide.
Regardless of budget conditions, you will still have to decide which
projects have the biggest impact on the business. The threat
environment requires that you make the absolute best decisions with
your available budget by investing in the right places and getting
better use of your resources. Lastly, remember that times of difficulty
are often times of opportunity. Lessons learned now in the face of
tighter budgets can spark valuable models of efficiency and progress
for the future.
Elizabeth Ireland is a vice president for nCircle Network
Security, a leading provider of agentless security risk and compliance
management solutions. Ms. Ireland previously held
senior management positions at Extensity and MapInfo and is a former
CPA with Ernst & Young with financial and computer audit
experience. She holds a BA in Business Administration, Accounting from
the University of South Carolina. She can be reached at eireland@ncircle.com.