Most of the world has been understandably shaken by the turn of events in the financial arena these past few weeks. Whatever the outcome, whenever economic uncertainty arises, information security professionals inevitably ask themselves the question: "Is my organization going to cut security budgets?"
The short answer is, "They shouldn't."
Fortunately, times have changed considerably since the early days of information security. Security is now seen as an essential business requirement, like accounting and legal, and has become a business function as important as any other in a 21st-century organization.
It's true that there may be an initial knee-jerk reaction from the C-suite regarding security budgets; but I believe common sense will prevail in most cases. If someone went to the CFO and said, "I can save us $10,000 this week but in the long term it's going to cost us $300,000 in harm," no CFO in the world would think it was a good idea. That principle applies even more in these times of economic uncertainty.
Also, governance, risk, and compliance are no longer optional: they are mandated by governments and other regulatory bodies, as well as by boards of directors and shareholders. As a consequence, when an organization starts looking for ways to manage its budget more effectively, it must take into account that an effective security program is part of what keeps it running at peak financial performance. Neglecting security best practices puts any financial gains from the cuts in serious danger.
That said, security professionals need to be able to reassure management that whatever they are spending is being spent properly and that the work is being done as efficiently, effectively and realistically as possible. They also need to make sure their people are at the top of their game when dealing with risk and compliance issues, more so now than ever before.
Your organization still needs properly trained employees in order to protect its infrastructure. The bad guys don't feel the pinch of a recession; in fact, they become more active, because their mindset is that when things get tough, people let down their guard and focus on other priorities. In addition, common sense says economic downturns tend to create more bad guys, not fewer. Your organization will not be saving money if it has to rebuild systems or go into emergency operations mode because it didn't follow best practices or didn't have its people trained properly.
In addition to training, professional organizations such as (ISC)², ISSA, ISF and others provide value during difficult economic times through their peer networking functions, both online and in real-world meet-ups. When security professionals talk to each other, they learn from each other's experience and become more cost effective than they would be trying to go it alone. There is a tremendous amount of value in leveraging what others are doing and pooling resources through professional organizations and the security people who belong to them.
On another topic, I would like to let the readers of the (ISC)² blog know that I have been appointed the first president of the Information Security Forum (ISF). I am looking forward to having ISF work more closely with (ISC)² and other top global security organizations on the pressing issues facing us all as professionals. I will be retaining my position on the (ISC)² board as well as my position as ISSA president. I hope to continue blogging here as well.