Surviving the current downturn means taking cost out of business and information security budgets. Here are a few ideas on how to go about it.
Firstly, set out to reduce incident levels. There are real savings to be made from a campaign of targeted awareness. The main obstacles are that the money saved won’t flow into your security budget, and it’s a leap of faith that can’t be guaranteed. But it’s easy to make a business case if you have the right figures. Even if you don’t have historical incident data, you can make some assumptions about incident levels and costs. Take laptop losses, for example. In my experience, I’d estimate that typically around 2-3% of laptops are lost a year. You’re probably doing very well if it’s less than 1% a year. And it probably costs several thousand pounds to replace each one. You can make big reductions in the levels of these losses through a root cause analysis and a targeted education drive.
Secondly, aim to move to a variable cost level for managed security services, through outsourcing or Software-as-a-Service products. That means that you can progressively lower your operating costs, as demand drops from fewer projects and shrinking numbers of staff and customers.
And thirdly, streamline processes for governance and compliance. There’s been a huge expansion in this area in recent years. Many of the processes implemented were not the most efficient. This is a good time to adopt better processes and technology.
The problem with all of this is that you have to invest a little in order to realise the subsequent savings. Business has always been that way, of course. It’s just that many corporate security functions have been shielded from commercial realities by being able to draw on a large central budget. Those days are gone. The most important skill of the information security manager is now the art of business case development.