Callum Macleod (Africa) - Security Best Practices: Wise to Cut Spending in Poor Economic Conditions?

There is a risk that a cut in IT security spending will only leave the doors open to cyber crime. Callum Macleod, at Venafi, argues that letting the cyber-guard down will be more costly in the long term.

"During [an] economic downturn, criminals will more aggressively pursue data crimes that can make a lot more money than traditional crimes. Today, there are more removable media and unstructured data which creates the chance for data leakage. There is also the rise of the trusted insider threat." ZDNet

We're certainly in the middle of a downturn and there's no lack of zealous hackers with PCs, gaming systems and other processor-rich, networked devices. These cyber criminals, armed with better technology tools than ever before, will continue to hack systems by breaking cryptographic algorithms in new, more tenacious and sinister ways.

What's more, according to the analysts, there have already been more than 100 million personally identifiable customer records breached in the US over the past two years, and most of those breaches have occurred at companies that are household names. As a result, business partners and customers are demanding better security controls for dealing with sensitive data, and they want a trail of evidence to prove it.

Perhaps you're unconvinced of the now-famous staggering costs, both long- and short-term, of a breach. Maybe you'd rather risk it, try to save the spend or direct it to something more "strategic," while praying nothing happens. Well, let the example of a large, unnamed retailer, recently exposed in a security study, put that fallacy to rest for good.

"A large retailer that experienced a theft of customer data in 2007 took $270 million in charges against profits for expenses related to the loss and theft of customer data. The capital loss from the firm's share price decline amounted to more than $950 million in the first three months after the event. This decline was slightly reversed to a $680 million loss after the first year."[1]

Do you do as Heartland is doing: deploy so-called "end-to-end" encryption in an effort to stave off both hackers and the brand-damaging, expensive consequences of an unencrypted breach? There isn't much of a choice. Certainly, no respectable enterprise can afford to run the risks of reducing IT spend on security.

One analyst spoke rather bluntly about the need to mitigate the risks of data loss through increased use of encryption, data-leakage prevention and other breach-prevention technologies, and this in spite of an overburdened economy and reduced organizational budgets.

According to John Oltsik of the Enterprise Strategy Group,

"We all realize that the economy stinks and CIOs absolutely must cut IT spending. That said, the ESG data suggests that they take a prudent approach to security spending cuts. Remember that one publicly-disclosed breach can cost a lot more than a security staffer, technology safeguard, or additional training."[i]

"The pharmaceutical company's CIO agrees that he needs to enact all of these suggestions and even says he has most of the encryption technology in place and ready to go. But without buy-in from senior executives, such as the COO, CFO and chief medical officer, he says none of it will work."

I wonder if there isn't a blog here about how encryption is often "ready to go" but the management nightmare is preventing widespread adoption? Or something like that?

A recommendation from the consultant who did the audit:

"He advises companies not to rely on users or business partners to do the right thing. Instead, you should automate encryption. For instance, the company should extend its use of transport layer security, which is already used to secure its communications with the FDA, to transmit sensitive documents to other business partners."
[i] John Oltsik, Enterprise Strategy Group Analyst. "Data Breach Incidents Are Increasing, Study Shows," February 2009.

Calum MacLeod is currently EMEA Director for Venafi, a digital certificate and encryption key management specialist. He has over 30 years of expertise in secure networking technologies. For further information visit: