January 05, 2009

Many banks may be walking a slippery slope when it comes to maintaining security levels during the financial crisis. These days, established security budgets offer no safe haven. The key issues are people, managing with less, managing with uncertain budgets, and trying to keep the security and compliance wheels on the bus. Forget security initiatives -- for most bank IT organizations, the focus is survival.

When organizations are in crisis, they often make across-the-board cuts rather than prioritizing reductions based on risk or business impact. Thus security teams face the reality of losing staff members whose actions have been vital to the institution's operational security and regulatory compliance.

IT, security and compliance organizations have historically been understaffed. Consequently, when reductions in head count are needed, it is easy to lose critical operational and institutional knowledge. So when forced to reduce operational security staff, take the time to think it through and clearly articulate the business impact of the reductions.

As banks shed personnel, their identity and access management systems and processes come under strain. Accounts and privileges for each terminated employee must be removed promptly, before a departed employee's credentials can be used by anyone. But unlike during previous recessions, this time layoffs are occurring at all levels and at an unprecedented speed. It is easy for an organization to find itself in a situation where the key players in the control processes governing user account creation and removal have themselves been terminated, leaving nobody to approve the removals that remain. When staff reductions impact user provisioning, it is important to sequence those reductions so the approval workflow never breaks and no control role is left without a surviving holder.
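As an added illustration, not part of the original article, the following Python script performs the two checks the preceding paragraph calls for before a termination batch is processed: it lists terminated employees whose accounts are still enabled, it flags any critical control role that the batch would leave with no surviving holder, and it orders the removals so that every removal still has an approver other than the person being removed. The directory snapshot, the role names access_approver and recon_reviewer, and the rule that every removal needs a current access_approver are all constructed assumptions for the example; a real institution would pull the snapshot from its directory and use its own role names.

```python
"""Deprovisioning batch checks against a constructed directory snapshot."""
from collections import defaultdict

# Constructed sample data, not from any real institution.
# Each record: whether the account is still enabled, and the control roles held.
DIRECTORY = {
    "alice": {"enabled": True,  "roles": {"access_approver"}},
    "bob":   {"enabled": True,  "roles": {"access_approver", "recon_reviewer"}},
    "carol": {"enabled": True,  "roles": set()},
    "dave":  {"enabled": False, "roles": set()},   # already disabled
    "erin":  {"enabled": True,  "roles": {"recon_reviewer"}},
    "frank": {"enabled": True,  "roles": set()},
}

# Assumed roles that must always keep at least one enabled holder who is not on
# the termination list; a role with no holder breaks the control it implements.
CRITICAL_ROLES = {"access_approver", "recon_reviewer"}


def orphaned_accounts(directory, terminated):
    """Terminated users whose account is still enabled in the directory."""
    return sorted(u for u in terminated if directory.get(u, {}).get("enabled"))


def role_holders(directory):
    """Map role -> set of users who hold it and whose account is enabled."""
    holders = defaultdict(set)
    for user, rec in directory.items():
        if rec["enabled"]:
            for role in rec["roles"]:
                holders[role].add(user)
    return holders


def roles_emptied_by(directory, terminated, critical_roles=CRITICAL_ROLES):
    """Critical roles that would have no enabled holder once the batch is done."""
    holders = role_holders(directory)
    return sorted(r for r in critical_roles if not (holders[r] - set(terminated)))


def sequence_terminations(directory, terminated, critical_roles=CRITICAL_ROLES):
    """Order a termination batch so every removal can still be approved.

    Assumed rule: removing user u needs a current access_approver other than u.
    Non-approvers are removed first and approvers last; the batch is refused if
    it would leave a critical role with no surviving holder, because the fix
    (assign the role to a survivor) has to happen before any removal.
    Returns a list of (user_to_remove, approver) pairs in processing order.
    """
    emptied = roles_emptied_by(directory, terminated, critical_roles)
    if emptied:
        raise ValueError(f"assign a surviving holder to {emptied} before processing")
    approvers = role_holders(directory)["access_approver"]
    order = sorted(u for u in terminated if u not in approvers) + \
            sorted(u for u in terminated if u in approvers)
    remaining = set(approvers)
    plan = []
    for u in order:
        candidates = remaining - {u}
        if not candidates:
            raise ValueError(f"no approver left for {u}")
        plan.append((u, sorted(candidates)[0]))
        remaining.discard(u)   # once removed, u can no longer approve anyone
    return plan


if __name__ == "__main__":
    batch = ["alice", "carol", "dave"]
    print("still enabled:", orphaned_accounts(DIRECTORY, batch))
    print("plan:", sequence_terminations(DIRECTORY, batch))
    try:
        sequence_terminations(DIRECTORY, ["alice", "bob"])
    except ValueError as err:
        print("refused:", err)
```

The refusal path is the point of the example: a batch that removes both access approvers is rejected up front, rather than discovered halfway through when the last approver's own removal has nobody left to sign it off.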

Control processes such as audit or security controls tend to be labor-intensive and are often early victims of cost-cutting initiatives. Think how tempting it is to lay off the low-level paper pusher (LLPP). The problem is that among the many routine tasks the LLPP performed were several that were vital to the organization's regulatory compliance. Reducing control processes may impair an organization's ability to recognize, in a timely manner, that something is going wrong at the operational level. After all, there was a legitimate business reason why those controls were implemented in the first place, and that reason does not disappear with the person who ran them.

The tension here is that business reality forces companies to reduce staff quickly. Therefore vital functions need to be identified and passed on to survivors before terminations take place. Often, by the time the vital functions have been addressed, the net cost savings may be far less than anticipated.

Managing With Less

The general challenge, of course, is managing with less. It is more important than ever to have a strong business justification for every activity, a sound risk assessment process for understanding the business impact of any reduction, and a willingness to consider alternative approaches to meeting your security requirements. The challenge of the current crisis is that suspending new security initiatives is often not enough; many organizations are reducing previously approved budgets or instituting spending freezes. It is nearly impossible to maintain an institution's level of security in the face of uncertain and constantly changing budgets.

Security issues are a mere shadow of the larger challenges financial institutions are facing. Tough business decisions dominate the agenda. Ultimately, however, organizations that make tough decisions -- and enable their IT and security teams to help -- have a better chance of survival than those that dither. The operational cuts you would make in an organization that needs to be fully functioning six months down the road are entirely different from those for an organization surviving day to day in preparation for a hasty merger, for example. If the underlying business is sound, security teams need to help the rest of the organization understand that security risks don't go away just because budgets are tight.