Half Empty, Half Full
The silver lining on these figures is that half of these businesses appear to recognize that security is still critical in a downturn, perhaps even more so than in good economic times.
Shifting Risk Picture
As individuals see and experience the effects of the down economy, they may begin to take measures they never would have before considered to protect their own interests in case of a future layoff, like stealing company data with the intention of using it as leverage to gain employment with a competitor. A February study by the Ponemon Institute found that 59 percent of employees who leave or are asked to leave a company will steal company data, such as proprietary information and intellectual property, e-mail lists, customer contact lists and employee records.
All security leaders should be looking closely at these risk areas in their organizations and acting to close up gaps in protection.
Maintaining and Enhancing Security
It appears that, as other business functions often do, security returns to its core when it falls on hard times. Awareness programs are essential to strong security; for one, they are a force multiplier, basically turning employees and management into additional security eyes and ears. A good awareness program can stop many potential internal incidents like intellectual property theft and workplace violence events.
The second-most reported trend, just shy of tying with the first, was an active movement toward technology solutions. Like awareness programs, many technology solutions can act as force multipliers, maximizing protection and coverage. This quality may be making it easier for security leaders to show the value of technology investment in our economic downturn.
The final trend the Council identified in these responses was a move toward stronger prioritization of risk. Many respondents noted that they have decided company-wide, with the input of other business leaders, to focus resources on the greatest risks to the company. Before the downturn, many security organizations had the luxury of focusing on what may now be considered peripheral issues, reaching toward a goal of more perfect security, instead of most reasonable security. In this economic environment, however, the exercise of prioritizing risk and determining acceptable risk has become more critical.