Adjusting to Budget Shortfalls in Hard Economic Times
The fact that the US as well as much of the rest of the world is undergoing a recession is hardly a secret. This recession has had a great impact upon organizational budgets, often resulting in deep spending cuts. Not surprisingly, information security practices have not been spared from such cuts; security control-related projects that were to be initiated this calendar year have increasingly been put on hold, and reductions in the number of information security staff have been commonplace.
Given how dependent information security practices are on the availability of personnel and financial resources, the negative impact of reducing the level of resources is potentially severe. What can security practices do to attempt to provide the needed level of business process assurance and data protection despite a reduction in resources?
During times of budget reductions, the first thing an information security manager needs to do is to undergo a major shift in attitude. Prior to budget cuts, an information security practice may have been moving forward with multiple initiatives as well as well-defined and executed operations. After budget cuts, especially if the cuts are severe, a security manager needs to realize that the practice is now more or less in a holding pattern, so to speak. The practice must now pay attention to and deliver the bare essentials—just enough to get by—even if security risk can no longer be managed to a level the senior management deems acceptable. Being in this situation is not by any means easy, and the difficulty of adjusting to it is exacerbated by the fact that virtually all books, manuals and other published information concerning information security management presume that an information security practice will have sufficient resources to be able to launch numerous control initiatives that mitigate various types of risk. To the best of my knowledge, none of these resources covers how to survive under adverse conditions, such as when severe budget cuts have occurred.
In the absence of such guidance, I’ve taken the liberty of brainstorming potential ways of dealing with severely reduced levels of resources. My suggestions include:
- Assess and communicate the impact of cutbacks upon the level of unmitigated security risk. First and foremost, never blindside senior management and critical stakeholders. If cutbacks result in inability to mitigate risks that were to be addressed by security initiatives, both of these critical entities need at a minimum to be advised of the probable negative impact on business and/or operational processes.
- Re-evaluate the priority of each security initiative and drop or postpone those that are least critical. Information security involves assessing risks and mitigating them according to priorities. If resources become scarce, the lowest priority initiatives need to be dropped.
- Slow multi-phase projects. Some risk mitigation projects can be slowed to lower the resource “burn rate.” The acceptable level of residual risk after each stage is completed may have to be redefined. Senior management should, of course, have the final say concerning the level of risk that is acceptable as well as which stages of which projects should be slowed down to conserve resources.
- Attempt to achieve maximum convergence with other, similar organizational functions. Many information security functions overlap with other organizational functions such as risk management, audit and physical security. When resources become scarce, turning to such functions to determine whether they can perform tasks or parts of tasks that would normally be performed by the information security function is an excellent way to accomplish at least some goals in the face of resource shortages.
- Where cutbacks in labor are involved, strongly consider using third-party provider services to a greater extent. Third-party provider services are by no means any kind of “magic bullet,” but when labor costs must be reduced, these services often provide a good means of doing so. This is especially true when positions (e.g., security architect, compliance specialist, and so on) within a security staff are indispensable, but sufficient funding for full-time work for each is not available.
Having a shortfall of resources is nothing new for information security practices, but what has been happening recently is far more severe than at any previous time that I can remember. The challenge is formidable; the good news is that the information security arena has an abundance of outstanding professionals who can and in all likelihood will rise to this challenge.