Schneier: Security neglected in economic gloom

While it may seem logical to downgrade security, Bruce Schneier argues that security should be maintained or boosted, as systems become more business critical in a recession
Written by Tom Espiner, Contributor
IT security has been neglected due to the economic downturn, according to security experts.

Bruce Schneier, BT's chief security technology officer, told a European Network and Information Security Agency (Enisa) event on Friday that organizations are struggling to keep on top of workloads that have increased due to layoffs.

"Times are tough, even for criminals," said Schneier. "Organizations are dealing with more disgruntled employees — the people you are firing. People in organizations are doing a lot more fire-fighting. IT security has fallen by the wayside, because you're not getting something done — it's preventative."

Schneier said that people judge IT security, as they do any business activity, by its results. However, successful IT security produces no tangible result of its own, so people focus on outcomes they can measure.

"People view business in terms of what it will do for me today," said Schneier. "When it comes to [activities such as] updating firewall settings, people say 'We'll do that when we have time.'"

This lack of tangible results can lead to security budgets being cut, said Schneier, especially if the IT security capability has been so good it has prevented incidents.

"This happens in IT security all the time," said Schneier. "If you're doing really good, people will say 'We don't need you, because there have been no incidents'. Justification for IT security requires a level of abstraction."

Schneier said that organizations that are reducing their staff levels, for example by 15 percent, would think it right to reduce their security capability by 15 percent. However, Schneier said this reasoning was flawed.

"It seems logical you can reduce security by 15 percent, but it turns out not to be the case," said Schneier. "Because of redundancies, companies are becoming leaner, and IT systems are becoming more critical to the business. I'm seeing security groups being asked to harden systems because they are more business-critical."

Chris Potter, a partner at auditors PwC, said that incidents tend to happen every three to four years, which means people downgrade the risk.

"Over time, risk assessments deteriorate," said Potter. "That window of three to four years is a long time in the corporate memory."

Potter added that organizations that have invested in automating computer processes have been the most resilient through the recession.

"The more organizations have invested in automating where they can, the less they have been affected by the downturn," said Potter. "Organizations that are less mature have been the most affected."

At the same Enisa event on Friday, security experts advised businesses not to clamp down on social media.

This article was originally posted on ZDNet UK.
