The financial belt-tightening of a recession may prove to be a great opportunity to improve on your organization's security.
As we approach the end of the first quarter of 2009, it is becoming increasingly evident that an immediate bounce-back from the economic crash of 2008 isn't likely. Not only do we have to deal with the fallout of disastrous financial decisions made by both governmental and corporate policy makers leading up to 2008, but we're also seeing a continuation of that kind of decision making from Congress. A "stimulus" bill that adds ten years of unprecedented levels of national debt is joined by new laws nominally targeted at "protecting" children whose particulars seem designed without any care toward actually protecting anyone, but are already doing a great job of consigning whole industries to failure. Surveys seem to indicate that IT security budgets will not be cut in the face of recession, though. The ability of accurately predicting future behavior based on survey results is often terrible, of course, but this is certainly a lot more encouraging than if surveys had indicated everyone was slashing security budgets. Only time will tell how things will actually play out, of course.
In some respects, however, tightening our financial belts may provide us with unexpected opportunities to improve security. Security will never really be unimportant, and any business that is likely to survive will not view it as unimportant. A worst-case scenario for such a business — cutting IT security-related budgets significantly — will require you to do more with less. It is highly unlikely that anyone will cut budgets and, as a result, simply expect you to do less. While the "do more with less" mandate may seem unfair, it should be remembered that this will likely change the attitudes of your superiors toward policy changes and purchases.
Surveys of corporate IT workers, executives, and managers tend to average around 50% of respondents saying they already use or plan to use open source software in their organizations in the future, with numbers getting higher as more technically oriented people are included in the surveys. There are large numbers of high-level executives in large organizations who absolutely refuse to consider open source software (i.e., "Linux", since that's all the open source software most of them know about), however. Surveys that focus on boards of directors, CEOs, and their immediate subordinates often show 55% or more who state that they categorically will not consider adoption of open source software.If you're an IT worker who has wanted to implement some open source systems that could improve security on your organization's network, such as "invisible" logging servers, secure integrity auditing servers, and proxy servers for mobile workers, this may be a familiar source of frustration for you. The financial paranoia engendered by a recession might just be able to help out, however, as long as you know how to make use of the opportunity.
They used to say that nobody ever got fired for buying IBM. These days, that same statement can be made, to some extent, about purchases from Microsoft and Cisco. If the key purchase you need to make these days to round out a comprehensive plan for network security comes from Microsoft or Cisco, you should be able to get approval in a matter of minutes, as long as your purchases stay under budgetary limits. In many cases, the same cannot be said of open source software. Linux in particular, and open source software by association, has an unearned bad reputation among many executives — a reputation for being a "hacker's OS", where such people don't understand that "hacker" has meanings aside from the one used by the nontechnical media; a reputation for being poorly supported because it isn't a corporate product line (ignoring for the moment that it is effectively several corporate product lines); a reputation for violating copyright and patent laws, thanks to the spurious lawsuits of organizations like SCO, which has basically beaten itself to death by trying to sue other organizations for copyright infringement without having any credible evidence to back up the claim.Open source software in general, and Linux in particular, also has an undeserved reputation for poor security in some circles. Part of the reason for this is the fact that many people simply don't understand how software security, and open source development, works. They hear "open source", and think "Hell, if anyone can get the source, then anyone can modify it. How do we know we aren't getting software modified by some malicious 'hacker' who wants to steal our sensitive data?" Another part of the reason is that many people with limited technical skills — and a dismaying number of supposed technology "experts" — simply don't understand that there's more to security than counting vulnerabilities. As Linux looms larger in the minds of IT professionals, its security circumstances will get a lot more attention, especially from organizations with a vested business interest in keeping open source software from gaining ground too quickly, such as those whose business models depend on keeping people in the dark regarding the truth about viruses. Over the course of the last year or two, executives who haven't previously noticed any Linux news, but who have become so inured to the regular reports of security problems with MS Windows that they don't even notice them any longer, have been struck by a growth in the frequency of Linux vulnerability reports appearing in news media. Lacking the understanding that what amounts to anecdotal evidence of Linux vulnerabilities doesn't mean Linux-based systems are all security challenged, they may develop the impression that Linux isn't up to the task of operating securely in the "real world". Because of this, and because to such people "Linux" and "open source software" are essentially synonymous, it can become very difficult to get approval for a security policy that involves deploying systems running open source software on the corporate network. Downward pressure on budgets in the face of the recession may help to change that, however. As more security is required with the expenditure of less money, open source software — deployable with significant savings over equivalent proprietary software offerings — will start to look more attractive. If your security can be improved by including an open source OS in your layered security strategy, now may be the time to start considering how to pitch a new proposal.
Emphasis on cost savings, and on the fact that security functionality will not be lost by selecting an open source solution over a proprietary, closed source solution from a major corporate vendor, will serve you well in such a case. Where your superiors have a knee-jerk negative reaction to the word "Linux", you may consider using a BSD Unix system instead, such as FreeBSD or OpenBSD; they are operating system names many such decision makers have never heard, and with which they won't have developed any negative associations. Calling them BSD Unix systems may scratch the risk aversion itch of many corporate executives, too.
Obviously, I can't reasonably tell everyone that they should leap at the chance to deploy open source OSes across their networks now. Each situation, each network, is different, and has different security and operational needs. In cases where executive reluctance has stood in the way of improving security policy by deploying open source tools, however, the fact that open source software doesn't impose any licensing or distribution monopoly costs can be the silver lining on a recession's dark cloud.