By Graeme Nash, Director of Strategic Sales Solutions, Fortinet
Graeme Nash
Mounting operational costs, squeezed budgets, more potent and varied Internet threats, and the need for greater visibility and control are all symptoms of an Information Technology (IT) security management system urgently needing an austerity program, in other words: IT Security Rationalization.
In Europe, many nations today are under severe financial pressure to reduce public spending, redress fiscal deficits, and ultimately relieve sovereign debt—all of which boil down to the term “austerity”. Likewise, the IT ecosystem is suffering under opposite pressures. What are these pressure points and how do they impact IT Security Management (ITSM) and business objectives? Answers to these will help determine whether or not an austerity program in IT is overdue.
It is commonly accepted that ITSM operational costs grow “naturally”, as control and protection mechanisms get layered on top of each other. The reality is that security equipment and related processes often remain in operation far longer than their sell-by-date, and new “urgent” IT requirements tend to get built on top of legacy infrastructure, thus adding on additional operating expense.
As enterprises feel the strain on their balance sheets, many departmental budgets come under scrutiny. Security is particularly vulnerable as it is still commonly perceived as a sunk expense rather than a business enabler.
However, security reports show a growing capability gap between the sophistication of data theft and defensive mechanisms and resilience strategies in place in the enterprise. In addition, with social media and BYOD (Bring Your Own Device) entering the workplace, corporate data are now accessed via a plethora of personal and often vulnerable platforms that IT is often not prepared or equipped to securely manage.
Moore’s law of CPU processing power evolution equally applies to storage, content delivery volume and network bandwidth. And with the transition to fiber and IPv6 addressing in corporate networks, IT must quickly adopt its security with high-performance solutions. Accurately mapping from business growth plans into IT and IT security is a difficult exercise, but it is a key metric of a well-managed IT system.
Soaring costs, increasingly complex infrastructure, and hard-to-find skills may make the cloud seem like the get-out-of-jail option. However, cloud computing certainly isn’t a cure-all, as it comes with its own challenges, particularly in terms of security provision. Moreover, as budgets tighten and skilled engineers become scarce, it becomes even more critical to be ruthlessly efficient with the resources at hand. IT security decision makers must focus on measurable projects where they can prove maximum benefit on security provision for their enterprise.
National austerity programs can be based on three pillars, which might well apply to ITSM. First, countries often resort to raising taxes to help redress budget deficits. Most organizations, on the other hand, simply don’t have that luxury. It is still rare to see IT security being run as an internal cost center charging out to operational units for its services.
Second, public spending cuts are typically the other instrument of austerity. The trick here is to cut budgets where there is excess rather than going after critical services. But how does one cut IT security expenditure without impacting the enterprise’s safety?
Hence, and third, the most effective, but ultimately most difficult and longest way to offset spending cuts, is to introduce efficiency gains. Those may demand parallel structural reform to squeeze more economic output from capital, equipment, and labor. While this option is rife with unpleasant downsides for any government due to its long-term effect, it is the best one to pursue in ITSM.
Graeme Nash, director of Strategic Solutions at Fortinet, says IT security professionals have the opportunity to achieve real efficiency gains and even structural reforms if the broader business strategy of their organization warrants it. “Risk management has been part of business operations for some time,” he says. “IT-related risks are generally treated as being operational in nature, driving business continuity and backup plans. However, the increasing impact of threats on enterprise business requires risk assessment of external threats to be incorporated into the enterprise risk management process. IT security risk management should thus include the definition of the main vulnerabilities of the organization against those threats and their prevalence and impact.”
Nash adds that the primary purpose of asset reassessment is to lessen the impact of constrained budgets toward operational costs. Disparate solutions deployed over time across the organization, such as such as those addressing firewall, antivirus, VPN and, more recently, DDoS or IPv6 support, often impose a disproportionate cost in operations and maintenance against the value they provide.
“An IT security asset reassessment should look to inventory these security assets and determine their specific function and value, determine current and three-year projected security provision needs—and if the current assets will support these needs, evaluate the original solution cost, the projected annual costs of maintenance and operations, and compare these costs against newer generation products delivering the same function, as well as determine annualized transition costs,” he says.
Because forecasting growth requirements is hard to achieve, IT organizations often compensate by over sizing their requirements, which, of course, comes at a cost. It is more cost-effective to simply deploy a scalable platform, which can be upgraded without any major change in technology or skills requirements, from the start.
Moreover, cloud computing may be seen as a central tenet of austerity, but the main issue preventing a widespread cloud takeover is security, and with good reason. “Consequently, there is a balance that needs to be struck between the economic and operational advantages of the cloud and its lack of security and audit capability,” Nash says. “Within an IT austerity program, the in-house versus cloud equation needs to be rebalanced. In-house IT management for all but routine functions might prove to be a more secure and flexible option.”
Evaluation of a vendor should look at vision, technology and process—with a view to austerity. Technology-wise, consolidating security functions into one platform helps improve performance and manageability. Where those security functions cannot be deployed on a single appliance, having a consistent user interface and workflow paradigm helps drive costs down. “Add enterprise-wide centralized management and reporting, and further operational savings can be gleaned,” Nash says.
In the end, even though the pressure on ITSM has yet to peak, the key symptoms and “eco-system indicators” of IT security are undoubtedly driving the need for implementing an IT security rationalization program today, in order to avoid the pain of austerity, according to Nash.
