It is no secret that times are tough. This economic downturn has hurt organizations of all sizes, and unfortunately, IT often bears the brunt of budget cuts. Layoffs, cancelled projects and reduced funding force IT management to sharpen their pencils and make do with less. Within IT, information security is a common target for cutbacks. Some managers perceive security as offering a poorer return on investment than a new e-commerce application or a high-performance storage appliance.
It is possible for customers to maintain security amid budget cuts. Through a combination of streamlined processes and multifunction technologies, security solution providers can help customers lower the costs associated with information security without reducing effectiveness. For service providers, this is an opportunity to help budget-strapped customers with services and deployments that maximize investments.
Cutbacks create security risks
Reducing staff or security resources has risks, but they are often overlooked in budgeting meetings and discussions. Harried managers may succumb to the "optimism bias" and believe that the lack of any obvious, immediate security problems warrants cutting security staff or projects. Cuts do have an obviously negative effect on security, but customers may not recognize some of the less obvious risks:
- Overtaxing – Having fewer people to complete the same amount of work opens the organization to numerous security risks. Overtaxed staff may make more mistakes or ignore threats that may not seem to present an immediate risk to daily operations.
- Outdated security – Security is a thriving organism in which both attackers and safeguards are constantly evolving and maturing in response to new vulnerabilities. Five-year-old security technologies are outdated and prone to failure. Putting off an upgrade for another year leaves valuable assets open to new attack tactics or vulnerabilities.
- Short term planning – Budget cuts often result in "short-term" decision making. This results in security deployments that merely solve an immediate problem and do not integrate into a larger security or compliance effort, which can lead to problems later when the "Band-Aid" deployment becomes the new de facto standard for the company.
- Non-compliance – Hard-won efforts to become compliant with standards (such as the Payment Card Industry Data Security Standard, or PCI DSS) can quickly unravel in the face of employee churn, lax security or cutbacks.
- Event-driven focus – Reducing staff shifts the organization's focus from strategic planning and governance to a more event-driven or "fire-fighting" mode. This can exhaust staff and reduce its ability to detect and respond to security incidents.
- Morale – Layoffs tend to lead to poor morale in any organization. If people suspect they are going to lose their jobs, they are much more likely to steal data, sabotage systems, hold systems or data hostage or worse. This is particularly problematic if the cuts involve people with administrative rights to systems.
As a solution provider, the best way to help customers is to educate them about these risks and propose ways to avoid them. This two-part article presents some strategies and tactics for how service providers can help organizations that are facing (or have already experienced) cutbacks.
Managed services, outsourcing helps with security maintenance
One of the more daunting aspects of security is the need to remain constantly vigilant. Reducing IT staff will not reduce the number of issues an IT department must handle, and security attacks do not decline when people are laid off. In fact, organized cybercrime thrives on the lax security of a bad economy. Layoffs also usually increase insider theft and misuse, creating even more security risks for the IT department to handle.
Managed or outsourced services are an ideal way to help customers through periods of reduced headcount. However, some services are more easily outsourced than others. Many security functions require regular maintenance, analysis or monitoring to be effective. For example, event and security logs need to be regularly reviewed to determine if there are any security problems. Intrusion prevention/detection systems also require routine "care and feeding."
With cutbacks looming, most IT departments, especially at smaller organizations, lack the resources to dedicate staff to routine maintenance or analysis tasks. Offering a security analysis or review service once a week or once a month can help a customer maintain vigilance at a fraction of the cost of hiring full-time staff.
The key to successfully selling managed services is being able to demonstrate the value of the service and the cost savings. Many organizations see managed security services as just another cost that must be cut in tight times, but when compared to full-time employees' salaries and expenses, managed services are usually far more efficient.
Another objection that customers may raise is their desire to do everything in-house. Some IT people believe that outsourced services make them look bad, as if the staff cannot handle the work. In reality, outsourcing extends and enhances the ability of IT people to do more work. It frees them to focus on more complex problems or to help internal staff improve processes or systems.
Outsourcing has other drawbacks that solution providers should consider before going to market with outsourcing options. One challenge is understanding the larger business issues. An outside consultant will not be involved in the daily operations of the business, and may miss many nuances that do not translate into a managed service. For example, a technician may be able to analyze logs and identify an intrusion, but that person may not understand the context of that event in relation to other activities within the organization.
There are ways around this problem. Solution providers delivering managed services must also manage expectations with customers. This means having a clear understanding of what the customer expects you to accomplish, and also an acknowledgement of the limits of what the service can do. Moreover, technicians need to communicate with the customer on a regular basis. Reassuring emails and phone calls may seem like a waste of time to a technician, but they can make a world of difference between a satisfied and unsatisfied customer, whose only interface might be those communications. More generally, it's important that consultants respect the customer's perspective on the relationship.
In our next tip, we'll explore other ways to maintain security vigilance after budget cuts. We'll review how to find security gaps, condense security operations and work more effectively with customers.
About the author:
Andrew Plato, CISSP, CISM and QSA, is president and principal consultant at Anitian Enterprise Security. Andrew has over 20 years of experience in information systems, networking and computer security. Prior to running Anitian, he was a database developer and technical writer for Microsoft. From 1997-2000 he helped develop the BlackICE intrusion prevention system for NetworkICE Corp. which was later acquired by Internet Security Systems.