Gartner, the research company, recently issued a stark warning to businesses. Organisations facing financial difficulties are contemplating deep cuts in IT spending, and with it, their IT security budgets.
But to do so, Gartner argues, would be both counter-productive and dangerous.
“Many organisations will spend less on security during 2009 and 2010, and some will later regret those cutbacks,” wrote Jay Heiser, Gartner research vice president, responsible for risk management and security.
Whilst it is not unusual for industry analysts to issue warnings to their clients, Gartner's research note is especially strongly worded. Moreover, Heiser's warning echoes a growing fear among IT security experts: that organisations will make short-term cuts to their information security infrastructure that could expose them to vastly greater losses later on.
As Heiser puts it, organisations should “ensure that a basic level of IT infrastructure protection is considered a mandatory part of the operations budget”, although the research firm also cautions CIOs and CISOs to be prepared for budget cuts, and reminds them of the need to ensure that information security budgets are aligned to the business' requirements. CIOs need to make “security failure the responsibility of business managers”, Gartner says.
Part of the furniture
The number of reports suggesting that CIOs are under pressure to cut IT spending has risen steadily over the last 12 months, as the recession has started to bite. At the same time, organisations have found that some IT vendors have increased their costs, especially for support and maintenance, at rates in excess of inflation.
There is little in the way of specific evidence that information security vendors are part of this trend; in fact some areas of information security have become cheaper.
Information security technologies have commoditised, and vendors have either bundled products together in information security suites, or products that were once bolt-ons are now part of basic IT infrastructure. For organisations using Microsoft technology, ‘free with the OS’ tools such as BitLocker and Windows Defender might well be able to replace paid-for technologies, at least for end users with more basic information security requirements.
“We are not seeing the cost of security technologies rise, in fact it is a little bit of the opposite,” says Howard Schmidt, president of the Information Security Forum. “Security is being built into the infrastructure. In fact it is difficult to say how much of an IT budget goes on security: firewalls, anti-malware tools and intrusion prevention are [now] part of the infrastructure and some organisations don't see that as part of security spending.”
Overall, however, spending on information security is rising. Gartner, for example, expects most of its clients to spend more on security technologies this year.
A broader mission
Information security threats to businesses and other large organisations are certainly on the increase: in tougher economic times, crime tends to increase and cybercrime is unlikely to prove to be an exception.
However, competition in the infosec marketplace is largely forcing technology vendors to absorb some, or all, of the costs of dealing with a larger and more complicated threat landscape.
Few large IT security vendors will admit to passing on higher research and development costs, for example, even though they are facing a much greater task of tracking and analysing malware. Symantec, for example, had collected 800 000 malware samples in its entire corporate history up to the end of 2007. In 2008, it collected one million new signatures. “The cost associated with that is huge,” says Guy Bunker, Symantec's chief scientist.
Broadly, however, the cost of security software has not risen in line with the volume of threats; it has risen far less. The main reason information security budgets are growing is that the scope of information security is widening.
“We are seeing increases in two areas: fear, and recognition,” says Richard Harrison, a security specialist at management consultants, PA Consulting. “There is a general increase in fear, because of confidentiality and worries about attacks… organisations are also more conscious about the impact of information security on their reputations.”
A few years ago, few organisations would have paid much attention to information security technologies such as whole-disk encryption or data loss prevention, with the possible exception of those that handle sensitive personal or government data. Now, such technologies are increasingly mainstream business tools for large businesses.
Many organisations have also had to increase security measures around specific business processes, as a result of government or industry mandates, such as the PCI Data Security Standard (PCI DSS), which governs organisations that store, process or transmit payment card data. Organisations have also found that their spending in areas such as compliance and auditing systems has increased, again as a result of mandates but also because of a need to be able to measure the impact of accidental data losses, as well as malicious attacks.
“Nothing has really changed with the classic defence in depth over the last year or two” suggests Gunter Ollmann, chief security strategist at IBM ISS. “Data loss prevention, firewall and anti-virus software is improving, as it is being updated with new signatures and engines. But the costs of managing security are increasing. The number of vulnerabilities and attempts to attack your organisation are increasing, so more people are needed to analyse log files and to monitor what is going on.”
People, processes and automation
One area where IT departments can look to cut costs is by reducing the number of people employed to carry out routine security checks, or at the very least, to stop headcounts rising.
Areas such as patch management, dealing with staff passwords and credentials, maintaining endpoint security systems such as anti-virus and firewalls, and dealing with logs and security monitoring are areas that could either be outsourced, or automated.
According to IBM's Ollmann, managed security services offer a quick way for organisations to take costs out of their IT operations, by transferring labour-intensive information security tasks such as log monitoring to third parties, who can apply scale economies to the task.
Providing 24/7 monitoring of a firewall via an in-house team takes four people, Ollmann suggests, but a specialist provider can do the work at a much lower cost. IBM estimates that companies can save between 40% and 60% of their IT budget this way.
But IT security teams should also look again at their working practices, to see whether automation could also free up staff time. According to Nick Seaver, a director in Deloitte's Security and Privacy team, automation tools have improved significantly over the last five years.
“A lot of what organisations wanted to do automatically, say four years ago, was beyond the reach of the technology. So IT teams had to do things the hard way,” he says. “There are now a lot of promising technologies out there. You can unwind a lot of manual processes. Take access certification, which was an incredibly difficult task. Today there is technology out there that makes that a lot easier to automate.”
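Access certification is a good illustration of the kind of repetitive review that can be automated. The script below is an added example, not code from the article or from any vendor it quotes: it takes an HR roster and an application access export (both constructed inline for this example), auto-clears entitlements that are held by an active employee, recently used and appropriate to their department, and surfaces only the exceptions that a manager actually needs to look at. The role names, the 90-day staleness window and the rule that privileged roles belong to IT or security staff are assumptions chosen for the example.

```python
"""Automated access-certification pass.

Added example (not from the article). Inputs are constructed sample data.
Assumptions: a 90-day "unused" threshold, and that 'admin'/'dba' roles are
only expected in the 'it' and 'security' departments.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    active: bool          # False once HR has marked the person as having left


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    system: str
    role: str
    last_used: Optional[date]   # None means the entitlement has never been used


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    role: str
    reason: str


PRIVILEGED_ROLES = {"admin", "dba"}            # assumed set of high-risk roles
PRIVILEGED_DEPARTMENTS = {"it", "security"}    # where those roles are expected
STALE_DAYS = 90                                # assumed inactivity threshold

REASON_ORPHANED = "orphaned: no active employee in HR roster"
REASON_STALE = f"stale: not used in the last {STALE_DAYS} days"
REASON_PRIVILEGED = "privileged role held outside IT/security"

TODAY = date(2009, 6, 1)   # fixed reference date so the example is deterministic

# Constructed sample data: fictitious people and systems.
ROSTER = [
    Employee("alice", "finance", True),
    Employee("bob", "it", True),
    Employee("carol", "sales", False),   # carol has left the company
]
ACCESS = [
    Entitlement("alice", "erp", "ap_clerk", TODAY - timedelta(days=5)),
    Entitlement("alice", "erp", "admin", TODAY - timedelta(days=10)),
    Entitlement("bob", "erp", "admin", TODAY - timedelta(days=3)),
    Entitlement("carol", "erp", "ap_clerk", TODAY - timedelta(days=120)),
    Entitlement("dave", "crm", "viewer", None),   # dave is not in HR at all
    Entitlement("bob", "crm", "viewer", TODAY - timedelta(days=200)),
]


def certify(roster: List[Employee], access: List[Entitlement],
            today: date) -> Tuple[List[Finding], List[Entitlement]]:
    """Split an access export into (exceptions to review, auto-cleared entitlements).

    Orphaned entitlements are reported once and not checked further, since the
    only sensible action is removal. Other entitlements can carry more than one
    finding (e.g. both stale and privileged).
    """
    employees = {e.user_id: e for e in roster}
    exceptions: List[Finding] = []
    cleared: List[Entitlement] = []

    for ent in access:
        emp = employees.get(ent.user_id)
        if emp is None or not emp.active:
            exceptions.append(Finding(ent.user_id, ent.system, ent.role, REASON_ORPHANED))
            continue

        problems = []
        if ent.last_used is None or (today - ent.last_used).days > STALE_DAYS:
            problems.append(REASON_STALE)
        if ent.role in PRIVILEGED_ROLES and emp.department not in PRIVILEGED_DEPARTMENTS:
            problems.append(REASON_PRIVILEGED)

        if problems:
            exceptions.extend(Finding(ent.user_id, ent.system, ent.role, p) for p in problems)
        else:
            cleared.append(ent)

    return exceptions, cleared


if __name__ == "__main__":
    exc, ok = certify(ROSTER, ACCESS, TODAY)
    print(f"{len(ok)} entitlements auto-cleared, {len(exc)} need a manager's decision:")
    for f in exc:
        print(f"  {f.user_id:6} {f.system:4} {f.role:9} {f.reason}")
```

On the sample data the pass clears two of six entitlements and leaves four exceptions (one stale, one privileged-outside-IT and two orphaned), which is the list a manager certifies instead of the whole export. In practice the roster and access export would come from the HR system and each application's own report, and the run would be scheduled rather than invoked by hand.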
Seaver suggests, however, that CIOs and CISOs should look at their business processes before rushing to invest in yet another tranche of information security technology, with another set of licence fees.
“You need to know what you are spending your time doing. Look at what is making the best use of your time, and look at what can be done in a better way. We do see a lot of people in security spending a lot of time doing repetitive tasks, for example: because a system is not working as it should. Short-term fixes often become permanent.”
Striking a deal
Organisations might also be able to reduce the time devoted to IT security, by reducing the number of vendors they buy from.
At the simplest level, giving information security staff fewer tools should mean fewer user interfaces to learn and fewer packages to support. Areas such as unified threat management take this to the next level, offering a single application with more features, but at the very least, a common management interface.
Another approach is to look at systems and assess whether they are fully used, or whether features, including security features, are still necessary. It might be that databases protected with sophisticated identity and access management systems no longer hold sensitive data. Or a newer system, deployed elsewhere in the business, might offer functionality that is at least as good, at a lower cost.
“Just doing a manual audit of the data centre can help get rid of a number of licences,” suggests Symantec's Bunker. “There are a number of places where you can control costs, without cutting IT capabilities.”
In the current economic environment, information security vendors should also be willing to negotiate favourable terms with customers who consolidate their spending, for example by moving from best of breed products to a suite. In some cases, a large IT vendor or integrator might be able to rein in security costs by acting as a lead partner, buying and managing important niche tools at a lower cost.
Most of all, however, IT departments should review their current information security spending, to see where it can be made to work harder.
“If you go back through all your contracts you will find that the level of support you are paying for today is much higher than you need, even if it was right five years ago,” says Nick Seaver. “You might have technology that is not as critical as it was, or you might be paying for 24/7 support, which you don't actually use.” He adds that as technologies mature, internal IT departments are often better able to support them at a lower cost than the vendors' premium offerings.
“We are certainly looking for better value,” says Rob Delany, IT manager of Edcoms, a consulting and research firm.
“For example, we switched from our existing anti-virus vendor to Sunbelt because the existing vendor didn't offer a discount, even for a three-year deal, but Sunbelt was cheaper even for one year. I would certainly say you should bargain with your vendors; they might be especially willing to do a deal to have their product in the door, and to build a long-term relationship.”
Avoiding death by a thousand cuts
But whilst there are savings to be made, CIOs and CISOs need to tread carefully to avoid putting their organisations in a position where a relatively small cost saving now triggers a much greater loss in the future, or where, as Gartner warns, they might breach operating licences.
“The cost of security incidents is high,” warns PA Consulting's Harrison. “Being able to manage out those instances is more cost-effective than dealing with them when they occur, and dealing with the reputational damage or lost opportunities and lost customers.”
“This is not the time you can afford to have a [data] loss,” agrees the ISF's Schmidt. “So the message to those asking why you have that many projects, is whether they want to prioritise IT infrastructure, information security or free soft drinks in the canteen. The question is not can we afford to do security, but can we afford not to do security?”