At Tyco Healthcare, a medical products company, it took a security breach from the outside to convince senior managers to add a computer security specialist to their staff.
Even though the company's security strategy is still in development, the incident provided the sense of urgency that was needed to get the company started on a security policy, said one server administrator for the Mansfield, Mass.-based company.
Most IT administrators would probably agree that it's better not to wait for an incident to inspire a security program, but sometimes that's exactly what it takes to get some security money funneled into their budgets.
In the year immediately following the September 11 terrorist attacks, there was increased interest in security but not necessarily increased spending, according to International Data Corp., the Framingham, Mass., market research firm.
Companies took some time to do security assessments, and now an IDC survey of 1,000 IT professionals, released this week, says that spending for security products and business continuity services will grow at a rate two to three times faster than overall IT spending -- from $66 billion in 2001 to $155 billion in 2006.
The spending will be divided fairly evenly among infrastructure, business continuity and information security, although spending on business continuity products will be slightly higher, IDC said. The survey also takes into account every kind of security product, from VPNs, virus protection and encryption to tape backup, archive systems and high-availability computing, said John Gantz, chief research officer and senior vice president at IDC.
"There is nothing on the radar screen that says you will need less security," Gantz said.
According to IDC, IT managers have long considered security their primary concern, followed by reliability. But for some of these managers, it's not easy to quantify the cost of security breaches, and that can make it hard when it comes time to ask the ROI-driven boss for money to combat future security threats.
Roberta Bragg, a Windows security consultant and author, advises all IT administrators looking to budget for security products to emphasize the business case to their managers. Don't ask for an intrusion-detection system to help identify attacks on your computer system, she says. Don't ask for training expenses so you can learn how to best configure the corporate firewall, and don't ask for money to buy the latest technology because it's new or seems cool.
Instead, Bragg advises administrators to explain to their managers that computer security will keep them in business. If servers are breached, there are potential liability issues, particularly in the case of health care providers. Corporations have to consider repercussions when they cannot protect employees or customers from fraud or the theft of credit card numbers.
They also must consider how much money would be lost if the e-commerce site crashes or if databases cannot be updated, Bragg said.
When providing information about security threats to senior managers, don't be vague. Although such information is often difficult to dig up, it's important to document situations in which companies like yours have lost business, been fined, or spent money cleaning up after a virus or Trojan horse.
"Document your own company security incidents here, of course, but information documenting dollars lost at competitor XYZ goes a long way," Bragg said.
"Having good security can give you a competitive edge while XYZ is fighting a virus."
And finally, document what you did in the past year with the security budget you've been given. For example, if you've had less downtime due to worms and viruses as a result of an antivirus program and awareness training, state that, Bragg said. If stronger passwords meant you've rebuffed attacks, report that. If there was a successful prosecution of an attacker due to a new intrusion-detection system, then that's something to highlight.