Business leaders around the world are struggling to determine exactly how the global economic downturn will impact their operations and profitability. Among security leadership specifically, one oft-asked question is whether budgets are being decreased, and if so, how to tighten protection while tightening the belt. The Security Executive Council conducted a survey through the month of January to find out how some security leaders are answering these and other questions. More than 250 qualified security practitioners responded.

Slightly more than 50 percent of respondents reported that their 2009 budgets have decreased from 2008 levels. While that figure is daunting, turned on its head it means that nearly 50 percent of budgets have not been negatively impacted. In fact, nearly one-fourth of respondents reported a 2009 budget increase. For the half who reported lower budgets, the average decrease was 17 percent, and for the quarter receiving an increase, the average rise was 18 percent. 
     
The silver lining on these figures is that half of these businesses appear to recognize that security is still critical in a downturn, perhaps even more so than in good economic times.

Survey respondents also reported more than 40 percent increases in theft, fraud and requests for support to HR relative to layoffs in fiscal year 2008-2009. These figures shouldn’t be terribly surprising. Even where security budgets are stable or increasing, budgets for other functions may be diminished, meaning more layoffs and a greater need for security support as HR breaks the news. Some companies may be cutting benefits or requiring employees to work longer or harder without increasing pay, which could sow discontent in the workforce and may account in part for increases in theft and fraud.
     
As individuals see and experience the effects of the down economy, they may begin to take measures they never would have before considered to protect their own interests in case of a future layoff, like stealing company data with the intention of using it as leverage to gain employment with a competitor. A February study by the Ponemon Institute found that 59 percent of employees who leave or are asked to leave a company will steal company data, such as proprietary information and intellectual property, e-mail lists, customer contact lists and employee records. 
     
All security leaders should be looking closely at these risk areas in their organizations and acting to close up gaps in protection.

The Security Executive Council asked all its survey respondents to discuss what creative programs or efforts they were deploying to maintain or enhance security programs in this environment of increased risk and decreasing funding.
     
It appears that, as other business functions often do, security returns to its core when it falls on hard times. Awareness programs are essential to strong security; for one, they are a force multiplier, basically turning employees and management into additional security eyes and ears. A good awareness program can stop many potential internal incidents like intellectual property theft and workplace violence events.
     
The second-most reported trend, just shy of tying with the first, was an active movement toward technology solutions. Like awareness programs, many technology solutions can act as force multipliers, maximizing protection and coverage. This quality may be making it easier for security leaders to show the value of technology investment in our economic downturn.
     
The final trend the Council identified in these responses was a move toward stronger prioritization of risk. Many respondents noted that they have decided company-wide, with the input of other business leaders, to focus resources on the greatest risks to the company. Before the downturn, many security organizations had the luxury of focusing on what may now be considered peripheral issues, reaching toward a goal of more perfect security, instead of most reasonable security. In this economic environment, however, the exercise of prioritizing risk and determining acceptable risk has become more critical.

One question this survey couldn’t answer – and one no survey can answer today – is, “What is the cost of security?” A better understanding of the cost of security could both clarify budget impacts and provide a planning resource for security leaders that could help them show security value. Unfortunately, so far, it has been impossible to determine the cost of security because there has been no way to collect the right data from enough practitioners, and because cost can be calculated in myriad ways.