It is no secret that times are tough. This economic downturn has hurt organizations of all sizes, and unfortunately, IT often gets hit with the brunt of budget cuts. Layoffs, cancelled projects and reduced funding force IT management to sharpen their pencils and make do with less. Within IT, information security is a common target for cutbacks. Some managers perceive security as lacking the returns on investment in comparison to a new e-commerce application or high-performance storage appliance.
It is possible for customers to maintain security amid budget cuts. Through a combination of streamlined processes and multifunction technologies, security solution providers can help customers lower the costs associated with information security without reducing effectiveness. For service providers, this is an opportunity to help budget-strapped customers with services and deployments that maximize investments.
Cutbacks create security risks
Reducing staff or security resources has risks, but they are often overlooked in budgeting meetings and discussions. Harried managers may succumb to the "optimism bias" and believe that the lack of any obvious, immediate security problems warrants cutting security staff or projects. Cuts do have an obviously negative effect on security, but customers may not recognize some of the less obvious risks:
As a solution provider, the best way to help customers is to educate them about these risks and propose ways to avoid them. This two-part article presents some strategies and tactics for how service providers can help organizations who are facing (or have already experienced) cutbacks.
One of the more daunting aspects of security is the need to remain constantly vigilant. Reducing IT staff will not reduce the number of issues an IT department must handle, and security attacks do not decline when people are laid off. In fact, organized cybercrime thrives on the lax security of a bad economy. Layoffs also usually increase insider theft and misuse, creating even more security risks for the IT department to handle.
Managed or outsourced services are an ideal way to help customers through periods of reduced headcount. However, some services are more easily outsourced than others. Many security functions require regular maintenance, analysis or monitoring to be effective. For example, event and security logs need to be regularly reviewed to determine if there are any security problems. Intrusion prevention/detection systems also require routine "care and feeding."
With cutbacks looming, most IT departments, especially at smaller organizations, lack the resources to dedicate staff to routine maintenance or analysis tasks. Offering a security analysis or review service once a week or month can help a customer maintain vigilance at a fraction of the cost of hiring full-time staff.
The key to successfully selling managed services is being able to demonstrate the value of the service and the cost savings. Many organizations see managed security services as just another cost that must be cut in tight times, but when compared to full-time employees' salaries and expenses, managed services are usually far more efficient.
Another objection that customers may raise is their desire to do everything in-house. Some IT people believe that outsourced services make them look bad, as if the staff cannot handle the work. In reality, outsourcing extends and enhances the ability of IT people to do more work. It frees them to focus on more complex problems or to help internal staff improve processes or systems.
Outsourcing has other drawbacks that solution providers should consider before going to market with outsourcing options. One challenge is understanding the larger business issues. An outside consultant will not be involved in the daily operations of the business, and may miss many nuances that do not translate into a managed service. For example, a technician may be able to analyze logs and identify an intrusion, but that person may not understand the context of that event in relation to other activities within the organization.
There are ways around this problem. Solution providers delivering managed services must also manage expectations with customers. This means having a clear understanding of what the customer expects you to accomplish, and also an acknowledgement of the limits of what the service can do. Moreover, technicians need to communicate with the customer on a regular basis. Reassuring emails and phone calls may seem like a waste of time to a technician, but they can make the difference between a satisfied and an unsatisfied customer, whose only interface with the service might be those communications. More generally, it is important that consultants respect the customer's perspective on the relationship.
In our next tip, we'll explore other ways to maintain security vigilance after budget cuts. We'll review how to find security gaps, condense security operations and work more effectively with customers.
About the author:
Andrew Plato, CISSP, CISM and QSA, is president and principal consultant at Anitian Enterprise Security. Andrew has over 20 years of experience in information systems, networking and computer security. Prior to running Anitian, he was a database developer and technical writer for Microsoft. From 1997-2000 he helped develop the BlackICE intrusion prevention system for NetworkICE Corp. which was later acquired by Internet Security Systems.