By Teri Robinson, E-Commerce Times
09/18/02 7:21 AM PT
Companies must first determine which threats they are vulnerable to, then figure out how much damage a breach could inflict, and finally sift through the abundance of security products on the market.
Allocating precious budget dollars is always a challenge in a down economy,
and with security threats seeming to loom at every turn, chief information
officers are struggling mightily to gauge risks and decide how to counter them.
This is far from a black-and-white issue. In a Morgan Stanley survey of 225 CIOs, security software ranked second behind integration as their top priority. But Eric Hemmendinger, research director for security and privacy at Aberdeen Group, told the E-Commerce Times that companies "are not doing as much as they could be doing" for a variety of reasons.
According to Aberdeen, although deep cuts in budgets and personnel have left many
companies operating on a shoestring, there is some evidence that IT spending will rise
slightly this year, meaning more budget dollars will be available. A survey conducted by the research firm showed IT managers expected a 1.4 percent decrease in spending last year but believed spending would increase by 3.7 percent in the last half of 2002.
Not Enough Protection
However, even if management shakes loose some extra dollars, it is doubtful
that any company will be able to purchase sufficient security products to
protect its network from all of the myriad threats plaguing the Internet.
And the number of threats is rising. Patrice Rapalus, director of the Computer Security Institute, told the E-Commerce Times that in the Computer Crime and Security Survey for 2002, 74 percent of respondents reported vandalism at their Web site, up from 60 percent the year before.
Moreover, 90 percent of the 502 participants in the survey, which is conducted by the
Institute with the participation of the San Francisco FBI Computer Intrusion
Squad, said their companies had security breaches last year.
In part, that is because companies are opening up their "borders" as never
before -- to suppliers, business partners and customers -- in an attempt to
stimulate and streamline their e-commerce strategies.
Striking a Balance
But not every security breach represents a real threat to every enterprise,
and relatively few are reported and investigated. Moreover, not all products work
as advertised. While the temptation may be to throw money at a security problem
in a knee-jerk reaction to perceived risks, decision makers instead should determine
how to allocate resources by considering the threats, the motivation behind them
and the true risk to their company -- as well as the capabilities of security solutions
and their relative cost. In other words, executives must perform a delicate balancing act.
It is also important to recognize that not all serious breaches involve the theft of money; rather, incidents can run the gamut of transgressions, according to Rapalus. Companies must first determine which threats they are vulnerable to, then figure out how much damage a breach could inflict. "It is all about risk," she said.
Once risk is properly gauged, companies must sift through the abundance of
technology on the market. One way to save money is to rely on security
mechanisms that already exist in many applications and networking products.
Indeed, companies increasingly are turning to "security already incorporated into
vendor solutions," Patrick Wheeler, a product manager at Internet Security
Systems, told the E-Commerce Times.
Match Making
Frugal companies also should ensure that the technology they buy will actually
resolve perceived problems. This means they must look closely at so-called
security products, evaluating what they are supposed to do, what they actually
can do, and where their weaknesses lie before expending budget dollars.
Experts urged companies not to stop short and leave holes in their security
schemes. For example, it is a waste of money and effort to secure a corporate wireless
network by detecting and eliminating unauthorized access if a door is left open via employees' home wireless networks.
Let Someone Else Do It
Many companies are finding some financial relief by outsourcing security
rather than building an internal strategy. While many feel that they might lose
control over their operations, it is often cheaper to turn to a third party, such as
Internet Security Systems or RipTech. For a few thousand dollars per month,
companies can purchase round-the-clock monitoring and troubleshooting without
paying US$1 million for a small team of security specialists.
In addition, since security products are constantly evolving, enterprises might
benefit from phasing in a security strategy, paying only for what they need,
when they need it.
When To Report
Companies also need to determine when they should report security breaches to
the authorities. At first blush, immediately reporting an incident seems the prudent
thing to do. But investigations can drag on for a long time, expending valuable
resources. And many companies feel that reporting breaches may make them
seem vulnerable in the eyes of their customers, according to Rapalus.
"Nobody's reporting it," she said, adding that many executives are reluctant to disclose
incidents even in confidential surveys.
Hemmendinger concurred, saying that no company wants to publicize illegal
transactions or other system compromises. But by reporting breaches, companies can
share intelligence with their peers and help ward off future attacks. That, in turn, can
save money down the road since prevention is cheaper than repairing damage.
In the end, the security solution that probably takes the smallest bite out of corporate
budgets is very simple: Set a security policy, educate employees and then enforce the
rules. Catastrophe is never completely avoidable, but a prudent approach to risk
can be a cost-effective way to reduce its likelihood.