The High Cost of Securing IT

Security ROI is the white whale of the security industry. If only it were that easy, but unfortunately security is, as they say, a cost center (here). Securing funding for security initiatives is becoming as elusive as a break-out presidential candidate that can finally unite the country regardless of what agenda Fox News pushes on an unsuspecting middle America – fair and balanced is as fair and balanced does.

The problem (of funding security projects and not the failure of the American media) is only becoming exacerbated as we enter a new year with recession fears looming high. In October of 2007 Gartner published a paper titled “Clients Should Prepare a ‘Recession Budget’ for 2008”; in it they suggested that a recession would impact IT spending and that IT organizations should be prepared to respond if a recession forces budget constraints in 2008. Since that report we have seen the world markets shaken (here), described as one of the worst days for stocks since the terror attacks of September 2001, and the Fed responding by dropping rates to 3.5% (here)…

In a statement, the Fed said: “The committee took this action in view of a weakening of the economic outlook and increasing downside risks to growth. While strains in short-term funding markets have eased somewhat, broader financial market conditions have continued to deteriorate and credit has tightened further for some businesses and households.”

“Moreover,” the statement continued, “incoming information indicates a deepening of the housing contraction as well as some softening in labor markets.”

No question we are in for a rocky year which will require IT organizations, especially those focused on security, to turn to innovative funding arrangements if they hope to deploy new technologies or renew existing contracts.

What floats the CFO’s boat?

It is easy to think that well-intentioned IT security professionals or audit, security, and risk professionals will be able to drive budget dollars for security widgets through the use of fear, uncertainty, and doubt. Honestly, nothing makes people pay more attention than the fear of imprisonment or economic penalties, and we all know fear sells. Fear factor funding is quickly losing its value, though, as executives realize that many of the regulations have few teeth, that the impending “end of days” malware has yet to manifest itself, and that a recent security breach only resulted in a short-term blip on the PR radar as opposed to the billions of dollars of loss someone, somewhere said it would cost. There is also the problem of crying wolf. IT security can only scare dollars from the budget so many times, so fear must be used judiciously, if at all.

As I and many others have mentioned, IS must evolve and align itself with the business (here), which is easier said than done to be sure. This alignment requires an understanding of what drives business. Now here is the crazy part – almost all business is in the business of generating profit, increasing shareholder value and maximizing a return on investment; very few organizations, if any (aside from those three-letter agencies), are in the business of being secure or compliant. Unfortunately IT, and security in particular, is abysmal at having business conversations with business people about the importance of security to the business.

The first step is changing the way we communicate, and the budget constraints in 2008 may just be the catalyst many need. If FUD, compliance and a general desire to improve security are not providing the monetary resources required to implement the necessary controls, it is time to switch to speaking directly to the bottom line. Note that the CFO really cares about the bottom line.

In terms of IT and security the CFO cares about expenses, assets, and labor. To date security has cost too much and required too many FTEs and too much infrastructure to support. No doubt this trend is driving a stake into the heart of the stand-alone, point solution security business, but I will leave the “Death of Point Solutions” for another post. But since you cannot really make a claim of ROI for security, and generally you cannot really show cost savings, what can one do?

Well, first recognize that an army of slick ERP and other enterprise application sales guys have been assaulting the CFO with amazing stories of how their wares can save the organization millions and millions of dollars for decades, so tread carefully here and resist the urge to tell the company how much money will be saved by implementing a DLP solution because it would help avoid the cost of a breach, which apparently is crescendoing at around $180 per record (yeah right – total BS). It is not cost avoidance he is concerned with, because in theory he can avoid those costs by not doing anything, or perhaps simply smoking a cigar and spitting some rum on a dead, headless chicken as he recites the incantation of business prosperity – avoid FUD.

During a recession a CFO needs to improve the bottom line and he needs to do it this year, not next year, or 2 years from now (well he needs to do that as well, but he needs to realize savings today). Generally this can be done (in IT) by cutting costs. Cost cutting will come in the form of decreased spend/lower budget allocation, service/contractor/consultant cancellations, and of course a reduction in force. Do more with less will be the motto, improve productivity and operational efficiencies will be the rallying cries. Loss of budget, staff, and projects will be the result.

Below are the top 3 projects IT should focus on to improve security, increase operational efficiency and save the company some coin.

#1 Power Management

Green IT is HOT! The reality is that companies spend far too much on wasted energy, from server farms that do nothing late at night to desktops that are left on over the weekend or when the user is off “working”. IT can enable power management settings, but unfortunately users will just revert the settings. There are tools designed to enforce power management settings, enable wake on LAN for maintenance during off hours and provide the necessary reports to show savings to the bottom line. But there is more: many of the energy utilities are offering a one-time $15 per managed asset rebate with no cap. Yes, that means for every managed device (assuming it is managed by an approved vendor) the energy company will give you $15, so if you have 20k managed devices you will receive a check for $300,000. This is of course in addition to the annual savings and tax credits.

You are probably thinking: but wait, doesn’t this mean I need to deploy more stuff, more infrastructure and hire more people to manage the effort? It depends. Some of the systems management tools you have deployed may already be able to provide this capability, assuming of course they can enforce IT policies; remember that power management is simply an instantiation of IT policy. BigFix, for example (being the CTO you must have known I would have mentioned them), provides a power management solution that is recognized by many of the country’s energy utilities, is listed as an Energy Star partner and can enforce power management settings in addition to other systems and security management functions that are provided through the same single console, single agent infrastructure – no need for additional equipment, people or processes to take advantage of power management.

