Source: CSO

Opinion: Cutting Security Costs Won't Recession-Proof Your Company

Got the recession blues? Need to shave expenses? Guest columnist Ben Rothke says you should turn off the heat before you cut security staff.

By Ben Rothke

February 06, 2008, CSO

As 2008 starts, the short-term economic outlook is not pretty. Whether you call it a recession or a correction, the reality is that profits are down, bankruptcies are up, foreclosures are soaring, and the overall economic outlook is bleak. Companies are responding by cutting back IT budgets and staff.

With all of the cost cutting and layoffs, information security is one area that can’t afford to be cut.

First off, since 2001 CERT has argued that the insider is the most insidious security threat (www.cert.org/insider_threat). Insiders can be current or former employees and contractors who have (or had) authorized access to their organization’s systems and networks. Access plus a familiarity with internal policies, procedures, and technologies can enable these individuals to conduct attacks or collude with external attackers.

With projects being cut, organizations will naturally take the opportunity to release associated contractors and staff. Some of these people will transform from trusted insider to malicious outsider. Security incidents naturally rise during times of trouble with disgruntled staff. Significantly, it’s not just actual terminations that create security concerns - the mere threat of job loss can drive trusted employees to do nefarious things. In January of this year, a Florida woman reportedly saw a help-wanted ad in the newspaper for a position that looked like her current job, and even had her boss’s phone number listed. Assuming she was about to be terminated, she allegedly went to the architectural office where she worked and deleted seven years’ worth of drawings and blueprints, worth an estimated $2.5 million. (The job posting was in fact for the company of the boss’s wife.)

It is at times like these that more information security is actually needed to handle the rise in incidents. Having a reduced staff only raises the probability that such incidents will be overlooked or not handled until the damage is done.

The mission-critical aspect of information security should be seen like the heat in your building. It is an integral part of the infrastructure and working environment, and the idea of cutting it should be non-negotiable.

Pragmatic organizations, especially those within the financial services sector, are battle-tested enough to know that cutting back on information security is imprudent. Organizations that follow their lead won’t suffer the inevitable outcome of those that are shortsighted enough to pursue short-term cost savings by cutting their information security staffs.

Ben Rothke, CISSP, QSA, is a Senior Security Consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know. Reach him at ben.rothke@bt.com.
