Security budgetary constraints look set to continue in 2010, with IT departments expecting only a modest increase in IT spending.
Half of the world's largest companies surveyed by Ernst & Young say they are concerned about allocating adequate budget to information security.
As a result, information security professionals are going to have to work smarter to ensure corporate information is secure.
Involving all stakeholders across the business in your security policy is key, says Mark Carter, partner in enterprise risk services at Deloitte.
This ensures that planners get all the necessary requirements and helps IT departments to identify what business processes and data should be prioritised, he says.
A phased approach
Security is best implemented in a phased approach through smaller, more easily manageable projects based on the priorities agreed with the business, says Carter.
Security professionals need to understand where the business wants to go in the longer term, says Karl Havers, EMEA technology practice leader at Ernst & Young.
This will determine what new technologies, such as virtualisation, and business models, such as cloud computing, businesses are likely to require to support the business goals, he says.
"By taking a longer-term view, security professionals will be able to make a more accurate assessment of risk," says Havers.
In turn, this will help identify what technologies and skills will be needed to provide appropriate protection for corporate information in the new IT environment, he says.
Fill security gaps
Organisations should make a thorough assessment of existing security skills and formulate a strategy on how best to fill the security skills gaps if there are any, says Havers.
This kind of information is vital to making informed decisions about which security functions can and should be outsourced or retained in-house, he says.
Offshoring security operations is often the smartest option, says Carter.
"This enables organisations to cut costs by taking advantage of cheaper skills in some parts of the world without giving up any control over information," he says.
But where outsourcing makes most business sense, it is imperative this is done in consultation with IT security professionals, says William Beer, information security director at PricewaterhouseCoopers.
"Business leaders are seldom in a position to ask the right security questions of suppliers, particularly providers of cloud-based services," he says.
In the case of cloud-based computer services, Beer says business and IT leaders should be guided by best security practices set down by organisations such as the Cloud Security Alliance.
Demonstrate business value
Another key element in helping security professionals get investment where it is most needed will be the ability to use metrics to demonstrate business value, says Carter.
"They will have to back up any investment request with hard figures gathered from information security systems and risk assessment tools," he says.
These smarter ways of working will be easier for security professionals in companies where the recession has promoted a closer working relationship with the business, says Havers.
But in others, where economic pressure was so great that cost-cutting measures were applied bluntly where it was "easy" rather than "best", communication and co-operation between the business and IT are likely to have deteriorated, he says.
This means that while all information security will benefit through a better understanding between the business and IT, some companies will have to work much harder at it in the coming months than others.