Midmarket security managers must push risk acceptance to the business

Experts at the 2009 RSA Conference say midmarket security managers must work with business leaders to define acceptable risk, and transfer risk prioritization to them when appropriate.

SAN FRANCISCO – As security budgets continue to fall victim to across-the-board IT budget cuts, experts say it's imperative that security managers at midmarket companies reach out to executives to develop a shared understanding of acceptable risk.

A key part of that effort, said security luminaries at the 2009 RSA Conference, includes developing a process for regular interactions with business units that will facilitate a list of security priorities that support the business. IT managers may then use that list to determine which projects and investments are shelved when cuts are made, and have executives and business leaders decide whether they are willing to accept the resulting risks.

"You've got to get business heads together and stack a list of priorities, and force business units to fight it out," said Rich Mogull, founder of Phoenix-based consultancy Securosis LLC during a panel discussion Thursday at RSA. "If you're asked to cut 20%, the bottom of that list will be gone. Make them accept that risk."

Building that list, however, may be easier said than done. Experts say they are constantly asked for a baseline of must-have technologies companies should put on the list, but no two business models are alike, which makes a universal baseline nearly impossible. A best guess starts with a base level of perimeter protection.

For the midmarket, that often translates to unified threat management (UTM), which integrates malware protection, firewalling and content filtering in a single appliance. Centralized management of those features makes UTM especially attractive for resource-strapped organizations.

Configuration management and change control are a key next step. Adequately managing patches and configuration changes not only keeps the security state of systems up to date, but also prevents the introduction of new vulnerabilities. Some level of identity management and access control also has a prominent place on the list, as do endpoint protection and secure remote access.

"Security is going to have to define what you're doing and why, and justify your budgets based on value to the organization," said Mike Rothman, a popular industry blogger and senior vice president of strategy and chief marketing officer with Acton, Mass.-based vendor eIQ Networks Inc. "Guess what? Everyone else has to operate like that. Security has to come out of the silo, and the folks who do a good job will come through [the economic downturn] perfectly."

Outsourcing and managed security services are other popular cost-saving strategies for midmarket companies. The panel pointed out no-brainers such as email services and vulnerability assessments as prime candidates for outsourcing.

Most organizations should ask themselves whether they have the resources to build and manage the infrastructure necessary to support these tasks. If the answer is no, then managed services are a smart route. Panelist Michael Murray, managing partner of San Francisco-based consultancy Michael Murray and Associates LLC, pointed out that rather than saving money, organizations may merely be moving it around.

"There is a human cost," Murray said. "You may not be paying benefits anymore, but just moving money over to pay consultants."

While UTM, endpoint protection and remote access technology may be must-haves, companies could also consider some nice-to-have options: data loss prevention (DLP), in particular the content discovery components that can identify where sensitive data lives; network access control (NAC), which identifies what systems connect to the company network; and security information management (SIM) technology, which aggregates, correlates and reports on threats.

While the nice-to-haves may seem out of reach economically for midmarket firms, ultimately, Murray said, the must-have technologies must be dictated by the business.

"Pick the most important stuff from your list and build it out," Murray said. "Do the hard work that it takes to convince your organization to do it with you."
