Austerity was the defining principle for investment and operations during the past two years.
Professionals were challenged to do more with less and some functions were put on life support. Information security and other risk-management disciplines had to operate with less resources and more demands for success.
Information security professionals learned to adapt and be flexible to keep up with technology, reduced workforces and changing business operations.
Securing organisations with a skeleton staff has been quite a challenge, and yet many security leaders have managed to accomplish the seemingly impossible. By weathering the storm we have proven that the initial investment in security infrastructure is sufficient to protect the enterprise.
The latest reports from financial pundits state that the recession is over and investment and spending will once again be he hallmark of successful organizations. The question on the minds of information security leaders is whether funds will be directed into their budgets.
Have we, by doing a great job by operating with a bare-bones budget, signed our own death knell? How can security leaders ask for budget increases when we have demonstrated that we can manage to keep our organizations secure with less investment that we traditionally demanded?
It is incumbent on the astute security leader to craft a business case for investment in security products and solutions that will keep pace with the advances in technology that continue to sweep the nation.
The FUD (fear, uncertainty and doubt) principles no longer apply. We need to devise a new business case for advancing the contributions that information security can make to organisations. The concept of return-on-investment needs to be retired and replaced by the concept of “cost of doing business”.
Information security leaders have the unique opportunity to integrate security controls into each and every aspect of newly evolving business operations. The change needs to focus not on technology but rather on culture. By emphasising the importance of early integration of security into the organization's operating model, a business case can be made supporting additional investment for security.
The landscape for security professionals is still slippery. A prudent and conservative approach to increasing security investment may be more successful than demanding that things go back to the way they were.
The new security leader will be a hybrid of technology savvy as well as business savvy. Speaking the language of the business leaders who control the coffers will ultimately serve the organisation and its stakeholders better than the traditional approach used for decades.