A key part of that effort, said security luminaries at the 2009 RSA Conference, is a process for regular interaction with business units that produces a ranked list of security priorities aligned with the business. IT managers can then use that list to decide which projects and investments are shelved when cuts are made, and have executives and business leaders decide whether they are willing to accept the resulting risks.
"You've got to get business heads together and stack a list of priorities, and force business units to fight it out," said Rich Mogull, founder of Phoenix-based consultancy Securosis LLC during a panel discussion Thursday at RSA. "If you're asked to cut 20%, the bottom of that list will be gone. Make them accept that risk."
For the midmarket, the top of that list is often unified threat management (UTM), which integrates malware protection, firewalling and content filtering in a single appliance. Centralized management of those features makes UTM especially attractive for resource-strapped organizations.
Configuration management and change control are a key next step. Adequately managing patches and configuration changes not only keeps the security state of systems up to date, but also prevents the introduction of new vulnerabilities. Some level of identity management and access control also has a prominent place on the list, as do endpoint protection and secure remote access.
"Security is going to have to define what you're doing and why, and justify your budgets based on value to the organization," said Mike Rothman, a popular industry blogger and senior vice president of strategy and chief marketing officer with Acton, Mass.-based vendor eIQ Networks Inc. "Guess what? Everyone else has to operate like that. Security has to come out of the silo, and the folks who do a good job will come through [the economic downturn] perfectly."
Outsourcing and managed security services are other popular cost-saving strategies for midmarket companies. The panel pointed to email services and vulnerability assessments as obvious candidates.
"There is a human cost," Murray said. "You may not be paying benefits anymore, but just moving money over to pay consultants."
While UTM, endpoint protection and secure remote access may be must-haves, companies could also consider nice-to-have options: data loss prevention (DLP), in particular the content discovery components that identify where sensitive data lives; network access control (NAC), which identifies what systems connect to the company network; and security information management (SIM), which aggregates, correlates and reports on threats.
While the nice-to-haves may seem economically out of reach for midmarket firms, Murray said, ultimately it is the business that must dictate which technologies are must-haves.
"Pick the most important stuff from your list and build it out," Murray said. "Do the hard work that it takes to convince your organization to do it with you."