Defending security in a weak economy

IT project managers may be facing budget cuts in the coming months, but with the right arguments, they can minimize the financial damage

With the current state of the U.S. economy, many IT project managers understand that their budgets may be trimmed in the coming months as companies look to adjust their spending.

By pitching the continued importance of their efforts to other business leaders in the right terms, IT security executives may be able to minimize the extent to which their finances are reduced and keep important new projects alive, according to a handful of high-profile chief security officers (CSOs).

Appearing at the CSO Perspectives Conference in Atlanta this week, Boulton Fernando, CSO of IndyMac Bank, outlined the challenges facing security leaders during the economic turmoil currently presented to companies like his own, which is navigating its way through the ongoing mortgage lending crisis.

Through strong planning and innovative thinking, he said, progress can continue to be made in issues of IT security even as business leaders scrutinize every penny they spend in the area.

"My agenda for 2008 is survival, we have to look at how to make it through difficult and challenging times and focus on how to the keep lights on in '08 and still make it through and be stronger in '09," Fernando said.

"Part of the plan was to show our board [projects] we wanted to do but can't afford, and they in turn said we still need to work on a lot of these things," he said. "Once you ask them how to address these types of issues and ask them what they want you to do, they often turn around and open their wallets."

In some cases, the best strategy to keep projects alive as spending flattens is to slow down new technology installations and move efforts from proactive status closer to risk avoidance, the CSO said.

Another useful tactic is to attempt to shift projects that have taken on a more operational bent, such as identity and access management, and push those over to other areas of the IT department.

Focusing on truly strategic efforts will make it harder for budget makers to cut away at security finances, Fernando maintains.

"These are also the most interesting projects to work on," he said. "But for something like anti-virus, evaluate products and then hand it over to IT operations teams and merely provide oversight; the same with firewalls."

Outsourcing is another strategy that flexes its true strengths during lean times, and companies should make sure they shop for the best rates in offloading any of their operations to that end, said Fernando.

For instance, IndyMac has found that it's sometimes cheaper to outsource some work to partners in Kansas and other areas of the U.S. than it is to move projects to popular places like India, where competition has driven up pricing.

Other CSOs said that cutting the fat out of security budgets wherever possible and presenting spending plans in the most straightforward manner are other keys in defending against cost-cutting.

"You have to start by assuming that you won't get all the money you ask for, decide what you really need, and present a budget 10 percent higher than that, if you approach things with the economic realities in mind, it's a lot easier to get what you really need," said John Stewart, CSO at Cisco Systems. "It's also important to cut out anything you might not need or can't get to; you don't want to ask for more money for things that you can't do and risk losing money in future years."

Stewart said that security teams can also use any time freed up by projects that are put on hold to forward lower-cost efforts, such as employee education programs, that will also help lower overhead expenses.

"So many security problems are not related to spending money, but are more around people and process change," Stewart said. "If you can convince more people not to plug infected devices into your network, if you eliminate some of the initial behaviors that end up costing you time and money fixing the problems they create, that's another great way to reduce costs."

At the Source Boston 2008 conference last week, other IT security leaders offered similar advice in relation to using detailed planning and tying projects to larger business initiatives to prevent dollars from being taken out of the budget.

"You really have to manage your innovation pipeline like an investment, and if you start talking about things in this way to people who provide the money, they start seeing business drivers, how your projects can make them more nimble and profitable, and you can use that as ammo to make more investments," said Chris Hoff, chief architect of security innovation at Unisys.

"Ultimately, the more I can provide transparency about how I spend money, I can get more money and headcount," he said. "This tends to work best when I can demonstrate how I'm spending money for the right reasons, and really making a difference and not just buying toys."