Slashdot Mirror


Shrinking Budgets Tie Hands of Security Pros

An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."


  1. And then there will be a price to pay. by Z00L00K · · Score: 4, Interesting

    When the budget cut has gone far enough to strip down all security, certificates expire, competence leaves ship and nobody really knows how it works anymore. Then the cybercriminals enter the systems and use them for their purposes.

    And management sits there looking completely confused because they have cut down on the people knowing how to do security.

    It is especially bad if it's about having a system that handles large amounts of economic transactions and is storing credit card and personal information about a lot of people.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:And then there will be a price to pay. by Hammer · · Score: 5, Interesting

      And all of this is because IT never seems to be able to make management understand:
      1) Security is not a cost but an insurance.
      2) PHBs will never adhere to simple guidelines as to what is safe.
      3) The bad guys are out there

  2. IT Budgets == Bloated by Anonymous Coward · · Score: 2, Interesting

    People always seem to think Security is something you can BUY. You can't really 'purchase' security, all you can do is implement policies, and select tools to assist in creating and implementing those policies.

    Most of these tools are free [as in beer AND speech].

    One can create a secure organization with very little money.

    There are a lot of unnecessary IT "expenses", like the latest BS convention, i.e. VoiceCon, InterOP, etc. Trim the fat from IT, and people will see what can be done for very little money.

    1. Re:IT Budgets == Bloated by Seth+Kriticos · · Score: 2, Interesting

      So you want to tell me that the security consultant/operator that tells how to implement which security policies, configures firewalls/access control and trains the staff - can be cut and you get the same for free out of thin air? How exactly do you want to accomplish that one, please share your wisdom!?

      Sure, there are BS expenses, but that's a question of getting the right person to do the job.

  3. Not just security pros... by Anonymous Coward · · Score: 4, Interesting

    In June of this year, my employers had a major business continuity scenario - an electrical fault with the UPS took out a lot of desktops, several servers and most of our network connectivity on one phase. This was at 6PM on a Friday. Not only is it incredibly hard to get your standard suppliers to ship any replacement gear for the following day on a weekend, it's incredibly hard to actually get to talk to anyone! Now, I only recently took over the infrastructure management role, and one of my first goals was to put into place a proper Business Continuity plan. We have alternative premises with a major continuity provider on contract, but we have no plan and our actual capacity requirement now far exceeds what it was when the original alternative premises arrangement was put in place.

    When this event happened, we were in a very touch and go situation - we did not know if we could recover the business for opening on Monday. And we are extremely IT reliant!

    To cut a long story short - through putting in a lot of extra hours that weekend, and a lot of travelling to various IT shops within a 50 mile radius, we managed to get the business back to the point where we could open on the Monday without visible issue.

    When that event happened, my BCM plan had been on the desks of the company leadership for a month. After that event, it got bumped up to the next board meeting. And at that board meeting, the entire plan was indefinitely postponed due to funding. No intermediate plan was asked for, no alternative. The plan had several different levels of expenditure to choose from, and they ignored all of them.

    Barely one month after a 'can we continue to run the business' situation, the board rejected the plan which would have made that situation a non-issue, even at the cheapest option.

    I now have several interviews elsewhere. The sooner I can get out of here, the better.

    Posted anonymously for obvious reasons.

    1. Re:Not just security pros... by Anonymous Coward · · Score: 2, Interesting

      I, too, feel your pain.

      I used to work at a healthcare IT company. They had a legal requirement to have a Disaster Recovery Plan and a Business Continuity Plan, because if they were unavailable, it could impact the safety of tens of thousands of people. You know, life or death stuff.

      They were also contractually obligated to have a few other odds and ends, such as security and privacy staff, centrally managed anti-virus, configuration control, change management, security training, incident response, etc, etc, etc.

      Well, they don't. Lies and more lies, smoke and mirrors, and so forth. As a security professional, it just chills me to the bone. Why the government isn't auditing them and throwing the corporate officers into jail is a mystery.

      My advice: No matter how much your medical practitioner argues about the benefits of going digital with your record, insist that a paper backup be made and available. It could very well save your life.

      Likewise, posted anonymously for obvious reasons.

  4. I've seen this cycle before by WheelDweller · · Score: 2, Interesting

    No one has enough money in the budget for security, until a break-in nearly disables them. What are the chances? (Fire your security staff, and find out!)

    Similarly, make copies of Windows to deploy on your business floor and ask "what are the chances?" and you'll find out. *I*didn't*call*, but a year or so after I left, I was told the company trying to get ME to pirate Microsoft Windows 98 got a visit from the BSA. And as you all know, they don't leave without a fire alarm being pulled or a $100,000 check.

    When the budget thins, you cut extras; security isn't an extra. Though, putting Ubuntu on your Windows boxes will save you some real cash. And help security.

    --
    --- For a good time mail uce@ftc.gov