The security industry is rapidly maturing. Previously, security spending was a fixed percentage of a company’s IT budget and regarded as an obligatory tax, a cost of doing business (also known as “covering your ass”). Nowadays, companies are working towards concrete security benchmarks, dictated by external regulations (compliance) or internal risk assessments. Here are some tips for keeping security top of the agenda at minimum cost to your company.
1. Agree an end-goal for the security efforts
Define the end-state of security that the organisation is striving for. CIOs are fearful of security being a bottomless spending pit, so use external compliance (such as PCI), internal control frameworks or a risk assessment to define the desired “end-state”.
2. Perform some benchmarking in your industry
Attend local peer networking meetings to compare notes with fellow CISOs. Use third-party studies on adoption rates of certain technologies. Nothing works better than the knowledge that 80 per cent of companies in your industry have installed or are considering a particular technology.
3. Make risk real with concrete examples
Risk is an abstract concept. Thinking “we have a five per cent chance of ending up on the front page of the Financial Times” (in a bad way) is not as powerful as reading an article about a competitor that suffered a security breach.
4. Measure progress and success
There is no widespread agreement on which security metrics to use, but some great work was done recently by the Center for Internet Security. They published the CIS Security Metrics Guide (v. 1.0.0) featuring some examples of recommended metrics. These include: mean-time to incident discovery, incident rate, mean-time to recovery, mean-time between security incidents. Take a look.
5. Transfer security spending to other budgets
If all else fails, transfer security spending to another budget. Security efforts like log management and security change management can be justified as productivity enhancement tools for the network operations or system administration group.
6. Take a platform approach
John Pescatore at Gartner said this at the recent Gartner IT Security Summit: “Take a platform approach. By 2010, only ten per cent of emerging security threats will require the deployment of a tactical, best-of-breed solution, compared with 80 per cent in 2005.”
Expanding and optimising an existing solution is often cheaper than deploying a brand new one. You can leverage much of your existing investment and training, and integration costs will be lower. This is good news in a difficult economy.