Firms Not Cutting IT Security SpendingStewart Baines
With IT budgets flat or declining, you might have expected security spending to be similarly under pressure. But it seems CIOs faced with rising threats—including those from malware and disgruntled employees—have decided that it pays to be wary.
Indeed, several surveys have reported that enterprises are increasing their security budgets in 2009 despite cuts in overall IT budgets, with tech chiefs expecting security issues to grow this year as a result of the economic uncertainty.
Speaking to IT directors, the story is the same: downturn or not, cutting security spending is not worth the risk.
Jane Kimberlin, the IT director of Domino's Pizza, which is bucking the trend of depressing financial results thanks to diners downsizing to a takeaway, said: "We are in fortunate position of finding the downturn not affecting sales. Consequently I am not experiencing any budget constraints at all.
"Having said that, I don't think we would ever reduce our security budgets. I often talk to other CIOs in the FTSE 250 and it's not something anyone has said they would do."
Similarly David Supple, IT director for Ecotec, a management consultancy working in the public sector, said despite the tricky economic climate: "Overall our IT security budgets are not down a lot."
Crisis, what crisis?So with IT security budgets largely intact, are companies well prepared for the challenges ahead? Over the past year there have been a string of high profile data breaches, and embarrassing cases of lost laptops, USB drives and CDs in the public and private sector.
But the fear is that such mistakes could be replaced with the deliberate theft of data, with disgruntled former employers made redundant in the downturn fuelling the insider threat to IT security.
Alan Rodger, senior research analyst, Butler Group said: "The insider threat is the most significant. With people's jobs coming under threat, some will make the most of the opportunity before they leave. For others, simply being told their pay is being cut might inspire them to breach security.
"Investment over the years has focused on security threats outside of the organisation but I believe companies now need to spend a lot more time looking at the threats from within."
Rodger's stance is underlined by a recent Ponemon Institute survey of 950 people who had lost or left their jobs during the last 12 months. The research found nearly 60 per cent of them took company information, such as customer contacts, when they left.
The threat of flexibilityAs the downturn rumbles on, there is pressure from business managers to be more flexible and cut costs: get closer to customers, work from home more often, and reduce the overhead on centralised offices. The counterpoint is that data leaves the once fortified confines of a company's premises.
"My internal customers need to be more mobile and so we have seen an explosion of devices on market like netbooks which help them do this. I have to get the balance between making services accessible and security, and security has to win every time," Domino's Kimberlin said.
"But we have to recognise that there is a blurring between our work and personal lives so if our employees want to use social networking for instance, we let them do it as long as it doesn't compromise our security," she continued.
Ecotec's Supple added: "Employees are working at weekends and in the evenings from home, maybe when they were not doing it before and using equipment that is not ours," adds Supple. "Our perimeter has grown."
So what can an IT director do when faced with conflicting pressures to make working practices more flexible, yet make access to sensitive corporate data more secure, particularly when there is little money around for investment in anything other than business-as-usual security? The trick is to focus investment on where it makes a difference.
Butler Group analyst Rodger said: "Over the years, most IT security projects have not had to be qualified by a business case but that is changing. Many businesses are recognising that they need to assess the risk, and find a balance between financial cost and the probability of a breach happening.
"When you understand the risk—and how the economic crisis could increase risks—you stop making short-term cost savings in the IT security budgets in ways that leaves you open to the worst risks."