Security professionals in the financial services industry can weather an economic downturn by focusing on low-cost activities, articulating their business value, and doing some career management, experts said.
As the financial-services market continues to reel from the subprime mortgage crisis, security teams may need to use such survival skills to deal with flat or tightened budgets. In a few cases, security organizations in financial services firms have experienced significant cuts, but more often, budgets are projected to stay flat for the next year or two, said Khalid Kark, principal analyst at Cambridge, Mass.-based Forrester Research.
"They'll be expected to do a lot more from the same budget," he said.
The situation is the same for security professionals in other industries, Kark added, but for those in financial services -- an industry which traditionally has devoted more resources to security than other verticals -- belt tightening is less common.
"Financial services [security pros] tended to have a lot more money and liberty to do what they wanted," he said. "Now they're facing the same challenges."
To deal with the weak economy, security pros may want to consider focusing on existing infrastructure and less expensive endeavors, said Bruce Bonsall, CISO at MassMutual Financial Group.
"When a slowing economy causes funding to dry up, IT security professionals might consider focusing on lower cost activities such as polishing up procedural documentation, running through mock security incident drills, and internal cross training," he said in an email. "If funding for new tools is unavailable, think about what's already in place and how to make it better at little cost."
Avoiding budget cuts requires security chiefs to make sure the C-suite understands security's value to the business, said David Pollino, an information security practitioner working in financial services.
"Clever CISOs need to take the opportunity to fully articulate the value provided to the company's bottom line, otherwise they will face the same budget cuts and may see the size of their team shrink," he said in an email.
The value statement, Pollino said, might include the value of online fraud prevention, reduction of internal fraud, or the value of intellectual property protected by information security systems. "Difficult economic times often bring an increase in fraud and theft, both internal and external," he added.
Regulatory compliance is another area in which security can demonstrate its value to the business. Pollino noted that regulatory initiatives such as the Federal Trade Commission's Red Flag rules require support from security professionals. The Red Flag rules, which take effect Nov. 1, require companies that maintain personal financial information on customers to have systems in place for spotting the "red flags" that indicate potential identity fraud.
Kark echoed Pollino in advising security pros to ensure they communicate their business case to senior management. "That's become more important in financial services but in general as well," he said. "Unless you're able to articulate your case in terms of business needs and business impact, it's going to be very hard for you to get budget."
An area that's resonating with senior management is linking information security to broader risk management initiatives rather than making security just about tools and technologies, Kark said.
In fact, at some financial-services firms, security spending has gone up -- triggered by the trading scandal earlier this year at French banking giant Societe Generale, he said. The case, in which a rogue trader allegedly carried out $7.2 billion in fraud, spurred some firms to rethink their security spending.
"That additional spend tends to be in a specific area, which is the linkage between security and risk management – not necessarily in technology, but to firm up the processes that may introduce an element of risk."
In terms of risk management, companies should focus on educating their employees, Kark said. A lot of breaches are caused by users inside an organization; companies can reap dividends from a security awareness and training program that's specific to an employee's role and the types of data they handle.
"Just by working on the people, we could reduce the amount of threats and risk to an organization," Kark said.
While they figure out ways to avoid the budget ax, security professionals in financial services should proactively manage their careers so they don't get caught flat-footed, said Lee Kushner, founder and CEO of information security recruiting firm LJ Kushner and Associates.
That means keeping their skills sharp, building relationships both inside and outside their company, and making themselves marketable, he said. "People have to be career managers. You have to be the CEO of You, Inc."
Kushner said he's seen some professionals who have made successful careers in one company suddenly realizing their skills aren't necessarily transferable: "They wake up and they're not marketable because their marketability is based on getting things done in their own organization."
He added that security pros with sharp technical skills -- particularly in the area of application security -- remain in high demand. Those with skill in Payment Card Industry Data Security Standard compliance are also in demand, he said.
"Security professionals are highly portable and should not be afraid to jump industries," he said. "Financial services experience is very valuable to other industries."