Surviving an IT Budget Squeeze
Pick up any publication today and you can't miss an article that predicts grim economic conditions for the foreseeable future. Countless articles cover everything from governments making futile and often misguided attempts to stabilize energy costs, to food shortages and the ripple effects of weakening currencies.
Interestingly, IT security hasn't touched on the topic, even though global economies will have a significant impact on the security sector, from the operational arm all the way to the business side.
Goodbye budgets
If you're a vendor, I'm sure you've heard, "I'm sorry we just don't have the funding..." and if you're the customer, I'm sure you've uttered this more times than you care to recall.
Meanwhile, the threat landscape continues to grow in complexity while regulatory compliance requirements continue to put tremendous pressure on organizations to re-architect their entire IT infrastructure.
If you haven't read the writing on the wall by now, let me be frank - we're approaching a breaking point. As the negative impacts of the depressed global economy mount, organizations are going to be forced to innovate. This means that you're going to have to meet your security needs without the lifeblood of budget dollars, while also considering a new gold rush of threats.
Virtualization makes the old new again
Many organizations have hardware renewal cycles, often based on SLD (straight line depreciation) over the course of 5 years. The problem now is that there is no money to restart the cycle.
Network engineers are now forced to reuse old equipment as part of virtualization. Using 10 old servers to create one virtual system saves money and incurs no hard costs on resources, but be sure that you perform proper risk assessments. Virtualization certainly reduces costs and makes life easier for administrators. However, it complicates the security stance and the organization's need to meet regulatory compliance initiatives.
Open source is now viable
A surge of open source platforms has found its way into NOCs all over the world. With free distros such as CentOS competing with Red Hat Enterprise Linux, organizations now have the potential to roll out extremely stable and secure environments. The trade-off here is that support isn't offered, so you'd better not fire all of your senior security staff.
Now that Ubuntu and similar distros are actually stable and friendly enough for desktop use, you may see some leading-edge organizations deploying them. Several well-known retailers have already done so in order to save money on licensing.
House cleaning, justified
Over the years, many organizations have accumulated tons of point solutions in hopes of "plug and playing" away all the audit findings. We've all learned that not only did this not happen, but we've also added complexities and costs, since every system is potentially part of a regulatory compliance initiative. Managers are going to continue to approach security professionals looking for ways to trim down unnecessary technology that is currently supporting core business processes.
Organizations will save large amounts of capital by not only streamlining business processes but also removing hefty annual maintenance fees.
Be ready when they come knocking
As a security professional, you should be well versed in the world of corporate finance. This way, you won't be surprised when a suit shows up at your door looking for your feedback on how to trim 20% (or more) of your costs. It is key to your survival to be able to speak his/her language, because if you don't, you may suddenly be an attractive part of the cost reduction process.
If you don't already know how, learn to place fixed dollar amounts on all things operational security. As an added bonus, if you can provide the money folks with a cost/benefit analysis of everything your security team does, you will be able to provide additional value to the organization, and hence you may survive longer than others who can't do this.
These are the obvious things that are going to happen, but what about the things that most folks aren't expecting?
As the cost of virtually everything rises, a multitude of new targets are going to spawn. Cyber criminals operate in the very same way that legitimate prospectors do, in that they are always looking for new opportunities to acquire wealth. What once was never a consideration for security may be tomorrow's new hot threat vector.
For example, the price of gasoline has recently surpassed $4 a gallon in the U.S. Gas stations never had to pay much attention to vehicles with trailers at their pumps. Today, thieves are rolling around with high-capacity pumps inside landscaping trailers so that they can drain fuel from the gas station's own tanks in the ground. The reward now justifies the risk.
Translate this to your role in the enterprise. How many physical locations are not adequately protecting assets that have significantly increased in price and value?
A network security engineer who is stationed at a Government facility has this to say, "We've spent millions of dollars on tire spike systems and other physical controls at our fueling depots in order to reduce the risk of theft. What's really frustrating is that fuel thieves can back up a tanker to our emergency operations center and drain all the diesel fuel from the fuel tanks that feed our backup generators without so much as being seen.
The fuel tanks are positioned far enough away from the center (and camouflaged) so that in the event of an explosion, the center would not suffer damage. The woods provide perfect cover for those who are interested in stealing the fuel. The design was completed when diesel fuel was 93 cents a gallon and theft was not considered a threat. Today, we are considering placing a guard station in the woods."
It's situations like this that will be gracing the news headlines in the near future. Analyzing your current security stance in the shadow of global economic pain is something that needs to be done, and very quickly. The real talent is going to be providing a secure environment in the face of new threats with budgets that hark back to the days when IT security wasn't considered worthwhile.
This article was first published on EnterpriseITPlanet.com.
