How much should IT security cost in 2010?

by | Feb/17/2010

Often, after a company has an IT security breach, IT professionals blame the breach on their limited IT budget. They cannot replace a 12-year-old desktop, much less focus on upgrading their old corporate anti-virus package from the 2006 version.

These days, most organizations already own everything they need to make their security dramatically better than it is today. Microsoft servers include tools like event logs, Group Policy Objects, file permissions, user rights, patch management, disk encryption, authentication, certificates, and IP Security. Add-on products can enhance these tools, but what your company has already invested in holds a huge amount of untapped potential. You have already spent the money; please use what you have!

For expenses like corporate anti-virus, until the criminal hackers decide to use their skills for good rather than evil, this is something you budget for. Look at the ROI. Almost any company can justify a solid backup program, if not a full disaster recovery plan, once it performs a risk assessment and calculates the amount it can lose without a backup. If you are investing more than $100 per year per user in IT security, perhaps you can reduce your spending and still be well protected. As one of my clients in Houston recently told me, “We don’t want to be as secure as the Pentagon.” Well said.

Additionally, I find many of my clients are moving to thin client technology and investing in virtualization. These moves do often take an initial investment; however, the total cost of ownership over the next three years will sometimes be dramatically less than staying with the existing infrastructure. Even if the total cost of ownership stays the same, there are often huge increases in security and user productivity. And, amazingly, the transition to the new infrastructure can often happen gradually over a few years, which reduces the yearly investment and lets you start realizing the ROI right away where the technology will have the most benefit, such as for remote users. Thin client computing and virtualization are addressed elsewhere in this blog. Please add your comments.