The global economic downturn is making everyone's jobs harder, and IT security executives are in the hot seat, too, struggling to hold onto budgets and align IT security projects with business needs amid cost-cutting.
Ten of these top-level US security managers, including those from eBay, Time Warner, Cigna, Novartis and Motorola, shared their thoughts on coping in a new report titled, "Driving fast and forward: managing information security for strategic advantage in a tough economy."
This report grew out of the Security for Business Innovation Council, an ad-hoc group formed a few years ago by EMC's RSA division to tap the brains of security managers at Fortune 1000 companies.
"I think the days of big budgets, big battalions of security practitioners standing in the overhead cost line are well past," says Bill Boni, corporate vice president, information security and protection at Motorola, in the report.
"Part of the challenge is that the bigger the team becomes, the more challenging it is for leadership to really align with that kind of large cost with large value."
Craig Shumard, chief information security officer (CISO) at Cigna, thinks there are too many security products and a tremendous overlap.
"The security product stack has become unsustainable," he says. "I've challenged every vendor that I've met with recently to help me define the seven or eight products that we need to achieve the same level of security that we have today. We can't continue to operate 15 to 25 (or more) security products.
"I don't believe that we can continue to just add new security products to the environment and expect that we will use them effectively. I keep visualising the Leaning Tower of Pisa. Maybe the security control tower is standing today. I think that if we keep adding products, the tower will fall over and bury the folks trying to manage it."
A lot of it is risk-based decision making, says Dave Cullinane, vice president and CISO at eBay Marketplaces.
"You need to be able to quantify the risks and say, for example, 'We've got a $300 million exposure, and we need to spend $30 million this year getting it down to a reasonable level.' Beyond that, the fear, uncertainty and doubt stuff isn't working anymore. People just aren't buying it. Even if it does raise their concern, it doesn't do anything to loosen their wallets. Because most companies are looking at very tight budgets, so you're going to have to have a very good business case as to why you should get funding."
Andreas Wuchner, head of IT risk management, security and compliance at Novartis, says he doesn't want to have a huge security team but rather have security built into the knowledge of every person working for the company.
"For example, if there is an IT operator on the Unix side, or the Windows side, he has to have some security knowledge," he says. "For us, it wouldn't work to have a huge security work force going out to the organisation saying, 'That's bad, you're doing this wrong, that won't work.' You need to get security built in, into the business processes; into the development of new software ... I don't think there is another way to win this race."