Avoid the security traps of difficult times, warns Gartner


Enterprise security budgets have always been difficult to justify, and the global economic crisis is making them even more difficult – and leaving manufacturers open to risk management mistakes.

So says analyst Gartner, which believes that corporate security professionals face a complex situation, having to work with constrained financial and staffing resources to manage and mitigate a changing risk environment. "The keys to justifying and optimising security spending are to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk," comments Jay Heiser, research vice president at Gartner. But he warns that security professionals are unlikely to achieve these goals if they fall into one of four common risk management mistakes.

First, he advises that the same level of security protection (or spending) can't be simultaneously effective and economically viable for each business unit. "An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk," says Heiser.

Second, he warns manufacturers not to fall into the trap of making plans based on what the security organisation wants, not what the business needs. "It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives." If business managers can't or won't provide information about the risk significance of their business processes, then high-level managers must step in and mediate, he advises.

Third, don't make risk-related communications too complex for the business to understand, says Heiser, commenting that security professionals need to develop a consistent way of expressing the criticality of IT systems. "Gartner recommends a simple three-level scale – high, medium and low – to provide a common reference point for articulating the business criticality of IT that can potentially be used for a corresponding set of risk management service levels," explains Heiser.

And fourth, he suggests that allowing line-of-business managers to transfer their risk to the IT organisation is not smart. "Line-of-business managers are only too willing to take advantage of the IT organisation's willingness to accept residual risks, making the mistaken presumption that IT's 'standard offering' will effectively address any form of IT risk. Such an approach makes the IT organisation the scapegoat for security failures," opines Heiser.

"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk and security service level agreements (SLAs) will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," says Heiser.