Leslie Lambert, vice president and chief information security officer at Sun Microsystems Inc., returned from a three-week business trip to India with a few souvenirs and a whole new set of IT security priorities for 2009.
India is home to 29 of Sun's 250 managed services providers. Economic troubles there have made it harder for those providers to build out their data centers, so they're procuring services from other providers around the globe.
"I'm going to be shifting focus," Lambert says. In 2009, projects like server security, metrics, application security and Web security will likely take a back seat to new data-protection measures and deeper enhancement of user-access and identity management systems. "Those are the big hitters now," she adds. In a steadier economy, all of the projects would likely have gone ahead, she says.
Indeed, security remains a top priority for all companies -- with antivirus, encryption and identity management topping the list for Computerworld's Forecast survey respondents. But with economic uncertainty overshadowing most IT budgets, managers will have to pick and choose the projects that are most important.
The U.S. Tennis Association (USTA) is a prime example. The organization generates 85% of its revenue in just two weeks in late summer during the U.S. Open tennis tournament, and with so much riding on one event, the IT staff can't afford any security snafus. So when CIO Larry Bonfante decided the USTA would need to upgrade its network access control system to protect the network from contaminants brought in by 800 media members using its Web site, the project got a green light, despite a flat budget.
"Anything that can impact revenue, the fan or customer experience, or the game of tennis is considered business-critical," Bonfante says. Still, "all projects are certainly under significant scrutiny to make sure there's a tangible return on investment before we get funding for them. Security projects are no different in that regard."
Law firm Nexsen Pruet LLC plans to overhaul its intranet in 2009. Among other things, the upgrade will enable the system to grant users access to financials and reports according to their security levels. Despite the tough economy, the project will move forward, but at a slower pace than originally planned. "Increasing overall organizational efficiency and productivity sometimes means increasing spending for technology infrastructure and key applications," says Technology Director John E.C. Davis.
Keeping your guard up
Projects that "keep the bad guys out" are usually the most recession-proof, says John Pescatore, an analyst at Gartner Inc. But spending for projects that "let the good guys in" is often tied to business cycles.
"If there's a new business project to open up new services and products, there's a lot of security spending in identity and access management," says Pescatore. "But in 2009, that's probably the area we'll see get hit," creating a growing potential for security leaks.
Worst-case scenario: Companies could stop allowing employees to use their home PCs, laptops or iPhones for business use if identity and access management systems aren't in place. But Pescatore says that's not likely, again because of the economy.
"Some will reverse the privilege," most likely in government and financial sectors, he says. "But the majority of companies may say, 'If you use your home PC, we don't have to buy you one, and that will save us money.'" Some businesses might even consider letting workers use their own software, such as Google Apps.