Security isn’t a nice-to-have. It’s a must-have. In this era of corporate governance and accountability, no organisation wants to be explaining why its customers’ data was left in a taxi, on an unencrypted flash drive, for example. Compounding the problem is the fact that security threats increase during tough economic times as employees, and others, try to find ways to get that extra R50 they need to make ends meet.
It’s no surprise then that the companies Brainstorm spoke to indicated that spend is ongoing, despite the recession, and has, according to some, actually increased. Says Synaq technical director David Jacobson: “Managed [security] services spend hasn’t declined. In fact, I would think it’s slightly on the increase. In many circumstances it is more cost-effective for an organisation to go the managed services route rather than do it itself, especially if IT isn’t its core business.”
According to Herbert Kunzmann, Accenture’s Security Practice manager: “Despite the economic downturn, growth continues in the security industry at roughly ten percent, and in some instances the downturn is actually driving security spending. Security has been much less affected than other IT areas. The focus has shifted in line with CIO agendas to improve effectiveness and consolidation with the goal of cost-cutting. Products still account for roughly two thirds of security spending, with the rest going to services.”
“The general slowdown in IT spend experienced over the last few months has not impacted every field in IT. Spend on security has definitely not been adversely affected. Instead, there has been an increase in overall security spend in the last six months and the market has suddenly become very lucrative,” concurs Comztek channel manager Hilbert Long.
As Jacobson hints, there is an increasing trend to outsource security to third parties that are better equipped and have the expertise to handle current hostile environs. “Effective security costs. It costs in terms of infrastructure, software and skills. In addition, when budgets are tight, most CIOs would rather be spending time and energy on solutions that make a competitive difference to the organisation rather than on security,” he notes. “[Many companies are opting] for a managed service via the cloud. In this way, the organisation is assured of having a security solution that is always up-to-date at a fixed cost without the need to invest in or maintain infrastructure. In addition, it’s more secure using the cloud to manage security – provided it’s with the right provider.”
That’s a pretty big ‘provided’. Outsourcing security is like handing over the keys to the crown jewels to an outsider. How do providers guarantee that their staff won’t walk away with the goods, as it were?
The providers interviewed by Brainstorm spoke very sincerely about SLAs, staff training, data protection laws and hiring the right people in the first place. This is all good and well until the first embittered employee at a managed services provider walks off with something valuable, at which point all of the above will be proven to be ineffectual.
It boils down to risk, and risk appetite.
Says BT Middle East Africa security practice lead Tareque Choudhury: “If you handle your information security internally, you need to manage your own risk and have a risk team inside. Once you go to an outsourced model, you are transferring that risk and liability to the outsourcer, and a lot depends on your SLA.” BT is one such outsourcer, and it’s naturally punting such services.
“BT predicts that in 2009, risk management will become a more strategic activity that will continue right throughout the next decade, helping business leaders identify and assess the risks of a wide range of potential threats,” Choudhury notes. “The fast-changing and dynamic risk environment in which businesses now operate means that risk management professionals have a key role to play in helping organisations fully understand the uncertainties they face. This move from a defensive and reactive security position to that of intelligent risk management will not only lead to more effective risk management, but will also unlock hidden value and contribute directly to profitability.”
Whether that is true remains to be seen. In the interim, however, the threat landscape is getting more, well, interesting, and pressure to cut budgets will remain. Security spend may be good now but if the recession continues, this could change, while the criminals will only be moving faster, and getting smarter.