Are hired hackers worth the cost?

COMMENTARY: There's one way to prove that security is a necessary IT expense: hire hackers to successfully break into your own network.

CFOs are treating security as a cost item to be controlled--and in some cases, even eliminated. That's the buzz at the recent CeBit trade show.

Despite IT managers wanting to spend more on security, CFOs are putting the brakes on such spending. The latest thinking, apparently, is that the terrorist activity was more than a quarter ago, so it's history. In other words, CFOs are seeing all those security costs on the balance sheet--yet they're not seeing any security problems. (The fact that increased security is heading off problems is lost on them.)

This doesn't surprise me. I've been hearing similar sentiments from people in the US. Outside the IT community, it seems that security is either a business impediment or an unnecessary cost. As a result, CIOs and network managers are under constant pressure to do less, as a way to save money and reduce inconvenience.

Unfortunately, the primary argument to unlock dollars for security infrastructure is that you have to get attacked first. But there's one way to prove that security is a necessary IT expense: hire hackers to successfully break into your own network. That's right--hackers for hire. Though it sounds like an oxymoron, a number of companies, notably Computer Sciences Corporation of El Segundo, California, employ hacker engineers.

These "ethical hackers" will break into your network, take it over, and then produce a security assessment report that uncovers your vulnerabilities. At this point, security is no longer a theoretical issue. You can point to specific tasks you must complete to protect your company's integrity.

Of course, hackers for hire don't come cheap. I heard from some CeBit show attendees that a simple firewall check, for example, can cost US$5,000.

But if your company balks at hiring a hacker and insists on reining in the security budget, remind everyone that you'll be living on borrowed time. Controlling costs is always important, but you can't risk millions of dollars by being lulled into complacency.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.


Talkback 1 comments

    Anonymous -- 27/03/02

    If the IT managers don't know how to make their firewalls secure, then hiring someone to check it out is just a "point-in-time" solution. It will be full of holes a few days/weeks later simply cause you still don't know how to manage the firewall.

