Information Technology departments often demand one of the largest annual budgets in the company, but where does the money go? We all know that IT budgets are spent on everything from resourcing and training to upgrading to the latest technologies, but as Shareholders, Directors and Chief Information Officers (CIOs), are we aware how much of that spending is devoted to securing e-business and critical information?
According to recent research, information security now commands 5% of the annual IT budget. That it has never been a higher priority at board level is due to the rapidly changing business environment we work within. The widespread adoption of e-mail, the Internet and surrounding technologies has opened access to a worldwide market of potential customers; international boundaries matter less, and the sharing of information and data has expedited many business processes.
Despite its benefits, this e-revolution has brought with it its own dark side. Hackers, malicious attacks from disgruntled employees, website defacement, spamming, denial of service attacks, Trojan Horses, viruses, bugs, worms are amongst a plethora of known security dangers that plague every business network on a 24×7 basis.
With the Department of Trade and Industry (DTI) reporting that the average cost of a security breach has increased by 50% in two years, from the 2002 figure to £70,000 per organisation in 2004, and with the government insisting that security be treated as a top priority through legislation such as the Data Protection Act (1998), the Human Rights Act (1998), the Regulation of Investigatory Powers Act (2000) and, more recently, the Turnbull Report, it’s little wonder that it has grabbed the Board’s attention.
With a clear knowledge gap among many IT professionals, and security specialists demanding salaries in excess of £50,000, many organisations have, since the recent downturn in the economy, looked to outsource all or part of their IT security. The main benefits are improved value across the board and, importantly, increased profits. With lower investment in staff and contracts agreed up front, this becomes entirely feasible.
To date, the most popular areas that have been deployed to supplement in-house capabilities have been in the provision of security assessments, security policy and managed and monitored services.
Security Assessment is the process of actively evaluating an organisation’s information security measures. The service is invaluable in that it helps to ascertain an organisation’s system design weaknesses, technical flaws and vulnerabilities. It is imperative for assessing and quantifying risk and as a result plays a useful part in determining an organisation’s security strategy. The service can also be used as a way to test the capabilities and thoroughness of those internal staff responsible for certain aspects of security.
There are a number of ways an assessment can be undertaken, but the most common procedures involve penetration testing i.e. active analysis and testing of an organisation from either the perimeter or from the inside of an organisation, or both. Within these domains, network, wireless, telephony and remote access testing can occur, as can the specific testing of bespoke applications.
Whether a company wants to outsource all or part of its security assessment, the financial benefits of doing so are immediate. As security assessments and penetration tests are conducted periodically, organisations can choose whether to carry the staff overheads all year round, make staff cuts, or simply allocate the resource elsewhere in the department. Organisations that make staff cuts don’t have to maintain specialist, emerging assessment and testing skills; instead, those skills are simply bought in. Provided a security assessment supplier is chosen astutely, a company can receive a better return on its IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses in its systems and applications more quickly. For example, in software development, if security assessment is included earlier in the software development lifecycle, an organisation can achieve faster delivery times and produce software that is less prone to vulnerabilities. IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the design phase. And, irrespective of whether a company is development driven, further savings can be realised, since damage to reputation from either compromise or negative publicity is reduced.
Security policy involves formulating a well-rounded set of policies and procedures to enable an organisation to gain protection of its vital resources and support of its business needs at all levels of its organisation. Through documentation, education and review, an organisation can determine whether the rules governing its procedures, standards and guidelines on its information assets are adequate and being met.
In the case of security policy management, organisations are being encouraged to build security policy and processes into their business models. With guidelines such as BS7799/ISO17799 in place, the external consultant is increasingly relied upon as an independent source of assurance of an organisation’s compliance. The benefits of outsourcing in this area of the business include better allocation of resource and greater assurance that risk thresholds are being identified, that existing policies are in line with changes to systems, methods of business and IT strategies, and that operational documentation for compliance against the appropriate standards (BS7799/ISO17799, DPA, ISO 2001, HIPAA, FSA etc.) is in place. This in turn ensures greater confidence in terms of business and investment, and can help lower high insurance premiums.
Managed and monitored services (MSS) are available for those organisations requiring high-level security availability. Normally implemented for firewalls, content filtering or intrusion detection systems, they address the fact that even an organisation that has deployed every technical solution to its information security risks may still be exposed. In order to get the most from these products, the alerts and reports they generate need to be interpreted correctly, and the intrusion attempts identified in real time from within the mass of statistics. Outsourcing managed and monitored services significantly reduces the common risks associated with mis-configuration and incorrect interpretation and, consequently, with compromise. With contracts agreed annually, managed and monitored services can trim down the costs associated with staffing, on-going training and tools; and that’s before considering the initial capital outlay, maintenance costs, upgrades, insurance etc.
To conclude, whilst the quantifiable benefits of outsourcing are often difficult to measure for return on security investment (ROSI) purposes, organisations can still gauge the benefits of outsourcing. As an immediate win there lies the opportunity to lower overheads; with lower staff investment, organisations are able to reduce costs related to staffing issues such as salary, training, management, recruitment, administration, holiday, sickness and temporary cover. With staff sourced expediently through outsourcing, on an ‘as and when’ required project basis, the funds saved can then be either redeployed in other areas of the IT Department to improve efficiency or simply enjoyed as increased profits.
Outsourcing converts fixed costs into variable costs; it releases capital for investment elsewhere in the organisation and facilitates a way to avoid large expenditures. With capital costs controlled, outsourcing can therefore make an organisation more attractive to investors, since more capital can be directly pumped into revenue-producing activities.
Further gains can be made by buying in improved, supplementary security skills, as organisations can lower their risk exposure and obtain both added peace of mind and enhanced security. With fewer issues associated with compromise and less likelihood of negative publicity, customer, shareholder and investor confidence will grow instantaneously and an organisation will be able to acquire a truly competitive advantage.