The Solution: Know when to delegate. Many day-to-day tasks can be outsourced to an MSSP (managed security service provider), provided you do your homework and ensure the MSSP can offer 24x7 management and monitoring. Installing and configuring firewalls and deploying VPNs, for example, are prime candidates for outsourcing. As long as you have a view into the provider's configuration to ensure changes are made properly, you can safely shed some of your workload.

By outsourcing you'll not only free up time to focus on more important security issues, you'll gain additional benefits. Unless you're Superman, you can't do it all, nor can you be an expert in everything. Reputable outsourcing firms that focus on security can bring to bear some of the best talent and technology in the industry. Furthermore, multinational MSSPs, such as Symantec Real Time Managed Security Services (formerly Riptech) and Internet Security Systems, can detect new attacks early because of their broad view of traffic.

Although technology advances are valuable, without a road map you'll be deploying security products higgledy-piggledy. Security documents, like standards and acceptable-use policies, serve several functions critical to the management of your business. We know many of you have developed security policies and we know many of those security policies are gathering dust. And while there has been an increase in spending, the percentage of security dollars in most IT budgets remains relatively small, largely because security is seen as a cost. To argue for an increase in your budget, you must make it known that security functions support the business plan. That means keeping your security policy current and showing how it will support all other facets of your company's strategy.

Take a Risk

A key driver for increased security spending is risk management, which tries to mitigate overall risk, defined as "the probability that an organization will lose assets during a successful attack." Risk management entails a few tasks: First, determine the criticality of your assets. If a system is unavailable or if data is stolen, what will be the overall impact to the organization? Next, perform a risk assessment, examining your systems and operation policies to determine the likelihood of a successful attack. Then, define policies, implement procedures and deploy products to mitigate the risks you've discovered. By showing how you can protect business assets from loss, and what the potential loss could be, you will have a justification for increasing security spending.

Furthermore, your security policy may be used by external auditors to ensure that your business processes are run in a secure manner. Just like a financial audit examines profit, loss and the accounting methods used to calculate profit and loss, a security policy tells auditors what processes are in place and how your organization protects information assets. Regulations such as GLBA and HIPAA have privacy and protection requirements.