It's always an interesting and worthwhile exercise to begin a new year by pausing and reflecting on the emerging security trends that are likely to blossom in the coming year. Changes in the global economic and business landscape will likely have a significant effect upon the information security industry. Let's take a look at a few predictions specific to network security and how an organisation can be ready for these possibilities.
We'll be asked to do more with less. OK, I admit this one's not rocket science. It shouldn't be a surprise to anyone that the global economy is in tough shape, and we've yet to get even a glimpse of the light at the end of the tunnel. For network security managers that haven't already been asked to reduce the size of their staffs or budgets, now's a good time to start drafting a contingency plan. While the hope is that security budgets will remain intact, security managers would be wise to consider how they would implement a 5%, 10% or even greater budget reduction. This exercise can be beneficial even if a budget isn't reduced, as it shines a spotlight on the less effective ways that financial resources are currently being used. In addition, ponder ways to optimise the use of security staff. If you planned on adding headcount to your organisation in the near future, there's a good chance you'll be asked to back-burner those plans. Are there ways your staff can do more with less? Would any of your staff be willing to move to part-time status if the opportunity arose? Could flexible work arrangements or title changes be used as an alternative to pay increases if budgets are tight this year? Would the use of managed service providers (see below) help to reduce the demands on your staff?
Preserving jobs is always a top priority, and to do so, it may be essential to demonstrate that you've got your eye on the bottom line and are willing to make tough choices for the benefit of the organisation. For example, if you've budgeted an expensive firewall upgrade this year, it's smart to consider whether that upgrade cycle can be extended by 12 months. Moving from a four-year to a five-year hardware replacement cycle is equivalent to a 20% cost savings. If after an analysis it's determined that the upgrade needs to happen now, be prepared to explain to the CIO exactly why the new product should take priority over others being considered.
Several vendors will close their doors or consolidate. The tough economic times won't be limited to those of us on the client side. Our shrinking budgets will cause a ripple effect in the security vendor community, and several vendors currently "on the bubble" may slip off the radar. Those with solid products and/or customer bases may be purchased by larger firms seeking to expand. This is an important trend to keep in the back of your mind if you're lucky enough to be in purchasing mode right now. Buyers may want to think twice before entering into a long-term relationship with a smaller firm that may not survive the year. The loss of a vendor can have a serious effect on network security operations. Depending upon the type of device and its role in the infrastructure, it could severely affect the organisation's security posture. For example, a firewall vendor going out of business is a big deal; if the device malfunctions or fails altogether, support will no longer be available, and this could jeopardise the availability of the entire infrastructure. That said, the failure of an antivirus vendor is a catastrophe; virus definition updates would no longer be available and the effectiveness of the organisation's malware defence system will degrade rapidly. In addition to considering financial stability as a criteria during any vendor selection process, now would be a good time to take stock of the financial status of all current vendors to determine whether you need to re-evaluate those relationships.
We'll continue to witness the rise of managed service providers. Many security services are quickly approaching commodity status, and, amid pressures to minimise headcount, many enterprises have sought to outsource security tasks to the greatest extent possible. I've seen several organisations adopt Software-as-a-Service (SaaS) products, such as the vulnerability-scanning platform from Qualys and the Web vulnerability scanner from WhiteHat Security, as a way to reduce costs. At the same time, vendors who traditionally sold security appliances are shifting to a NOC approach, offering 24x7 monitoring and maintenance for firewalls, intrusion prevention systems and the like. SaaS security tools offer tremendous benefits; enterprises are no longer responsible for maintaining and upgrading the tool itself, and your staff is left working in its core area of expertise: security management. Managed service providers take this a step further and outsource the analysis as well. On the flip side, using any of these services introduces some degree of risk, as confidential information about security posture is being shared with a third party. If you're not already considering using one of these services, put it on your short-term radar screen.
Our mindset will shift from compliance to operations. Whether you like it or not, many of us have spent the last three to five years focused on compliance issues. PCI DSS, Sarbanes Oxley, HIPAA and GLBA are just a few of the laws and regulations that security managers have been tasked with managing or helping with. Now that the industry has focused on compliance for some time, the urgency to comply by and large has lessened to a degree. Expect to see pressure from within the organisation to move your security resources back into a supporting role, providing security consulting support to business initiatives.
I don't mean to paint a "doom and gloom" picture for 2009; the coming 12 months will be full of opportunities to grow and excel. Take the opportunity to streamline the use of both human and financial resources. It's healthy for any organisation to periodically re-evaluate expenses, vendor relationships and business priorities. However, it would be ignorant to stick our heads in the sand and attempt to ignore the state of the economy and the potential impact it will have on our business. Rather, it's important to adopt an opportunistic attitude and prepare for the inevitable changes we'll face. Best wishes for a happy and prosperous 2009!