
Network security 2009 trends: Mergers, security budget cuts


Mike Chapple, Contributor
01.19.2009




It's always an interesting and worthwhile exercise to begin a new year by pausing and reflecting on the emerging security trends that are likely to blossom in the coming year. Changes in the global economic and business landscape will likely have a significant effect upon the information security industry. Let's take a look at a few predictions specific to network security and how an organization can be ready for these possibilities.

We'll be asked to do more with less. OK, I admit this one's not rocket science. It shouldn't be a surprise to anyone that the global economy is in tough shape, and we've yet to get even a glimpse of the light at the end of the tunnel. For network security managers that haven't already been asked to reduce the size of their staffs or budgets, now's a good time to start drafting a contingency plan. While the hope is that security budgets will remain intact, security managers would be wise to consider how they would implement a 5%, 10% or even greater budget reduction. This exercise can be beneficial even if a budget isn't reduced, as it shines a spotlight on the less effective ways that financial resources are currently being used. In addition, ponder ways to optimize the use of security staff. If you planned on adding headcount to your organization in the near future, there's a good chance you'll be asked to back-burner those plans. Are there ways your staff can do more with less? Would any of your staff be willing to move to part-time status if the opportunity arose? Could flexible work arrangements or title changes be used as an alternative to pay increases if budgets are tight this year? Would the use of managed service providers (see below) help to reduce the demands on your staff?

Preserving jobs is always a top priority, and to do so, it may be essential to demonstrate that you've got your eye on the bottom line and are willing to make tough choices for the benefit of the organization. For example, if you've budgeted an expensive firewall upgrade this year, it's smart to consider whether that upgrade cycle can be extended by 12 months. Moving from a four-year to a five-year hardware replacement cycle is equivalent to a 20% cost savings. If after an analysis it's determined that the upgrade needs to happen now, be prepared to explain to the CIO exactly why the new product should take priority over others being considered.

Several vendors will close their doors or consolidate. The tough economic times won't be limited to those of us on the client side. Our shrinking budgets will cause a ripple effect in the security vendor community, and several vendors currently "on the bubble" may slip off the radar. Those with solid products and/or customer bases may be purchased by larger firms seeking to expand. I've already seen this happen once in late 2008 when High Tower Software suddenly ceased operations and announced its intent to sell its Cinxi SIEM platform. This is an important trend to keep in the back of your mind if you're lucky enough to be in purchasing mode right now. Buyers may want to think twice before entering into a long-term relationship with a smaller firm that may not survive the year. The loss of a vendor can have a serious effect on network security operations. Depending upon the type of device and its role in the infrastructure, it could severely affect the organization's security posture. For example, a firewall vendor going out of business is a big deal; if the device malfunctions or fails altogether, support will no longer be available, and this could jeopardize the availability of the entire infrastructure. That said, the failure of an antivirus vendor is a catastrophe; virus definition updates would no longer be available and the effectiveness of the organization's malware defense system will degrade rapidly. In addition to considering financial stability as a criterion during any vendor selection process, now would be a good time to take stock of the financial status of all current vendors to determine whether you need to re-evaluate those relationships.

We'll continue to witness the rise of managed service providers. Many security services are quickly approaching commodity status, and, amid pressures to minimize headcount, many enterprises have sought to outsource security tasks to the greatest extent possible. I've seen several organizations adopt Software-as-a-Service (SaaS) products, such as the vulnerability-scanning platform from Qualys Inc. and the Web vulnerability scanner from WhiteHat Security Inc., as a way to reduce costs. At the same time, vendors who traditionally sold security appliances are shifting to a NOC approach, offering 24x7 monitoring and maintenance for firewalls, intrusion prevention systems and the like. SaaS security tools offer tremendous benefits; enterprises are no longer responsible for maintaining and upgrading the tool itself, and your staff is left working in its core area of expertise: security management. Managed service providers take this a step further and outsource the analysis as well. On the flip side, using any of these services introduces some degree of risk, as confidential information about security posture is being shared with a third party. If you're not already considering using one of these services, put it on your short-term radar screen.

Our mindset will shift from compliance to operations. Whether you like it or not, many of us have spent the last three to five years focused on compliance issues. PCI DSS, Sarbanes-Oxley, HIPAA and GLBA are just a few of the laws and regulations that security managers have been tasked with managing or helping with. Now that the industry has focused on compliance for some time, the urgency to comply has, by and large, lessened. Expect to see pressure from within the organization to move your security resources back into a supporting role, providing security consulting support to business initiatives.

I don't mean to paint a "doom and gloom" picture for 2009; the coming 12 months will be full of opportunities to grow and excel. Take the opportunity to streamline the use of both human and financial resources. It's healthy for any organization to periodically re-evaluate expenses, vendor relationships and business priorities. However, it would be ignorant to stick our heads in the sand and attempt to ignore the state of the economy and the potential impact it will have on our business. Rather, it's important to adopt an opportunistic attitude and prepare for the inevitable changes we'll face. Best wishes for a happy and prosperous 2009!


About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
