Let’s be honest: even in a good economy, when business is booming, security is still a reluctant afterthought in most cases. Why do we have Sarbanes-Oxley, HIPAA, GLBA, PCI DSS and other legislation and regulatory requirements? Because companies can’t be trusted to do the right thing of their own accord. Had they done so, the situations that sparked the creation of each of the various laws and guidelines would never have occurred.
Spending on security is like buying insurance. You spend money on health, auto, home, and life insurance (and perhaps others), but you hope to never use it. If you never get in a car accident in your life, you could still have spent more than $50,000 over your driving lifetime to protect yourself against something that never happened. You could have bought two new cars outright with cash and just forgotten about the insurance.
Companies tend to look at security like that as well. There is no return on investment (ROI). There is no upside gain. Budget is being allocated and money is being spent to safeguard against a gamble that may never come to pass. All that money may just be wasted. Even before there were laws demanding a baseline minimum of security controls, many companies waited to address security until after an incident. At least once the company had experienced the pain of an enterprise-wide malware infection, or a data compromise of sensitive information, it had a barometer against which to measure the cost of making sure it didn’t happen again.
So, in a recession, or a depression, or even just a quarter of down revenue, security is often one of the first things to go. However, we do have SOX, HIPAA, GLBA, and PCI DSS. That means that aside from the pain the company will feel if there is a data breach or malware compromise, and aside from the damage that will be done to the reputation of the company if customer data is leaked or compromised in any way, there are also additional fines and consequences, including possible jail time, to try to create the proper ‘incentive’ for companies to do the right thing.
But money is tight. According to the article ‘What Can You Afford NOT To Do On IT Security?’ from CIO.com, budgets may not be cut from 2008 levels, but they also won’t be going up in many cases. Personally, I think that more will be cut than this article suggests. Unified Communications and VoIP security administrators will need to be more resourceful and perhaps look into the free and open source tools available to help protect the unified communications infrastructure. It is possible to protect the network on a minimum budget, but the learning curve may be steeper, and getting support requires more initiative and effort than simply dialing the vendor’s toll-free number.