
An Economic Outlook on Information Security

As enterprise information security spending is scrutinized in unprecedented fashion in 2009, Information Technology management will seek to get more for their security dollar. While budgets tighten and risks grow due to the global economic downturn, IT departments will be looking for point solutions, not suites of security tools. CIOs and IT managers will depend on risk-based decision making and the return on investment for each budgetary dollar spent on security, resulting in a greater sensitivity towards the proper prioritization of security efforts.

With most companies looking at very tight fiscal budgets in 2009, a valid business case will be required for each security initiative. Many industry analysts expect both large and small enterprises to cut security-related spending from their IT budgets in 2009. While information security is unlikely to see major budgetary cuts due to its importance, the industry will be subjected to increased pressure to contain security-related costs and reduce expenses, even in organizations with budget increases. With the heightened concerns brought on by a shaky economy, IT organizations will seek to strike a balance between reliable information security and budget concerns, selecting targeted solutions at a lower cost over broader security suites or packages filled with features that may not be needed or utilized by the business.

When dealing with enterprise information security in 2009, the adoption of key best practices in the areas of processes, technology, and people will become critical to reducing budget expenditures while maintaining an acceptable level of effective security. Security processes will be streamlined to reduce the potential for negatively impacting business productivity. Security technologies and solutions will be consolidated where a cost savings can be gained with no reduction in the overall effectiveness of the enterprise security posture. More importantly, technical personnel will be directed to do more with less, using existing or fewer security technologies where possible and deploying new security solutions only when properly justified and evaluated against business requirements.

In 2009 we will continue to see increases in the size and scope of security attacks on enterprise data networks nationwide. While many of these attacks will come from external sources, it is necessary to consider the internal threat to be one of the greatest in terms of risk. Employees with malicious intent have always been a threat to their employers and are commonly rated as one of the top risks, even in good economic climates. As organizations continue to shed jobs and the number of unemployed IT workers climbs, the threat from employees with malicious intent has become one of the greatest security concerns in 2009. Whether for profit or to inflict harm on an ex-employer, the number and frequency of internal security incidents are poised for a sharp increase due to the current economic situation. As the economy worsens, we will likely see an increase in the reported cases of desperate and malicious employees compromising security for monetary gain.

After malicious employee activity, the threat from social engineering is growing as well. A 2004 Gartner report states that the greatest single security risk to the enterprise over the next 10 years will be the increasing use of sophisticated social engineering attacks. That prediction is proving to be true. In 2009 we will see the expanding use of social engineering tactics as perpetrators seek a simpler approach to breaching IT security systems. The current state of the economy will make social engineering a more appealing alternative to more common forms of security attack, a direct result of the perceived security weaknesses that can occur when an organization undergoes major changes in IT leadership or staffing levels.

Due to several recent and highly publicized data breaches, as well as the increasing demand for privacy and security regulation, the priorities of IT have been refocused on information security in 2009. The challenge will be in maintaining that focus while at the same time leveraging a limited security budget to secure the enterprise against a growing number of complex threats. Although the financial outlook for 2009 is less than promising, there is opportunity to maintain an acceptable level of information security within the enterprise. With appropriate security planning and constant vigilance, IT organizations can weather the storm.

By Mike Dailey, IT Architect and Sr. Network Engineer
