The Impact of the Downturn on Security

This is a question I often get asked: What is the impact of the economic downturn on security? I am convinced that three things will happen:

  1. Cybercrime will grow
  2. Security budgets will shrink – it is just open whether the budgets will shrink at the same pace as IT budgets or faster but I am convinced that companies need to safe money there as well
  3. Regulations will increase and so will the requirements for compliance

So, to me compliance is the key theme for the next few years. Additionally companies will have to move away from the “best of breed” to the *"best of need” as budgets get tighter. Last but definitely not least, in order to address the compliance needs, you will have to go for an integrated solution of your products. There is no way you will be able to address the challenges with point solutions (and I guess I do not have to say here that we are best suited to help you with the best of need integrated platform).

The actual reason why I write this post is two-fold: I had the honor this week to hold a keynote to open the CoE – OAS/CICTE Conference on Terrorism and Cyber Security in Madrid. I had to opportunity to talk to some journalists as well during the conference and one of the articles covers point 1 form above (the raising Cybercrime challenge): Economic crisis tempts tech experts into cyber crime. And then I stumbled across an article called Fired Employees Can Still Access Co Systems, Survey Finds. So, if you bring those two challenges together, you can easily derive what you have to do – things which are not new but more important (and sometimes urgent) than ever:

  • Get your processes in order. Processes covering Risk Management, Identity Management (a key process from my point of view), Change Management, Configuration Management, Update (including Patch) Management. These processes are essential for the cost-effective and secure operations of your network!
  • Accept that the Internet is your network. There is no such thing like “our internal network is trusted”. Your network cannot be trusted for different reasons and a lot of your endpoints (e.g. notebooks, handhelds) are not within your perimeter as they travel.

To me, those are the key starting points: Address your Patch Management, Identity Management and enforce policy compliance on your network with technologies like Domain Isolation using IPSec and Network Access Protection.

Roger