Many predict 2008 will produce the tightest economic conditions since the dot-com bust at the beginning of the decade. The subprime meltdown and the tightening credit markets will mean most CIOs will feel the downward spiral of the economy right where it hurts -- in their IT budgets. Unfortunately, this also coincides with the most serious threat environment security professionals have faced. Hackers' tactics are becoming more targeted. The increase in the number and business importance of web applications is generating additional enterprise risk. Budgets may get tight, but your responsibility remains the same: minimize risk. It's a tall order in the face of possible spending cutbacks, but because budgets are tight you have to focus on how best to reduce risk, and that definitely doesn't mean less attention to security. In fact, at times like these that may be the biggest mistake. The highest levels of an organization are asking their CIOs "how do we know we're secure?" The only way you will know that is by understanding the risks, better understanding the ROI, and how security fits into your other IT priorities and adds to the company's bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.

1. Metrics make the most compelling argument. Ask yourself this question: Is your security risk going up or down over time, and what is impacting it? This is baseline data that every organization needs and should be on track to monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: how vulnerable are my systems, how safely configured are my systems, and are we prioritizing the security of the highest-value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company's own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify -- and defend as necessary -- where your security priorities are, and how security and risk fit into overall ROI.

2. Compare your baseline to others in your industry. The guarded nature of security data means CIOs trying to access this type of information will have to get creative. A good place to start is the Center for Internet Security -- their consensus baseline configurations can be used as a jumping-off point to identify areas of risk. Vertical industry benchmarks will be an evolving area, and another source may be what you can learn from your personal relationships. Seek out others within your industry and find out what metrics they are using and what they are spending as a percentage of their IT budget. Risk tolerance is specific to each organization, but there are similarities within industries that could prove to be helpful.

3. Learn from other areas in your company. Many process-oriented disciplines can serve as a proxy for the type of evolution facing security -- network operations is a good example. In the early days of network operations, the only scrutiny came if things weren't working correctly. Over the years it has matured to a level of operational metrics for uptime and performance, and is embedded in quarterly and annual performance goals. These metrics allow a continuous cycle of performance, measurement and improvement. In addition, network operations can provide an important lesson about single-solution economies of scale. Find solutions that work across your entire enterprise -- this is the only way to get economies of scale in implementation and ensure you get the critical enterprise-wide risk information that can deliver the metrics you need.

4. Take steps to automate your compliance process. Are you compliant, and can you routinely deliver the reports that auditors request? The economic benefits that come from doing this correctly are significant. Audit costs are directly related to how complicated it is to audit and prove the integrity of a business process, so finding a way to save the auditors' time is one of the single biggest opportunities to drive down costs. Even though your audit costs may be hitting the finance area's budget, meet with your company's finance team to understand what audits are costing you and how the right kind of automation could lessen them; there will certainly be time and resource savings for the security team as well. There isn't an exact recipe for compliance automation, so talk to your auditors, look at your environment, and begin discovering how much time is spent preparing for and reacting to audits. If you're a company that allows your divisions to individually automate, it's time to think about taking those principles enterprise-wide.

Regardless of budget conditions, you will still be faced with decisions on which projects have the biggest impact on the business. The threat environment requires that you make the absolute best decisions with your available budget by investing in the right places and getting better use of your resources. Lastly, remember that times of difficulty are often the times of opportunity. Lessons learned now in the face of tighter budgets can spark valuable models of efficiency and progress for the future.