The tanking economy makes it a scary time to be on the frontlines of computer security. But the alternative — no company, no job — clearly is worse. So if you’re peering into your 2009 crystal ball and wondering how on earth you’ll keep the bad guys out in the middle of a financial meltdown, I hope you’ll keep the following core truths of IT security in mind:
- Your security budget has never been more crucial. Recession-era strategies often involve cutting back, hunkering down and waiting out the storm. In the security space, however, strategies like that will lead to disaster. While you may think you can spend less on security in the coming year, you do so at your peril. Like trying to squeeze more miles out of tires that should have been replaced months ago, any nips and tucks to the security budget will return false savings at best, and set the stage for disaster at worst. Match any possible savings against what it’ll cost you and your company in the event of a data breach or loss. You’ll quickly realize the risk is incalculable.
- The risk landscape is getting riskier. You’re not the only one dealing with tough times. Criminals have it rough, too, and as a result, they’re getting ever craftier. The coming year will see evolving forms of malware, drive-by attacks, complex phishing scams and greater use of mobile and Web 2.0 tools. You won’t be able to beat them by memorizing last year’s playbook. My advice? Stay current and be vigilant. The criminals certainly are.
- Your CEO hates this stuff. While it’s true IT leaders in general face a bleak year convincing C-level executives that their latest initiatives need to be funded, security faces an additional challenge: It’s just not that sexy, and to the non-techie corporate executive, it isn’t worth discussing unless it contributes to the bottom line. Make sure your language focuses on the value proposition of risk management — and toss in some hard facts about the bankruptcy your organization inevitably faces if your message is rejected.
You can look at these truths in two ways: as showstoppers or as opportunities. Since my mother raised me to see the glass as half full, I side with the opportunity seekers. And there’s plenty of opportunity for security professionals who don’t just want to survive the next year but who plan on using adversity as a means of raising their game.
For example, when times are good, too many people are chattering, and security folks — never the stars of the party anyway — can barely be heard. Now, the floor is yours. When people are scared, they clam up. Like visiting an amusement park on a rainy day, this is an ideal time to get your message across, to sell the virtues of proactive investments in security infrastructure and operations.
To solidify your place on the floor in 2009, you’ll need to partner up. Lines of business that have lived through staff and budget cuts can no longer fly solo; they need input from across the organization. It’s a golden opportunity for security experts to jump in and figure out creative ways to work together. They’re more motivated now than ever to take your call.
Vendors, too, are more motivated to talk — and to make deals. When their phones stop ringing, they suddenly become much more open to easing terms that even a few months ago were nonnegotiable. The balance of power has shifted, which means now is the time to revisit existing deals and sweeten them in your favor.
There are countless reasons why most of us would rather spend 2009 hiding under a rock instead of facing the cold reality of managing security infrastructure and operations. The most serious economic downturn since the Great Depression already is forcing IT security professionals to defend spending and justify projects that in better times wouldn’t have been challenged. As 2009 unfolds, the internal pressure to do more with less will only intensify. Now is your chance to prove the worth of continued investments in security.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at firstname.lastname@example.org.