Slashdot Mirror


Shrinking Budgets Tie Hands of Security Pros

An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."

3 of 63 comments

  1. Budget has always been a problem by walmass · Score: 5, Insightful

    The survey is reporting something that every single security professional who has managed a budget has known for a long time, even before the recession (except maybe the period around Y2K).

    The sad truth is, at most companies management sees security as an unnecessary cost that they reluctantly tolerate because of SOX and industry regulations like PCI-DSS. They are quick to point out that security does not earn profits (and forget that it actually protects the profits). So the CEO tells the CIO to trim his budget, and given the choice of keeping the servers functioning or users getting phished, the CIO opts for the more pressing need. (At 99% of the places, the security function reports to the CIO or CTO, but that is for another bitching session.)

    Then of course something goes wrong, and the security person gets yelled at because s/he did not do his or her job. So then the coffers open, and the company spends a ton of money on a problem that could have been fixed for less at the right time (TJX breach).

    The solution lies with security pros: they need to frame their budget requests as business cases: if we do X, we will protect $Y of revenue (Point out that a data breach at company ABC cost them $ZZ). And if management does not fund the budget, have them formally, in writing, accept the risk.

    And always keep your resume updated :-)

  2. Re:And then there will be a price to pay. by Hammer · Score: 5, Interesting

    And all of this is because IT never seems to be able to make management understand:
    1) Security is not a cost but an insurance.
    2) PHBs will never adhere to simple guidelines as to what is safe.
    3) The bad guys are out there.

  3. Cheaper than the alternative... by grahamsaa · Score: 5, Insightful

    I'm fortunate to manage an IT department at a company that values security. We do routine audits and pen test our own systems -- occasionally we find a hole, and we fill it. I've never been pressured to skimp on security.

    Other commenters may argue that security is not something that companies can "buy," and they're right, to a point. Expensive proprietary firewalls are, in my experience, no better (and sometimes far worse) than a properly configured Linux box. But companies do have to "buy" security in the sense that they need to budget time to ensure that systems are properly configured. I can set up a Linux firewall in a matter of minutes, but to do it properly (especially when it must allow VPN, SSH, access to multiple databases, limited FTP, etc.) takes much more time.

    If companies realize how much their data is (are?) worth, they should also consider what's at stake if it's stolen or misused. Security doesn't have to be the primary investment for most companies, but it must be a high priority. If it's not, eventually bad things will happen.

    --
    Facts have a liberal bias.