
Just Because Security Budget Takes A Hit, Doesn't Mean Security Has To

At last week's RSA Conference in San Francisco, there was as much talk about the economy as there was about IT security. And while the show appeared to pull a healthy number of attendees, at times the show floor seemed filled with more vendor reps and consultants than IT buyers. But a few studies released last week show that while vendors may like to hype fear, the infosec economy certainly isn't all gloom and doom.
From Tim Wilson, over at DarkReading.com:


More than 70 percent of IT security professionals said they have been forced to cut their budgets during the past six months to adjust for the economic downturn, according to a report released by (ISC)2, an association of security professionals. Approximately half of the respondents said they have made at least one layoff in the security department.

The data runs counter to several other studies published earlier this year, in which most security professionals had said their spending would hold steady or increase in 2009. "The current economic conditions have had an effect on all professions, including information security," said Lee Kushner, president of LJ Kushner & Associates, a national IT recruiting firm.

The data in the (ISC)2 report is supported by a separate report issued last week by MetroSITE, a security consulting firm. MetroSITE found that 72 percent of companies surveyed expect to make downward revisions of their security budgets during the remainder of the year.

None of this data surprises me. With fewer new IT initiatives, and those that do survive the budget cuts being less ambitious, there's going to be less need for new security gear. And it fits well with my belief that IT security is recession resilient, not recession proof.

But given the steady head-pounding of new regulations and waves of attacks that just don't let up, the need and the budget for infosec aren't going away, and they're not going to be cut as deep as other areas of IT investment.

So, maybe, instead of buying new security technologies because they're the latest cool thing, invest in security equipment that helps to consolidate vendors and processes where possible and where it makes sense. Take the time to start moving security testing into the early stages of software development and throughout QA testing; look for ways to automate vulnerability assessments and patch deployment; seek out and destroy redundant internal regulatory and compliance tests; and put into place an effective and visible security awareness program. Your people are probably a much weaker link in your IT security chain than many areas of your infrastructure. Now's a good time to strengthen them through awareness and steady security reminders.

Just because your budget may have taken a hit doesn't mean your risk posture has to slouch.
