In the current economic downturn, many companies are cutting costs, and security expenses are frequently part of the equation when considering where to save or spend money. New research released Monday by RSA, the security division of EMC, tapped the expertise of ten large companies with dedicated security executives and operations and asked: How can security be managed, and even drive innovation, in the current economic downturn?
CSOs and CISOs from companies such as Cigna, eBay, Motorola and JP Morgan Chase lent their perspective on how to tackle cost challenges and, in some instances, even make the case for security investment when businesses are so wary of spending.
Art Coviello, president of RSA, gave us an overview of the five key points of the research.
Prioritize based on risk/reward
In the current economic climate, some risk may not be worth the investment, according to the research, which advises businesses to know how to prioritize. Decisions on spending should factor in not only where the greatest risks lie, but also where the greatest opportunities can be found.
The report, titled "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy," also suggests tough judgment calls will be inevitable as organizations figure out which risks must be addressed immediately and which aren't worth the cost. Coviello pointed to a large bank client as an example. The bank had invested in a customized solution from RSA to reduce fraud, but it was costing $2 million annually to operate with all of what Coviello called "the bells and whistles."
"The question became if it was worth the $2 million dollars in cost for this risk and the answer was no," he said.
The report also suggests shifting focus from the deployment of the latest security technologies to a converged security approach in the areas where the business is going.
"You'll be much more likely to get funding for your risk management efforts if you can demonstrate that your security controls will address multiple areas of risk at once," the report states. "For example, knowing who has access to what systems can help prevent fraud."
Have the right mix of people on your team
As budgets get slashed, personnel often get cut, too. Now, more than ever, staffing with the best is essential.
"Having the right people on the core security team is more important than ever because you'll have to rely on them even more," the report states. "Members of the core security team need to have a risk/reward frame of mind and an exceptional set of skills."
Coviello also suggests repurposing people to avoid layoffs and to strategize more efficiently. That was the case recently at RSA when security incident and event manager systems allowed more automation of events. Staff that was previously in charge of tasks now automated got reassigned.
"We didn't lay those people off. Instead of growing our cost base 25 percent we were able to keep it flat," said Coviello.