Five Tips for Managing Security in a Recession

In the current economic downturn, many companies are cutting costs, and security expenses are frequently part of the equation when considering where to save or spend money. (Read: IT Security Spending Up for Some.) New research released Monday by RSA, the security division of EMC, tapped the expertise of ten large companies with dedicated security executives and operations and asked: How can security be managed, and even drive innovation, in the current economic downturn?

CSOs and CISOs from companies such as Cigna, eBay, Motorola and JP Morgan Chase lent their perspective on how to tackle cost challenges and, in some instances, even make the case for security investment when businesses are so wary of spending.

Art Coviello, president of RSA, gave us an overview of the five key points of the research.

Prioritize based on risk/reward

In the current economic climate, some risk may not be worth the investment, according to the research, which advises businesses to know how to prioritize. Decisions on spending should factor in not only where the greatest risks lie, but also where the greatest opportunities can be found.

The report, titled "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy," also suggests tough judgment calls will be inevitable as organizations figure out which risks must be addressed immediately and which aren't worth the cost. Coviello pointed to a large bank client as an example. The bank had invested in a customized solution from RSA to reduce fraud, but it was costing $2 million annually to operate with all of what Coviello called "the bells and whistles."

"The question became if it was worth the $2 million dollars in cost for this risk and the answer was no," he said.

The report also suggests shifting focus from the deployment of the latest security technologies to a converged security approach in the areas where the business is going.

"You'll be much more likely to get funding for your risk management efforts if you can demonstrate that your security controls will address multiple areas of risk at once," the report states. "For example, knowing who has access to what systems can help prevent fraud."

Have the right mix of people on your team

As budgets get slashed, personnel often get cut, too. Now, more than ever, staffing with the best is essential.

"Having the right people on the core security team is more important than ever because you'll have to rely on them even more," the report states. "Members of the core security team need to have a risk/reward frame of mind and an exceptional set of skills."

Coviello also suggests repurposing people to avoid layoffs and to strategize more efficiently. That was the case recently at RSA when security incident and event manager systems allowed more automation of events. Staff who were previously in charge of tasks now automated were reassigned.

"We didn't lay those people off. Instead of growing our cost base 25 percent we were able to keep it flat," said Coviello.

Build repeatable processes

Creating standardized ways of doing things can go a long way towards creating efficiencies, states the report. Different units often have different ways of doing the same things. Can that be changed to run security more efficiently?

Coviello pointed to what the report refers to as "low hanging fruit" for easily gaining efficiencies, such as identity and access management. Does every division really need, for example, a different ID Admin Request mechanism or a different Privilege Access Management System?

"A key point is, don't reinvent the wheel," said Roland Cloutier, CSO with EMC Corp., in the research summary. "There are incredible opportunities throughout a company to leverage assets from other groups to reduce the cost of ensuring the protection of a company. That may be from IT, Audit, or the Finance group. Spend the time looking at what's already been done rather than just going and doing it again. Then trust and use the information from your internal partners."

Create an optimal shared cost strategy

"Everyone has their hand out for shared costs these days and a lot of those hands are getting slapped," said Coviello. "But the thought here is security needs to be considered in any budget and you shouldn't just rely on the core security organization to constantly be funding these. It's fundamental to any effort that you have."

According to the research, there are three categories of security activities, and each is typically paid for differently. The three categories are security strategy and knowledge management, critical day-to-day operations, and project engagement. Determining cost sharing can be tricky, but it is essential.

"In an era when the business environment is very dynamic, how do you distribute the resources where they're needed?" said Bill Boni, corporate vice president of information security and protection for Motorola, in the report. "How does the security team guess how many resources they're going to need in order to manage all of the requirements across the organization? Instead of building a security empire, have the organizations own the incremental assets. Security provides the standards and has a governance program."

Automate and outsource wisely

"The name of the game is cost effectiveness," said Coviello, who advised companies to consider all of the implications of outsourcing before making a decision. "Considering outsourcing should be a combination of factors. If it's just cost, you are making a mistake."

While outsourcing can create efficiencies and cut costs, companies should also consider that it adds security risk in some instances, said Coviello, as the potential for data loss exists when trusting another party with an organization's sensitive information.
