Defending security in a weak economy

With the current state of the U.S. economy, many IT project managers understand that their budgets may be trimmed in the coming months as companies look to adjust their spending.

By pitching the continued importance of their efforts to other business leaders in the right terms, IT security executives may be able to minimize the extent to which their finances are reduced and keep important new projects alive, according to a handful of high-profile chief security officers (CSOs).

Appearing at the CSO Perspectives Conference in Atlanta this week, Boulton Fernando, CSO of IndyMac Bank, outlined the challenges facing security leaders during the economic turmoil currently presented to companies like his own, which is navigating its way through the ongoing mortgage lending crisis.

Through strong planning and innovative thinking, he said, progress can continue to be made in issues of IT security even as business leaders scrutinize every penny they spend in the area.

"My agenda for 2008 is survival, we have to look at how to make it through difficult and challenging times and focus on how to the keep lights on in '08 and still make it through and be stronger in '09," Fernando said.

"Part of the plan was to show our board [projects] we wanted to do but can't afford, and they in turn said we still need to work on a lot of these things," he said. "Once you ask them how to address these types of issues and ask them what they want you to do, they often turn around and open their wallets."

In some cases, the best strategy to keep projects alive as spending flattens is to slow down new technology installations and move efforts from proactive status closer to risk avoidance, the CSO said.

Another useful tactic is to attempt to shift projects that have taken on a more operational bent, such as identity and access management, and push those over to other areas of the IT department.

Focusing on truly strategic efforts will make it harder for budget makers to cut away at security finances, Fernando maintains.

"These are also the most interesting projects to work on," he said. "But for something like anti-virus, evaluate products and then hand it over to IT operations teams and merely provide oversight; the same with firewalls."

Outsourcing is another strategy that flexes its true strengths during lean times, and companies should make sure they shop for the best rates in offloading any of their operations to that end, said Fernando.

For instance, IndyMac has found that it's sometimes cheaper to outsource some work to partners in Kansas and other areas of the U.S. than it is to move projects to popular places like India, where competition has driven up pricing.

Other CSOs said that cutting the fat out of security budgets wherever possible and presenting spending plans in the most straightforward manner are other keys in defending against cost-cutting.