Sunday, December 18, 2011

Can you afford NOT to invest in security in 2012?

The crisis is here and it looks like many IT departments will get a near-zero investment budget for 2012. I think it's high time that IT departments reconsider information security and invest time (if not money) into it. My point is that any security project should open new areas for business expansion and show a positive ROI, like any IT project, security or not.

Security means new openings for businesses
IT departments make money by selling services (hardware, networks, software, data) to customers, providing added value to users. Well-chosen security projects allow both the customer pool and the user pool to expand.
  1. Users: users are reluctant to use services that are not secured. One good example is the growth of commercial websites, which could not have happened without a *security* measure: SSL.
  2. By adding well-chosen security measures, you can increase the adoption rate and market share of your services. You can also grow the target audience by allowing access from new networks, new source devices, telecommuters, etc.
  3. Customers: certain customers not only want security, they demand a guarantee of it. That's something you get by two means. One is being sure of yourself and your services (are we up to what we are selling?) and the other is independent assessment and/or standardization.

Positive ROI for security projects
In a world where security is seen primarily as a source of constraints, the very mention of ROI in connection with security is often considered a joke. It's not. A security project, like any other IT project, requires an investment of time and money, so there's no reason why security should go without an ROI calculation, and a positive result from it.

In a hard year like 2012, I'd say that you must concentrate on security projects that have an immediate positive return. It's time to focus on projects that cost very little money to implement: the review of processes and of past security incidents, and the implementation of those measures we "long thought about but never had time for". It's also time to focus on under-used capabilities of the software and servers you already have, instead of re-inventing a costly wheel.
A good security project for 2012 should show immediate returns: fewer stolen laptops and smartphones, better telecommuting that lowers transportation and accommodation costs, better monitoring leading to less downtime, etc.

In summary, I think that in 2012 you should simply drop any project that doesn't show an immediate positive return, whether flagged as "security" or not. Call it technical fussiness and wait for better times.