Time IT’s Thin Red Line Turned Green
IT security is often ring-fenced in IT budgets. But maybe it’s time to tear down that fence and save cash and carbon, says Andrew Donoghue
Fear has always been a money-spinner. In the aftermath of September 11, this proved truer than ever. Spending on military and security systems was effectively given a perpetual green-light as the spectre of global terrorism boosted the bottom line of the security industry, from weapons makers to IT providers.
But the credit, and more recently sovereign debt, crisis has put the brakes on this security and defence arms race. Governments are now being forced to consider whether threats really justify the substantial costs, and carbon, required to build defences.
Crucially, the threat spectrum now also include risks associated with climate change and energy security. These dangers not only apply at government level, but are also exactly the challenges that companies are having to juggle with too. With the costs of keeping the lights on spiraling, how much should companies spend on threats that might never materialise?
Trident Versus Austerity
At the governmental level, the UK currently has to decide whether to spend £20 billion renewing the Trident nuclear deterrent during the most severe austerity drive in recent history. Defence secretary Liam Fox currently wants the MOD to find the funds for the new missile system from within its core budget, it appears, which could be a struggle given the military already has to slash its spending by £7 billion.
The decision to keep Trident but not fund it directly could be seen as more fence-sitting by a coalition government struggling to contain extreme elements on the left and right. But the tactic also (perhaps unintentionally) forces the military to rank spending in terms of perceived threat. Rather than providing a blank cheque for a weapon system which may never be used in anger, the government is asking the military to allocate resources according to need rather than want.
This might sound like an obvious approach, and the MOD would probably claim that this is what it does at the moment anyway, with the shortage of equipment for front-line troops in Afghanistan clearly showing current budget shortfalls. But the Trident issue takes this approach one step further and effectively forces all threats to be considered in terms of their financial costs and likelihood of materialising into actual incidents.
For the average corporation, terrorism is probably at the edge of the radar when it comes to issues such as business continuity. Hack attacks and data loss are much more pressing concerns from a security perspective, as is protecting physical infrastructure, retail outlets and office buildings from theft or criminal damage. But with budgets under continued scrutiny, how much of this protection is really justified?
Some analysts are optimistic about the potential of security spending to continue. Recent figures from Canalys claim the global enterprise security market will grow by 13.8 percent in 2010, as budgets return and companies update systems. But even if this is true, is spending on perceived threats really justified, not just from a financial perspective but an environmental one?
PC Performance Hit By AV
For example, poorly coded anti-virus software can an enormous drain on the performance of the average PC. Independent tests have shown that PC performance can drop by up to 20 percent and, in the words of one tester, “tether the performance of your computer alongside that of one three years its elder”. This might once have been accepted as the cost of being secure, but PC upgrade cycles are slower now, and companies want to eke out the life of older kit. Hobbling hardware with software in this way may no longer be the “no-brainer” it once was.
And security is not just an issue for existing systems. The security fear-machine is already shifting into gear for one of the biggest tech projects of this millennium. According to analyst Pike Research, security spending on smart meters is expected to total $575 million worldwide during the period from 2010 to 2015. This might sounds like a significant amount for a project which is meant to be about realising efficiencies but is nothing compared to the costs of securing the associated electricity networks or “smart grids” worldwide, which Pike puts at a whopping $21 billion over the next five years. To put that into context that is twice the estimated costs for the entire smart meter and grid project in the UK.
This begs the question, how much of the energy efficiencies from smart meters and grids will be eaten up protecting them against threats which may never materialise? I have to hold up my hands at this point and admit that I have been guilty of tapping into the security hype around smart grids. Posing worst-case scenarios for new tech projects is justified to some degree, but it’s also easy copy.
Security definitely has to be considered and any attempts to scrimp when it comes to security planning should be rightly questioned. But the sheer weight of vendor marketing behind the security industry means that the solution is often massively out of proportion to the potential threat. And this has implications, not only in terms of costs, but energy efficiency and climate change.
Much like the budget balancing act the MOD now faces with Trident, companies may be forced to consider whether spending on security will ever have a realistic return on investment. Spending on security fundamentals, firewalls, some AV protection, is justified but how many IT security projects are the tech equivalent of Trident – a deterrent against a threat that may never materialise?
Sustainability is ultimately about eliminating the unnecessary. With companies facing very real financial and environmental threats, the days of security spend passing unquesationed may be numbered.