More than 70 percent of IT security professionals said they have been forced to cut their budgets during the past six months to adjust for the economic downturn, according to a report released by (ISC)2, an association of security professionals. Approximately half of the respondents said they have made at least one layoff in the security department.
The data runs counter to several other studies published earlier this year, in which most security professionals had said their spending would hold steady or increase in 2009. "The current economic conditions have had an effect on all professions, including information security," said Lee Kushner, president of LJ Kushner & Associates, a national IT recruiting firm.
The data in the (ISC)2 report is supported by a separate report issued last week by MetroSITE, a security consulting firm. MetroSITE found that 72 percent of companies surveyed expect to make downward revisions of their security budgets during the remainder of the year.
None of this data surprises me. With fewer new IT initiatives, and those that do survive the budget cuts being less ambitious, there's going to be less need for new security gear. And it fares well with my belief that IT security is recession resilient, not recession proof.
But with the steady head-pounding of new regulations and waves of attacks that just don't let up, the need and the budget for infosec aren't going away, and they're not going to be cut as deep as other areas of IT investment.
So, maybe, instead of buying new security technologies because they're the latest cool thing, invest in security equipment that helps to consolidate vendors and processes where possible and where it makes sense. Take the time to start moving security testing into the early stages of software development and throughout QA testing; look for ways to automate vulnerability assessments and patch deployment; seek out and destroy redundant internal regulatory and compliance tests; and put into place an effective and visible security awareness program. Your people are probably a much weaker link in your IT security chain than many areas of your infrastructure. Now's a good time to strengthen them through awareness and steady security reminders.
Just because your budget may have taken a hit, doesn't mean your risk posture has to slouch.