Midmarket CIOs Primed To Invest In Security Projects

"(Security) is an ongoing thing. It's something that you don't ever put on the shelf," said Ron Billock, senior director of IT operations for TrueBlue, based in Tacoma, Wash.

At least things are not getting worse, midmarket CIOs say. Midmarket companies say that they're currently unable to add IT staff, but don't forecast further reductions in subsequent quarters of 2010. And while IT security budgets are flat, they're not necessarily on the decline, CIOs say.

"Our security situation is pretty good," said Rick Meuser, director of information technology for Silgan Plastics, based in Chesterfield, Mo. "The systems are in place to make sure we can do what we need to do."

Consequently, CIOs say they're still planning on launching new security projects in 2010, despite the fact they have to work harder at justifying IT security projects than they did a year ago.

"It's tough getting financing for anything. But if it's important to you, you can do your homework, and you justify it. If it's something that should be done, it should be a business decision based off of solid metrics to show its value and worth," Billock said.

Billock said that he planned to allocate more funds to the IT security budget, primarily to ensure that there are enough resources in the budget to invest in automation for routine maintenance functions such as log monitoring, which he said would free up security staff to work on other mission-critical security projects.

Meuser said that he planned to upgrade firewalls and focus security projects around remote connectivity, as well as implement encryption and access management technologies that would prevent certain users from saving sensitive corporate information onto USB sticks and CDs, and then walking off with the data in hand.

"People can walk off with so much of your data nowadays. We want to be able to encrypt those devices so if they are lost, we can protect the data," he said.

Midmarket CIOs say they plan to beef up security architecture to comply with regulatory mandates such as PCI and Sarbanes-Oxley. In fact, CIOs say that regulatory compliance directives are one of the biggest drivers of future IT security projects, along with cost-cutting objectives and the need for adequate security measures to defend against threats targeting company data.

However, despite limited IT budgets, midmarket CIOs say they prefer not to outsource critical security functions.

"We'd much rather keep that internal," Meuser said. "We know exactly what's going on and how we're protected and where the holes might be."

And unlike other years, CIOs say that some of the biggest security threats they've had to deal with in 2009, and will continue to watch in 2010, have been internal threats, which have ranged from accidental loss to deliberate theft of financial data.

"You worry about the disgruntled employees leaving and taking data with them, or accidental loss," he said. "We've always focused on the external threat, or the bad guys. Now we have to protect ourselves from the 'good guys' if you will."

The hardest task, CIOs say, will likely be convincing the organization that their employees are the ones posing the threat.

"It's a hard thing to even talk about because people don't like to think their own resources would do something like that. I think that is the biggest risk," Billock said. "It only takes one person who has the most access for a breach to occur."