Economic crisis could dramatically improve security in 2009
No – it’s not a typo, and, as far as I know, I haven’t lost my marbles (yet) either. The title is intended to read exactly as it appears. I suppose some explanation is in order…
If you keep abreast of what folks in the security industry are talking about with any regularity then you’ve probably read something lately about how the current economic crisis might affect corporate information security. For instance, layoffs could result in the loss of key security personnel and/or trigger retaliation from bitter employees. Others are worried that slashed budgets won’t allow security programs to buy what they need to buy, or do what they need to do. The list goes on.
[Midstream update: As I type this, I see The National Bureau of Economic Research has declared we’re officially in recession. Shocker. In other news, government sources also confirmed that temperatures in June were higher than in January.]
Despite what the title may lead you to believe, this post is not an attempt to refute these or other related hypotheses. In fact, I think there are some grounds for legitimate concern and I’ll be very interested to read any future studies that test whether or not the economic crisis had a significant impact on security (by the way, we do have our Investigative Response team looking out for signs of retaliation). What I haven’t seen yet are predictions that security will improve in 2009 due to the economic crisis. That may be because it probably won’t, but it could.
To make my point, I need to ask you to engage in a willing suspension of disbelief for the next few moments. Ready? Great, here we go.
Imagine, if you will, that your security budget has been chopped in half. Rather than following the example of many other organizations by spending 50% less on $NewSecurityThings, you decide to be different. Instead, you purchase only a few very critical $NewSecurityThings and do four things with what remains of your measly security budget:
1) Make sure your $OldSecurityThings are actually doing what you think they’ve been doing up to now.
2) Remediate any deficiencies found in Step 1.
3) Spend some time trying to identify and classify unknown or forgotten systems, data, connections, privileges, etc.
4) Apply $OldSecurityThings from Step 1 to discovered assets.
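The four steps above are an inventory-versus-reality reconciliation, and that part can be scripted. The following is an added example, not code from the original post or its author: it compares what a CMDB claims about systems and their controls with what a discovery export (scan, EDR console, log collector) actually shows, and separates "controls we think we have but cannot confirm" (Step 1) from "controls policy requires but are missing" (Steps 2 and 4) and "systems nobody inventoried" (Step 3). All hostnames, dates, control names and the CSV layout are constructed sample data; the reference date of 3 December 2008 is assumed.

```python
"""Reconcile what the inventory *claims* about systems and controls with what
discovery actually observes. Added example for this post's four steps; all
hostnames, dates and control names below are constructed sample data."""
import csv
import io
from datetime import date, timedelta

# Step 1 input: what the asset inventory/CMDB says is protected (constructed).
INVENTORY = {
    "web-01":  {"class": "internet-facing", "claimed": {"edr", "syslog", "patched"}},
    "db-01":   {"class": "cardholder",      "claimed": {"edr", "syslog", "patched"}},
    "hr-app":  {"class": "internal",        "claimed": {"syslog"}},
    "old-vpn": {"class": "internet-facing", "claimed": {"syslog", "patched"}},
}

# Policy baseline: controls each classification must actually have (constructed).
BASELINE = {
    "internet-facing": {"edr", "syslog", "patched"},
    "cardholder":      {"edr", "syslog", "patched"},
    "internal":        {"edr", "syslog"},
}

# Step 3 input: a constructed discovery export merging a network scan, the EDR
# console and the log collector. Empty fields mean "never seen".
DISCOVERY_CSV = """hostname,ip,edr_agent,last_log,last_patch,open_ports
web-01,10.0.1.10,1,2008-12-02,2008-11-28,80;443
db-01,10.0.2.20,1,2008-10-15,2008-11-30,1433
hr-app,10.0.3.30,0,2008-12-02,2008-09-01,443
test-box-7,10.0.9.77,0,,2008-03-12,80;3389
jenkins-old,10.0.9.78,0,,,8080
"""

LOG_MAX_AGE = timedelta(days=7)     # a control that is not reporting is not working
PATCH_MAX_AGE = timedelta(days=30)


def _parse_date(text):
    """ISO date or None when the source never saw the host."""
    return date.fromisoformat(text) if text else None


def observed_controls(row, today):
    """Translate raw discovery fields into the controls that are demonstrably working."""
    controls = set()
    if row["edr_agent"] == "1":
        controls.add("edr")
    last_log = _parse_date(row["last_log"])
    if last_log and today - last_log <= LOG_MAX_AGE:
        controls.add("syslog")
    last_patch = _parse_date(row["last_patch"])
    if last_patch and today - last_patch <= PATCH_MAX_AGE:
        controls.add("patched")
    return controls


def reconcile(inventory, baseline, discovery_csv, today):
    """Return the findings the post's steps need:
    unknown       - discovered systems nobody inventoried (Step 3)
    unreachable   - inventoried systems discovery could not see (Step 3)
    claim_gaps    - controls the inventory claims but discovery cannot confirm (Step 1)
    baseline_gaps - controls policy requires but that are not observed (Steps 2 and 4)
    """
    rows = {r["hostname"]: r for r in csv.DictReader(io.StringIO(discovery_csv))}
    result = {"unknown": [], "unreachable": [], "claim_gaps": {}, "baseline_gaps": {}}
    for host in sorted(rows):
        if host not in inventory:
            result["unknown"].append(host)
    for host, record in sorted(inventory.items()):
        if host not in rows:
            result["unreachable"].append(host)
            continue
        observed = observed_controls(rows[host], today)
        claim_gap = record["claimed"] - observed
        baseline_gap = baseline[record["class"]] - observed
        if claim_gap:
            result["claim_gaps"][host] = claim_gap
        if baseline_gap:
            result["baseline_gaps"][host] = baseline_gap
    return result


if __name__ == "__main__":
    findings = reconcile(INVENTORY, BASELINE, DISCOVERY_CSV, date(2008, 12, 3))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

The distinction between `claim_gaps` and `baseline_gaps` is the point: `db-01` is listed as forwarding logs but has not been heard from in weeks (the inventory is wrong, Step 1), while `hr-app` was never claimed to run EDR yet policy says it must (Step 2). The two hosts in `unknown` are the forgotten systems Step 3 is looking for, and the unreachable `old-vpn` is either decommissioned or hiding, which is worth finding out before buying anything new.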
It’s not a proposal likely to wow or frighten more money out of the financiers, but, based on our experience, it’s one that could dramatically improve security for most organizations in 2009. What do you think - have I lost my marbles?
Tags: Decision Making, Economic Crisis, Essential Practices, Information Security
Another aspect of ‘zero budget security’ is that there is a lot that can be done that doesn’t require money. Why spend $$$ on an IPS when your users are running as local admins and service accounts have simple passwords? Or test systems have web servers on them whether they need them or not? A low budget is a great opportunity to stop focusing on tools that stand outside the systems that actually do productive work and re-focus on configuration and password management. It’s time to start pushing back on vendors on things like service account usage and ‘required’ admin rights. We like to tell vendors ‘The only operation that requires local admin is creating other local admins. Can you explain why your application needs to do that?’ Stuff like that doesn’t require any cash and I think has a larger impact on security threats than some $$$ monitoring tool.
Posted by: Jeff Martin on December 3rd, 2008 at 2:52 pm
In your scenario, what’s to say that a 50% cut in budget would only reduce the ability to buy $NewSecurityThings? In many cases proposed 2009 budget cuts are restricting the ability to renew $OldSecurityThings and/or reductions in $CriticalSecurityStaff.
That said, your point of focusing on clean-up and the fundamentals of tracking down forgotten systems is spot on. Too many times folks are focused on purchasing brand new toys without making sure the foundations are in place and still in order.
Posted by: Rich F on December 3rd, 2008 at 4:17 pm
I said that I hadn’t seen anything that predicted security will improve in 2009 due to the economic crisis but that’s no longer true. I missed this: http://www.networkworld.com/community/node/33313.
It makes a completely different point, but I feel I should at least mention it to make up for my oversight…
Posted by: Wade Baker on December 3rd, 2008 at 10:10 pm
1. As times become tougher, companies pay more attention to fraud. This might give a lift to security budgets, or at least the authority of security to enforce policies.
2. Secondly, reducing budgets means increased acceptance of free software. This may allow companies to use tools and operating systems that may enable additional functionality.
Posted by: steve on December 4th, 2008 at 4:41 pm
@ Rich F:
Good point about 2009 budget cuts restricting not only the ability to buy $NewSecurityThings but also $OldSecurityThings and/or reductions in $CriticalSecurityStaff. If that’s the situation, one at least hopes that $OldWorthlessSecurityThings get the axe rather than $OldValuableSecurityThings. However, my cynical side makes me suspect that $Management’sPetSecurityThing will stick around while other $OldValuableSecurityThings disappear.
Posted by: Wade Baker on December 5th, 2008 at 9:17 pm
I take it that you are well aware of this situation already taking place.
A slow down in the procurement is definitely a plus for some organizations.
You will revisit your existing technologies, looking at how you can gain more value from them, and drive their use further.
You can now step back review policies and procedures, and document configuration settings. Not to mention training for the transfer of knowledge. For some of us there are uncertain times ahead, which unfortunately may result in lowering our pool of people, and losing some great skills and knowledge.
I am currently interested in how technology vendors will be able to handle this. Will we see more or less innovative products next year?
Posted by: Jason Tedesco on December 9th, 2008 at 2:26 am
You haven’t lost your marbles. In the coming year security budgets won’t increase, but we will need to do more with what we have, and in most cases, less. Historically, it has been shown that crime will increase as the economy worsens. Cybercrime has already been on the rise as we all know, and the recession will only help to fuel this rise. By revisiting your policies, procedures, and standards, you can only help to improve security.
Improving security doesn’t always mean spending; it can mean doing what we have stated we will do. Looking at what you have, determining the best way to leverage the existing data, and applying security metrics to it can be highly beneficial.
It is also a great time to educate yourself, reading and learning as much as you can, especially different viewpoints, and brushing up on the skills you have. Even if training budgets are cut, there are still ways to “google everything” and read up on security related blogs to see what other people are doing in the industry.
Posted by: Mike Epplin on December 18th, 2008 at 1:56 pm