Analysis: Even in tough times, IT security should not be shortchanged

Published 22 December 2008

In tough economic times, IT managers, like other managers, look for ways to cut costs and expenses; they should realize, though, that in such times IT security may become even more important than during more normal times.

To spend or not to spend? Maitland Hyslop, COO of Onyx Group, writes that in tough economic times, this is a question facing most directors even more as pressures to cut costs and reduce overheads increase. IT departments are not immune to the current crisis and in many cases have been cut back to only the core services which are viewed as essential for maintaining competitiveness. New projects and upgrades have come under scrutiny and been put on hold. “Is now the time to be investing in data security?” Hyslop asks. He says the answer is threefold.

The first consideration has got to be risk assessment. “We are living in a far more risky economic climate, in which long-standing, trusted institutions that previously boasted apparently sound business models have fallen victim to the sinister forces of the credit crunch.” Each day we see reports of new victims; the pages of newspapers are littered with differing predictions about what the future brings. The truth is that we cannot really know. It is still unclear how wide the repercussions of the banking crisis are likely to be and for how long its effects are likely to be felt.

With increased economic risk comes increased competition. Businesses are having to offer more and at better prices, while continuing to maintain a high standard of quality, in order to remain in the black. “As more services go online it is paramount that the technology supporting them is secure and resilient. Consumers’ trust has been damaged and remains fragile, but there are real rewards to be reaped by those who successfully position themselves as reliable, credible operators who build their strategies around longevity,” he writes. Woe betide those who find themselves suffering a reputation crisis in such a sensitive period.

The second consideration to be taken into account is that accompanying the credit crunch is a whole range of tangible new threats to data security. Mergers, takeovers, and redundancies all further complicate an already complex area. “Previously strong security measures are frequently pulled apart when businesses merge together and it can take considerable time, a resource which is already in short supply in the risky economic climate, to fix the subsequent holes in security infrastructure,” Hyslop writes. Two high-profile financial institutions in the process of merging at the time of writing are facing particular difficulties as one handles security issues in-house, while the other outsources. Overall responsibility and accountability for the security of customer data need to be established, and quickly, for the merged business to continue trading, but pressures across the two businesses can pull staff in other directions.

This is further complicated by the increase in home-working and remote access to confidential data. Conversely, staff may use their personal technologies in the workplace. “Such practices mean that it is harder to draw the line between the private and public sector and security breaches on a private PC or laptop can soon become a corporate matter,” Hyslop asserts. What may initially appear to be an inconvenience for a single employee may actually have implications for the entire business.

Third, efficient and effective use of IT can be the very attribute which puts a business ahead of its competitors. “By outsourcing responsibility for security issues staff can concentrate their efforts on the core business and driving forward new and improved services.” A recent survey by the Management and Consultancies Association (MCA) and the British Bankers’ Association (BBA) found that over 90 percent of U.K. companies already outsource part of their business in order to cut costs, but many still do not know how to get the most out of outsourcing. “While cost-cutting should not be the primary driver of IT strategy, any opportunity to reduce risk and further secure information should be grasped in the current climate,” Hyslop concludes.