What can you afford NOT to do on IT security?

There may be some security projects you can put off because of the recession -- without risking your company's data or reputation.

1 2 Page 2
Page 2 of 2

Whittling away at risk management and compliance oversight functions is another bad idea, said the chief privacy officer (CPO) at a large financial services firm. That could leave companies facing potentially serious consequences for not complying with security requirements, he said.

What to Cut

But there are other areas in which IT and security managers may be able ease up on spending. Kirby said that although intrusion-detection systems are a must-have item, many companies can live without intrusion-prevention tools, which are more sophisticated but also more expensive and harder to manage. He added that biometric security projects can often be postponed.

Paring back on third-party security education and training programs can also yield some extra dollars that can be used for other purposes, said the CPO, who asked not to be identified. "Companies have a lot of vendor-hosted or vendor-provided education programs -- kind of, 'Here's how you do data security if you're covered by HIPAA or by PCI,' " he said. According to the CPO, the cost of individual programs can sometimes top $200,000 annually, depending on the number of employees being trained.

Marcin Czabanski, director of IT at LifeSecure Insurance Co. in Brighton, Mich., said companies should also look for ways to move applications -- and their security functions -- into the computing clouds offered by vendors such as Google, Microsoft and Amazon.com.

By doing so, Czabanski said, "you can outsource a lot of the headache" of managing and securing desktop applications -- and do so for less money than keeping the work in-house.

E-mail is another application that can move to the cloud. The Henssler Financial Group in Kennesaw, Ga., is a user of Google's Postini e-mail security and archiving services. Tim O'Pry, Henssler's chief technology officer, said the arrangement has enabled the financial services firm to offload to Google the hassle and expense of securing its e-mail system.

In addition, using the hosted services has "dramatically" reduced Henssler's e-mail archiving costs while making it easier for employees to search for and retrieve old messages, O'Pry said.

Moving e-mail to a cloud infrastructure such as Google's can also help organizations lower the costs of complying with e-discovery rules in legal cases, said David Jordan, chief information security officer for Virginia's Arlington County.

For instance, Google earlier this year launched a Postini service called Message Discovery that is designed to help businesses comply with e-mail retention regulations and speed up the process of retrieving messages in response to lawsuits or other legal matters. Such setups can also help customers trim their e-mail hardware, software, management and security costs, Jordan said.

Another possible cost-saving option, he noted, is deploying virtualization and thin-client technologies that let employees access a set of centralized applications. Jordan said he thinks that thin-client architectures are inherently more secure -- and thus less costly to manage and control -- than traditional client/server computing models.

Any cutbacks should be carefully weighed, though.

Phil Hochmuth, an analyst at Yankee Group Research Inc., said it's understandable that companies might want to rein in their security spending (see related story, at left). But on a longer-term basis, "it would probably be a mistake if they backed off strategic initiatives" just to cut costs now, Hochmuth said.

O'Pry agreed. "Trying to scrimp and save on security in this economy would be a penny-wise, pound-foolish thing to do," he said. O'Pry noted that as a financial services firm, Henssler is "affected more than anyone else" by the downturn. Even so, there's little talk within the company about cutting security spending. "Your most valuable nontangible asset is your reputation," O'Pry said. "You can't risk taking any hits to that."

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon