At a time when companies are trimming overall spending for IT, expenditures on security projects seem less likely to get cut than other technology initiatives, users and analysts said.
But there's going to be growing pressure on managers to demonstrate measurable returns on investment to justify new security projects, they said on the eve of next week's RSA Conference 2001 trade show in San Francisco.
"Security will withstand the slowdown better than most [other IT areas]," said Sean Jackson, a financial analyst at Suntrust Equitable Securities Corp. in Nashville. "Hacker attacks are on the rise, and more companies are relying on the IT infrastructure for their core operations.
"While many organizations in the past year have overinvested in equipment such as PCs, routers and servers, they have underinvested in the security of their IT infrastructure and are just now playing catch-up," Jackson said.
There are other reasons. Take TRW Inc., the US$17 billion manufacturing giant in Cleveland. Despite a modest slowdown in other areas of IT spending, the company is going full speed ahead with a major project to deploy a digital certificate network for authenticating employees and business partners who log on to its network, said CIO Mostafa Mehrabani.
"As companies grow to be more collaborative in dealing with customers and suppliers, the role of information security becomes even more critical from the context of authentication and access control," he said.
The key is to show business value when launching security projects and to constantly look for ways to trim costs. That applies not just to security, but to other areas as well, Mehrabani added.
For example, TRW is consolidating several of its data centers, reducing the number of service providers to which it outsources and standardizing technologies wherever possible, he said.
Sean Nolan, chief technical officer at Drugstore.com Inc., an online retailer in Bellevue, Wash., said his company saves money by trying to design systems that are secure to begin with.
"A key part of our development process is to think about security upfront and make sure that the features and systems we build are in good shape the first time around," Nolan said. "That saves a great deal of time and money in not having to go back and revisit bad decisions with new fix-it-up projects."
Companies looking to save money shouldn't skimp on security, he warned.
"While we're certainly looking for ways to conserve cash, it would frankly be suicidal for us to skimp or delay projects intended to ensure the safety of our data," said Nolan.
Josh Turiel, network manager at Holyoke Mutual Insurance Co. in Salem, Mass., agreed. "If there [were] a way to cut costs without compromising security or service, I would do so," he said.
In fact, Holyoke plans to spend less on workstations and desktop technologies this year, partly because it purchases those items on a three-year life cycle. But the company is likely to spend almost double what it spent last year beefing up enterprise security, Turiel said.
"I would rather spend more on security, because the cost of a single breach is a heck of a lot more than all the money I can throw at the problem," he said.
"We are not cutting IT budgets because of the slowdown," said Rob McGhie, a member of the IT security and policy team at Raytheon Corp.'s facility in Garland, Texas.
"All the projects here must demonstrate a measurable ROI at any time," he said. "However, as a defense contractor, security here is not treated as an affordable or nonaffordable luxury, but as a requirement."