
Information Security Cost Cutting - Part 2

KingS

I wrote some of my views on information security cost cutting a couple of weeks ago. You can read them here: http://www.computerweekly.com/blogs/stuart_king/2008/07/reducing-security-costs.html.

On a related note I was reading an article by Charles Cresson Wood published in the latest Computer Security Institute newsletter entitled "Preventing IT Budget Cuts from Adversely Impacting Information Security."

Charles writes that "it seems that budgets for information security are often cut significantly in the midst of a downturn" and he proposes a corporate policy to "make information security more of a permanent part of the organisational structure" and a normal and expected "cost of business."

The problem with this approach is that it sounds too much like taking desperate measures to keep hold of territory. Instead we should be using initiative and imagination to get more from the resources we've got, and accepting that cost cutting is something we just have to deal with and adjust to. Don't fight the business, work with it.

Somebody today forwarded to me a great call-to-arms from the CEO of an American company to his workforce, talking about current economic conditions and how their organisation is going to meet the challenges. The message states:

Anybody can cut costs. And it doesn't take much talent to throw money away on ill-conceived "strategic investment" that produces no return.

The message goes on to talk about the need to maintain a strong performance through tough times, and he finishes by saying:

These goals only appear to be in conflict for those without imagination or commitment to excellence

Back to this blog, one Chris Haynes posted a comment to the aforementioned entry where he says "how about security being a business enabler and shifting (not necessarily reducing) security funding to activities that produce high-value information; that enables better operational decision making as well as IT funding decisions?"

Great advice, Chris. That's the sort of approach we should be thinking about.


About

This page contains a single entry from the blog posted on July 23, 2008 9:00 AM.