Power management also has implications for security. Most notably, a machine that is not on cannot become infected or be used as a point of compromise, and since the majority of folks who would notice such things are asleep during the wee hours, you limit the probability of a security incident by simply not allowing the device to run during off-hours – this is actually huge, and anyone that has had to respond at 3 in the morning to an “attack” can certainly appreciate the implications here.

Power management is a win-win. The company recognizes a substantial rebate, significant cost savings, tax credits, and marketing of the new green IT initiative, and security can sleep better at night knowing that a portion of their infrastructure is safe and sound in dreamland, allowing them to focus on high-value assets that require 24/7 uptime.

#2 Software Application Management

Software application management is the process of identifying installed applications and then monitoring their usage (or lack thereof) to determine compliance with software licenses, adherence to corporate usage policies, and to assist during a license true-up or renewal negotiation. Security folks tend to think that SAM is a compliance exercise, but during my years at Gartner it became apparent that the majority of organizations were under-utilizing licenses as opposed to being out of compliance. The reasons are many: the lack of process for license reallocation, especially in response to employee turnover; the lack of visibility into usage when many users request a license to something like Visio and then only use it once a year, if at all; not to mention the number of applications that are acquired through non-traditional mechanisms or as part of development kits and then counted towards the overall license count. In many cases organizations may be spending 10-20% of their application budget on dead, outdated, or unnecessary application licenses. In some cases this accounts for nearly half of the entire security budget alone.

So what does SAM have to do with security? Simple – control the use of applications and lessen the attack vectors. A SAM initiative will result in cost savings, especially during an audit. Gartner has predicted that 60% of organizations will undergo an audit from one of the major software vendors during 2008 (hey, Microsoft and Oracle have to eat as well, you know). With SAM in place, an organization will be able to definitively respond to a license true-up with accurate information on application usage and reallocate unused licenses or remove them altogether. Now, as part of the SAM initiative, security can slide into the process and define an acceptable set of applications that are allowed, as well as a set that are difficult to secure, offer limited value to the organization or are just downright insecure and should be removed altogether. The first step in SAM is this definition, the second step is the visibility into the use of these applications in the environment and the third step is removing needless, non-compliant, or insecure applications.

This is another win-win – the organization saves significant coin, the security department instills some control discipline and rids itself of the crap, and IT gains much needed visibility into what is happening on the end-points.

#3 Infrastructure Consolidation

What do all point solution vendors, and the majority of enterprise security products, have in common? Lack of scalability and lack of systems manageability, which equates to FTEs and heavy infrastructure costs to the CFO – remember he doesn’t like that.

Point solutions are great at doing what they do on a small set of devices, but once you deploy them into production then all hell, or in this case cost, breaks loose. If you are in management you will most likely have to look at your employees, and perhaps do a forced ranking; the discussion will be around cost savings and a potential reduction in force. But how will you manage all that bloatware with the 3 FTEs dedicated to administering the latest security widgets from big yellow or little red? Simple – don’t.

Demand more for less and turn to your preferred vendors for consolidation of functions, with systems manageability, scalability, and TCO as critical evaluation criteria. Do you really need 2-3 FTEs just to administer your AV environment, not to mention the time and resources spent administering the administration infrastructure? Hell no – that needs to be operationalized and administered by the same guy who provides desktop and operations support. Increased efficiency and improved systems manageability lead to improved security, so say no to bloatware and crappy systems manageability in 2008 and the CFO will love you, maybe even enough to allow you to buy that really shiny new espresso machine you have been asking for.

These are just some of the ways an organization can address the bottom line, improve security and increase operational efficiency while making friends with the CFO. And all of these benefits can be realized without mentioning the word compliance, talking about the cost of a security breach or detailing the latest Windows Vista exploit.


6 thoughts on “The High Cost of Securing IT”

  1. Hi!

    I always thought that the main security ROI for an organization is lesser IT department load: if malware is stopped cold, there is no need to spend IT guys’ time to recover a Windows installation back to the clean state. Am I wrong here?

  2. Hey Ilya,

    Sure, at a conceptual level, but the problem is that malware isn’t stopped cold and IT still has to deal with increasingly stealthy and sophisticated attacks – where were McAfee, Symantec, and Trend when spyware was running loose in 2005? – not to mention that there is a real focus on stealing data or services, which puts an even greater strain on IT security to secure the information itself.

    In reality the cost of managing security technologies in the enterprise is very high, takes too many FTEs, too much infrastructure and costs too much.

    Defense always has to respond to a continuously changing and dynamic offense.

  3. Hi Armit!

    Well, the problem is that those “big players” are out of date with their anti-malware technologies. That is why malware is not stopped cold with it: all is simple. There are new innovative technologies that can do that job, but, naturally, not from Symantec, McAfee and Trend Micro. Also, those technologies allow lowering the managing cost in an enterprise environment.

    Yes, those things you mentioned above in the post are quite important, but only in case you do have really armored defense within.

  4. Very informative post. Thanks for that. How would you like to discuss business related topics on the all new business forum. So many members could gain knowledge from your business experiences and advice.

    Please think it over.


    Col 🙂

  5. Pingback: Why Should IT Spend on Security? « Observations of a digitally enlightened mind

  6. Pingback: Top 5 Concepts Every IT Security Professional Must Understand in 2008 « Observations of a digitally enlightened mind
