Putting a Price on Security

By Brian Prince  |  Posted 2009-01-27

As the economy takes body blow after body blow, companies are struggling to do more with less. When it comes to security, however, the cost of not doing enough can be immeasurable.

So, just how low can companies go?

For many companies, slashed budgets have forced a reassessment of priorities as well as some creative negotiating with vendors. But the question of how to save a buck without sacrificing security has some IT professionals both scratching and shaking their heads.

Mike Miller, director of IS at Media General, did the latter. Miller wanted to replace some of the 3-year-old monitoring and event correlation systems the company uses, but, with the capital portion of his budget dropping by about 50 percent, he will be unable to do so.

"We're running on older stuff for a little bit longer," he told eWEEK.

On the plus side, Media General's operational budget has remained steady, and, as of mid-January, the company's IT security staff has not been cut.

In the five years Miller has served in his position, the business's concerns have shifted from regulatory compliance to malware and phishing. With the economy being what it is, Miller said, there are no plans for any major implementations of new technology. These days, the company is more focused on making incremental improvements instead of broad new deployments.

Miller's story is not unique. Still, analysts say, overall security budgets have not been hit hard - yet.

"In the fourth quarter of 2008, we did not see security spending plans derailed, nor in the first two weeks of 2009," said Gartner analyst John Pescatore. "However, I think the first quarter will be tough - the natural tendency will be to delay spending to see if things get better in 2Q. Upgrading firewalls or IPS [intrusion prevention systems], for example, can usually be delayed a few months with no major impact."

A survey by Gartner put security at No. 8 on a list of the top 10 technology priorities for CIOs. Business intelligence was ranked first.

Other studies show that security occupies a larger segment of IT budgets than in past years. For example, according to a Forrester Research report titled "The State of Enterprise IT Security 2008 to 2009," security has gone from 7.2 percent of enterprise IT budgets in 2007 to 12.6 percent in 2009.

The study surveyed 942 North American and European companies of different sizes. The report lists data security as the top concern among IT security groups, with 68 percent citing it as "very important." Fifty-one percent cited business continuity and disaster recovery as "very important."

The very largest companies tend to spend the most on IT security, measured as a percentage of their IT budgets, noted Forrester analyst Jonathan Penn. These companies also tend to spend relatively heavily on staff, as a percentage of their IT security budgets. To compensate, they are slowing down or deferring security technology upgrades, said Penn.

"There are certainly companies whose IT security budgets are shrinking, and many companies face an extremely difficult climate for capital expenditures, delaying the rollout of new products," Penn said. "Overall, IT budgets are slowing but not declining. Across both SMBs [small and midsize businesses] and the enterprise, IT security budgets are gaining a greater share of the overall IT budget. In other words, IT security is slowing less than IT in general."

Taking Creative Measures for Security


By some measures, George Lee is one of the lucky ones. Lee is director of IT at The Leading Hotels of the World, a hospitality organization that represents more than 450 hotels, resorts and spas across the globe.

Like that of some other IT leaders, his budget has seen cuts, with training and travel being the first to go. However, the organization was able to fit in a major revamp of its network infrastructure in 2008, putting in Cisco Systems firewalls, switches and other upgrades.

The move was precipitated by plans to bring the organization's financial accounting operations in-house.

"I was very lucky I was able to put [the security systems in] in 2008," said Lee. "If I were confronted with that same issue, I would do my very best to make sure that the company was protected, or get the funds to make sure the data is safe from the outside world."

Yuval Ben-Itzhak, CTO of security provider Finjan, said he expects to see IT professionals watching every dollar.

"CIOs will look for more value for every dollar they will spend," Ben-Itzhak said. "They will look for simpler solutions that are easier to manage while having less people on their staff."

Indeed, tough times often call for creative measures, according to Scott Ksander, chief information security officer for Purdue University.

"We've been very successful at having some strategic partnerships with vendors, and focusing in on what we wanted to do," Ksander said.

A case in point is the negotiation with Q1 Labs to pull off a log management project the university was planning. According to Ksander, the university generates somewhere between 10GB and 12GB of logs a day (compressed), and that necessitates having the right tools in place to correlate and organize log data.

"We have a very dispersed set of systems, and when we do incident response work, we need a lot of log data," he explained. "As various parts of the university are trying to cut back, they're either not hanging on to the log data, or they don't care about it or it's not their primary focus. ... So we put in place an initiative we wanted to do this year, which basically said, 'You don't want to keep it, give it to us.'"

After putting the project out for bid and receiving responses that were over budget, the university staff sat down with Q1 Labs to come up with a way to make things work.

"It turns out we ended up doing some development work with the vendor, and they gave us some quid pro quo for that, and we were able to pull this off with the money we had," said Ksander. "I really don't want to cite a specific number on the savings because that really doesn't compare apples to apples. Where we ended up isn't exactly where [we] started on either side. I would characterize the savings as very significant, however."

The contract negotiation process started in early November and concluded very early in January, he said, adding that work with the product will continue after delivery.

Said Ksander, "It was absolutely worth it." 