Security budgets in a downturn

When times are tough, business survival has to take precedence over security considerations. This logic suggests that security budgets will be severely squeezed in a major downturn. But is this really the case? Companies are downsizing, but many security functions and budgets have managed to survive the last six months relatively unscathed. How long can this trend last? And what will be the impact on security vendors?

The answers to these questions are more complex than we might imagine. There are several contradictory trends at play, some that boost security spending as well as others that reduce it. Smart security functions should conduct an analysis of the threats and opportunities for their budget. Paul Dorey, former CISO for BP, has an excellent methodology for assessing the impact of the opportunities associated with the current downturn. It shows, amongst other things, that we can expect a combination of more and less demand for particular security services.

The most important trend is the simple fact that security continues to grow in significance, both in terms of risks as well as prominence on the Executive Board agenda. Fear of major incidents coupled with growing compliance demands should ensure that cutbacks in security are kept to an absolute minimum. But cancellations of new projects and budget reductions in operational services will also tend to squeeze security budgets.

Fortunately, security is better placed to survive cutbacks. For one thing, the security function generally operates with a backlog of initiatives. There is always more to be done than current resources allow. Unlike many other IT functions that might become idle when projects are postponed or services cancelled, security functions can always find useful work to do. And a general reduction in development projects can also mean that there is more money available to spend on security projects. No CIO wishes to see a complete decimation of the IT budget. They will support initiatives that remain compelling throughout the downturn.

Less demand for security support for new development projects might also free up existing security resources to launch new security initiatives that have been held up awaiting the availability of key staff to develop the necessary business case. It’s no trivial matter, however, to frame a business case against a background of across-the-board cutbacks in capital expenditure and external consultancy spending. But, whatever transpires, we’ll soon have a good idea of where things are heading. The start of the new financial year will set the tone for the next round of investments and cutbacks. Let’s hope that it’s positive for the security industry.

Join the conversation


Hi David, We are a startup that just developed a revolutionary authentication USB key that can be used in any site to secure the login/password authentication. The swekey is the very first low cost authentication solution that is highly secure and user friendly. It has already been integrated in the most famous open source projects: Drupal, Joomla, PhpMyAdmin, phpBB, SMF, CopperMine, Magento, SugarCRM... We are very interested in your feedback, and we are looking for independent reviewers. If you are interested in writing a swekey review, just contact me, I will send a free sample for evaluation. If you need more information feel free to browse our web sites and don't hesitate to ask me directly if you have any question. Regards, Luc
Companies that cut spending on security, particularly on data governance, are all too often gambling with the very data they need to protect. Reducing capital expenditure, on both the staff and technology that manages data governance, often leads to a significant lag time between an employee leaving a company and their email, SharePoint and other key user accounts being terminated. Known as ‘Zombie Accounts’, these active credentials leave organisations exposed to significant risk. Data can be lost, stolen or tampered with, while a company’s brand can be irreparably damaged by a data loss or theft.

Restructuring a company’s headcount increases the risk of disgruntled ex-employees or opportunistic ‘dustbin raiders’ exploiting Zombie accounts for both financial gain and malicious purposes. Failure to safeguard confidential internal and customer data can expose a company to a multitude of regulatory and legal challenges, particularly if any subsequent investigation finds that reasonable steps were not taken to safeguard such data because spending on and attention to data governance had been reduced.

This is not to say that you can’t reduce your expenditure on data governance; many organisations have successfully done this without compromising governance and compliance, but this has been achieved through considered and planned deployments of technology with efficiency and longer-term cost saving in mind. For this reason, investment in data governance cannot be reduced for short-term budget reasons alone.

According to the Ponemon Institute, the average total cost of a data breach ranged from £84,000 to almost £3.8 million, with an average of £47 per record compromised. The cost of a data breach for financial services companies is usually 17 percent higher than other business types, at £55 per record compromised. If you think the cost of data governance is expensive, look at the overall cost to a business of a data breach.
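The ‘Zombie Account’ lag described in the comment above is something a security function can measure rather than guess at, even on a reduced budget. The following is an added example, not code from the blog or from the commenter: it reconciles an HR leaver feed against a directory export and flags three conditions a reviewer would want to see: leaver accounts still enabled past a grace period, any logon recorded after the leaving date, and enabled non-leaver accounts that have been dormant for a long time (often service accounts nobody owns). The usernames, dates and the shape of the two feeds are constructed for the example; a real deployment would read the leaver list from HR and the account export from the directory.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical users, not real records).
# HR leaver feed: username -> last working day.
LEAVERS = {
    "jsmith": date(2009, 1, 31),
    "akhan": date(2009, 2, 15),
    "mlee": date(2009, 3, 20),
}

# Directory export: one row per account with its enabled flag and last logon.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_logon": date(2009, 3, 2)},
    {"user": "akhan", "enabled": False, "last_logon": date(2009, 2, 10)},
    {"user": "mlee", "enabled": True, "last_logon": date(2009, 3, 19)},
    {"user": "svc_backup", "enabled": True, "last_logon": date(2008, 6, 1)},
    {"user": "bjones", "enabled": True, "last_logon": date(2009, 3, 25)},
]

# Date the review is run (constructed).
AS_OF = date(2009, 3, 31)


@dataclass
class Finding:
    user: str
    reason: str   # leaver-still-enabled | logon-after-leaving | dormant
    days: int     # how long the condition has persisted


def find_zombie_accounts(leavers, accounts, as_of, grace_days=1, dormant_days=90):
    """Reconcile the directory export against the HR leaver feed.

    Returns findings in account order so the report is deterministic:
    - leaver-still-enabled: account enabled more than grace_days after leaving
    - logon-after-leaving: a logon was recorded after the leaving date,
      whether or not the account has since been disabled
    - dormant: enabled non-leaver account with no logon for dormant_days
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in leavers:
            leave_date = leavers[user]
            overdue = (as_of - leave_date).days
            if acct["enabled"] and overdue > grace_days:
                findings.append(Finding(user, "leaver-still-enabled", overdue))
            if acct["last_logon"] > leave_date:
                used_for = (acct["last_logon"] - leave_date).days
                findings.append(Finding(user, "logon-after-leaving", used_for))
        elif acct["enabled"]:
            idle = (as_of - acct["last_logon"]).days
            if idle > dormant_days:
                findings.append(Finding(user, "dormant", idle))
    return findings


def deprovisioning_lag(findings):
    """Worst-case lag (in days) between leaving and termination across the findings."""
    lags = [f.days for f in findings if f.reason == "leaver-still-enabled"]
    return max(lags) if lags else 0


if __name__ == "__main__":
    results = find_zombie_accounts(LEAVERS, ACCOUNTS, AS_OF)
    for f in results:
        print(f"{f.user:12} {f.reason:22} {f.days:4d} days")
    print(f"worst deprovisioning lag: {deprovisioning_lag(results)} days")
```

Run regularly, the worst-case lag figure is the metric to put in front of the budget holder: it turns "we have zombie accounts" into a number that can be tracked as headcount and governance spend change.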