How To Prepare an Austerity Program in IT Security Management


If you've got customers with exploding IT spending, increasing security breaches, and out of control costs, it's time to think about an austerity program.
As enterprises feel the strain on their balance sheets, reforms are increasingly needed. Here, Patrick Bedwell, vice president of products, Fortinet, discusses IT security rationalization.
—Jennifer D. Bosavage

Growing operational costs; squeezed budgets; more potent and varied Internet threats; the need for greater visibility and control: those are all symptoms of an IT security management system urgently in need of an austerity program, in other words, IT Security Rationalization.

Many of today’s nations are under severe financial pressure to reduce public spending, redress fiscal deficits and ultimately relieve sovereign debt. In doing so, they are forced to impose unwelcome structural reforms to businesses and individuals alike. The term "austerity" embodies that situation.

Similarly, the ecosystem of IT security is suffering under its own set of pressures. What are these pressure points? How do they impact IT Security Management (ITSM) and business objectives? Answering those questions will help determine whether or not an austerity program in IT is already overdue.

Key Symptoms and ‘Ecosystem Indicators’

1. Growing Operational Costs
It is commonly accepted that ITSM operational costs grow ‘naturally,’ as control and protection mechanisms get layered on top of each other. The reality is that security equipment and related processes often remain in operation far longer than their sell-by date, and new ‘urgent’ IT requirements tend to get built on top of legacy infrastructure, thus layering on additional opex.

2. Squeezed Budgets
As enterprises feel the strain on their balance sheets, many departmental budgets come under scrutiny. Security is particularly vulnerable as it is still commonly perceived as a sunk expense rather than a business enabler.

3. Expanded Threat Profile
Security reports show a growing capability gap between the sophistication of data theft and defensive mechanisms and resilience strategies in place in the enterprise. In addition, with social media and Bring Your Own Device (BYOD) entering the workplace, corporate data is now accessed via a plethora of personal and often vulnerable platforms that IT is often not prepared or equipped to securely manage.

4. Predicting Growth Requirements
Moore’s law of CPU processing power evolution equally applies to storage, content delivery volume and network bandwidth. And with the transition to fibre and IPv6 addressing in corporate networks, IT must quickly adapt its security with high-performance solutions. Accurately mapping business growth plans onto IT and IT security requirements is a difficult exercise, but it is a key metric of a well-managed IT system.

5. The Drive to Cloud
When costs grow too high, infrastructure too complex and skills too hard to find, the cloud may be seen as the get-out-of-jail option. However, cloud computing certainly isn’t a panacea for all IT evils and comes with its own challenges, particularly in terms of security provision.

6. Project Prioritization
As budgets tighten and skilled engineers become scarce, it becomes even more critical to be ruthlessly efficient with the resources at hand. IT security decision makers must focus on measurable projects where they can prove maximum benefit on security provision for their enterprise.

Austerity’s Three Pillars

The definition of a nation's austerity program can be based on three pillars. Let’s see how they apply to ITSM.

1. Raising Taxes
Countries often resort to raising taxes to help redress budget deficits. Most organizations simply don’t have that luxury: It is still rare to see IT security being run as an internal cost center charging out to operational units for its services.

2. Spending Cuts
Public spending cuts are typically the other instrument of austerity. The trick here is to cut budgets where there is excess rather than going after critical services. How do you cut IT security expenditure without impacting the safety of the enterprise? This brings us to the third pillar.

3. Efficiency Gains and Structural Reform
The most effective, but ultimately most difficult and longest way to offset spending cuts is to introduce efficiency gains. Those may demand parallel structural reform to squeeze more economic output from capital, equipment and labor. While this option is rife with unsavoury pitfalls for any government due to its long-term effect, it is the best one to pursue in ITSM.

The Manifesto for Painless ITSM Austerity: IT Security Rationalization

IT security professionals have the opportunity to achieve real efficiency gains and even structural reforms if the broader business strategy of their organization warrants it. Let’s review the components of an austerity program for IT security management, without the pain.

Enhancing IT Risk Management: Risk management has been part of business operations for some time. IT-related risks are generally treated as being operational in nature, driving business continuity and backup plans. However, the increasing impact of threats on enterprise business requires risk assessment of external threats to be incorporated into the enterprise risk management process. IT security risk management should thus include the definition of the main vulnerabilities of the organization against those threats and their prevalence and impact.

IT Security Asset Reassessment: The primary purpose of asset reassessment is to lessen the impact of constrained budgets on operational costs.

The collection of disparate solutions deployed over time across the organization - such as those addressing firewall, antivirus, VPN, and more recently DDoS or IPv6 support - often imposes a disproportionate cost in operations and maintenance against the value they provide. An IT security asset reassessment looks to:
• Inventory these security assets and determine their specific function and value
• Determine current and three-year projected security provision needs and if the current assets will support these needs
• Evaluate the original solution cost, the projected annual costs of maintenance and operations, and compare these costs against newer generation products delivering the same function
• Determine annualized transition costs
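The four reassessment steps above, worked through as a small keep-or-replace model. This is an added example, not code from the article or from Fortinet; the inventory, capacities, growth rates and costs are constructed sample values, and the "capacity shortfall forces replacement" rule is an assumption made here for illustration.

```python
"""Three-year security asset reassessment: keep or replace each asset."""
from dataclasses import dataclass

HORIZON_YEARS = 3  # planning horizon used in the article's second step


@dataclass
class SecurityAsset:
    name: str
    function: str             # e.g. "firewall", "antivirus", "VPN"
    capacity_gbps: float      # throughput the current asset sustains
    demand_gbps: float        # current demand on this function
    annual_growth: float      # expected demand growth per year (0.5 = 50 %)
    annual_opex: float        # current maintenance + operations per year
    replacement_capex: float  # purchase cost of a newer-generation product
    replacement_opex: float   # its projected annual opex
    transition_cost: float    # one-off migration and retraining cost


def projected_demand(asset: SecurityAsset, years: int = HORIZON_YEARS) -> float:
    """Compound today's demand over the planning horizon."""
    return asset.demand_gbps * (1 + asset.annual_growth) ** years


def assess(asset: SecurityAsset, years: int = HORIZON_YEARS) -> dict:
    """Compare keeping the asset with replacing it over the horizon."""
    demand = projected_demand(asset, years)
    supports_need = asset.capacity_gbps >= demand
    keep_cost = asset.annual_opex * years
    replace_cost = (asset.replacement_capex
                    + asset.replacement_opex * years
                    + asset.transition_cost)
    # Assumption: a capacity shortfall forces replacement regardless of
    # cost; otherwise the cheaper option over the horizon wins.
    decision = "replace" if (not supports_need or replace_cost < keep_cost) else "keep"
    return {"name": asset.name, "function": asset.function,
            "projected_demand_gbps": round(demand, 3),
            "supports_need": supports_need,
            "keep_cost": keep_cost, "replace_cost": replace_cost,
            "annualized_transition": asset.transition_cost / years,
            "decision": decision}


# Constructed sample inventory (not real products or prices).
INVENTORY = [
    SecurityAsset("FW-legacy", "firewall", 10, 4, 0.5, 40000, 60000, 20000, 15000),
    SecurityAsset("AV-gateway", "antivirus", 5, 2, 0.2, 15000, 30000, 5000, 10000),
    SecurityAsset("VPN-conc", "VPN", 2, 1, 0.1, 30000, 20000, 8000, 6000),
]


def run_reassessment(assets=INVENTORY) -> list:
    """Assess every asset; the result is the basis for the cost discussion."""
    return [assess(a) for a in assets]
```

The first asset is replaced because projected demand outgrows it, the second is kept because its three-year opex is below the replacement cost, and the third is replaced because the newer product is cheaper to run even after transition costs.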

Deploy Scalable Platforms: Because forecasting growth requirements is hard to achieve, IT organizations often compensate by over-sizing their requirements, which, of course, comes at a cost. It is more cost-effective to simply deploy a scalable platform from the start, one which can be upgraded without any major change in technology or skills requirements.

Rebalance the In-House vs. Cloud Equation: Cloud computing may be seen as a central tenet of austerity. However, the main issue preventing a widespread cloud takeover is security and with good reason. Consequently, a balance must be struck between the economic and operational advantages of the cloud and its lack of security and audit capability. Within an IT austerity program, the in-house vs. cloud equation needs to be rebalanced. In-house IT management for all but routine functions might prove to be a more secure and flexible option.

Technology Consolidation and Vendor Rationalization: Evaluation of a vendor should look at vision, technology and process, with an objective of austerity. Technology-wise, consolidating security functions onto one platform helps improve performance and manageability. Where those security functions cannot be deployed on a single appliance, having a consistent user interface and workflow paradigm helps drive costs down. Add enterprise-wide centralized management and reporting, and further operational savings can be gleaned.

In addition, security functions should cover all domains of IT, from fixed/wireless networks and assets to databases, Web applications and mail systems. Equally, they should enable the maximum number of core IT security management processes. Vendor rationalization aims at enabling the maximum number of domains and key ITSM processes from a minimum of technology vendors. To meet future requirements while keeping costs low, vendors and partners must also be able to properly implement and support an enterprise's global operations.

In conclusion, although the pressure on ITSM is yet to reach its apex, the key symptoms and ‘ecosystem indicators’ of IT security are undoubtedly driving the need to implement an IT security rationalization program today, in order to avoid the pain of austerity. This manifesto provides a way forward.