Scattered reports indicate that some IT budgets will be trimmed as 2008 progresses. Here are some tips to keep your security from being cut back, with potentially disastrous consequences.
Many predict that 2008 will produce the tightest economic conditions since the dot-com bust at the beginning of the decade. The subprime meltdown and tightening credit markets mean most CIOs will feel the downward spiral of the economy right where it hurts—in their budgets.
Unfortunately, this also coincides with the most serious threat environment security professionals have yet faced. Hackers' tactics are becoming more targeted. Web applications are increasing in number and business importance, generating additional enterprise risk. Budgets may get tight, but the CIO's responsibility remains the same: focusing on how best to minimize risk.
Tighter budgets don't equal less attention for security. In fact, at times like these, that may be the biggest mistake. The highest levels of an organization are asking their CIOs, "How do we know we're secure?" The only way to know is by understanding the risks, the return on investment and how security not only fits into your other IT priorities but also adds to the company's bottom line. Defending the security budget is always a challenge, but here are four approaches that can help.
1. Metrics make the most compelling argument. Is your security risk going up or down over time and what is affecting it? This is baseline data that every organization needs and should monitor. If you cannot answer this clearly, realign your projects and priorities to make sure you can get this information on an ongoing basis. Every CIO should know at least three things: How vulnerable are my systems, how safely configured are my systems and are we prioritizing the security of the highest value assets to the business? Though security metrics are in the early days of development and adoption, the industry is maturing and solid measurements are available. These areas can be assessed and assigned an objective numeric score, allowing you to set your company's own risk tolerance and use that to make critical decisions about where to allocate funds. As you face increased budget scrutiny, the metrics allow you to identify—and defend as necessary—where your security priorities are, and how security and risk fit into overall ROI.
Read the rest of this article on eWEEK.com.