Even with all the steep budget cuts, spending on IT security projects appears safe.
“We did not see a dramatic decline in security budgets like we thought we would,” says Mark Lobel, principal at PricewaterhouseCoopers (PwC), New York, New York, USA. “Our working hypothesis was that security is going to get slashed to the bone and frankly, the numbers did not support that.”
A 2009 survey by the consulting giant found that 63 percent of 7,200 IT executives from 130 countries said they will either increase or maintain their spending on data security in the coming year.
“If you are looking for projects, security is still going to have them,” Mr. Lobel says. “They may not be as big as in the past, and some of them may even be delayed ... but security is going to be an area of focus.”
Survey results reveal that companies are looking hardest at—and placing their highest expectations on—initiatives that:
Address the “big risks,” such as hackers accessing financial information
Improve data protection
Invest in disciplined alignment with the security strategy
Increase efficiency and reduce cost
To get the job done, project managers have to look at the big picture.
“It's not about knowing every piece of data you have in an environment—it's about defining what the critical data elements are, where they are located, what controls are in place to protect them, and what laws and regulations apply to those elements,” Mr. Lobel says.
Armed with that information, project managers can help create an information security framework. “We are talking about creating a bunch of projects over time, which creates a strategy role for strong project managers,” he says.
But with those increased opportunities comes increased pressure to deliver ROI.
“You've got to define and track the benefits through the capital project—that's where I think it's going to be important for project managers to stay focused on the value of the project,” Mr. Lobel says. “A solid project manager is the underlying foundation that a successful security program will rely on.”
Given the pressures on the bottom line, project sponsors may be more willing to take on IT security risks rather than focus on mitigating them, says Rob Sadowski, senior manager, technology solutions at RSA, an IT security company in Bedford, Massachusetts, USA.
“There will be a much sharper focus on generating project results as soon as possible, with companies wanting more rapid ROI,” he predicts. “As a result, businesses may not be willing to weigh risk assessments.”
Mr. Sadowski points to the expansion of IT infrastructure virtualization, such as cloud computing. These projects may lower the costs an IT department incurs on everything from electricity and hardware to staff support time, but they may also allow a third party to access private data.
“A system like this may create risk, but the business is charging head-first,” says Mr. Sadowski. “Efficiency and cost reductions are more important than getting risks assessed and addressed.”
In the PwC survey, 48 percent of respondents said virtualization improves information security, 42 percent said it has no effect, and only 10 percent said it creates vulnerability.
Mr. Lobel says even his team doesn't fully agree with the findings.
“There's a compelling speed and dollar justification for sourcing things to virtualized cloud environments,” he says. “As a project manager, are you going to be able to get on that ship and control it? Or are you going to be dragged behind by the tow rope? It's going to be incumbent on project managers to stay ahead of the risk.”
Yet as sponsors demand more efficiency and value from their project managers, risks become harder to manage. Companies are forced to adopt a “ready, fire, then aim” mentality, Mr. Sadowski says, but the battle to protect virtual information from malicious third parties or “fraudsters” will continue.
“There will definitely be a lot of projects out there. The drivers for spending are still there,” he adds. “Fraudsters never stop innovating. And we're going to keep spending on security innovations. It's that innovation that's going to take us out of economic downspin, even if it comes with some added risks.” —JD
PM NETWORK FEBRUARY 2010 WWW.PMI.ORG