Last week Andrew Plato offered advice on how managed services and outsourcing could help customers maintain their security during tough times. Below, Plato reviews other ways for security solution providers to help customers lower information security costs without reducing effectiveness.
Mind the gaps
Budget cuts often lead to a great deal of in-fighting in organizations. Dwindling resources will lead to turf battles over projects and technologies. For example, a large storage project, a new application and security improvements may all be fighting for the same pool of money. Managers may argue over which project is more important and deserves funding, but maintaining security vigilance is still critical, even in tough times.
This is another area of opportunity for service providers. Management may not understand the complexities of the projects. They may also not understand the risks that arise if security efforts are ignored. Moreover, if security does not have the visibility with upper management that an application or infrastructure team does, then security projects may wind up on the cutting room floor.
This is where the advice of an independent, third-party analyst can empower the security team to make a stronger case for their projects. Management may listen to an outside consultant more than they would an insider.
A gap analysis of the organization's security posture that identifies security weaknesses as well as ways to correct those weaknesses can be extremely valuable to budget-battling managers. Such a report that defines and prioritizes security efforts can save projects and give security staff valuable ammunition to win those battles.
To some managers, it will seem counterintuitive to hire a consultant during budget cuts. However, if the service is priced right, if it clearly identifies the risks and rewards, and informs management, the value to a security team can be immeasurable.
Condense security operations
One of the latest trends in security is to condense multiple security functions into one common platform. Typically a multifunction device is less expensive and easier for smaller companies to manage. The most prevalent example of this is unified threat management (UTM) appliances, though endpoint security products are also starting to condense features such as antivirus, encryption and data loss prevention into single agents.
Unified platforms can offer numerous benefits over various point products, the most significant being a much lower purchase price. Consider the following pricing example between a number of popular point network security products and a well-known UTM appliance:
|Point Solution||UTM Solution|
|Data Loss Prevention||$65,995.00|
It does not take much to see that UTM-type products can offer significant purchase price savings over point products, not to mention management efficiencies.
However, UTM devices have drawbacks. They can be a single point of failure for multiple services, although deploying high-availability clusters can resolve this drawback. Furthermore, UTMs tend to be less refined than their point-product competitors. For example, the IPS in a UTM appliance may not be as robust or flexible as a dedicated IPS appliance. However, from a practical perspective, many organizations do not need a top-of-the-line solution. If a company is cutting the budget and cannot afford a top-of-the-line IPS, then a UTM is a reasonable compromise to get intrusion prevention in place.
Another overlooked aspect of IT that can suffer under budget cuts is vendor management. When times are good, prices may not be as important as convenience. With tightening budgets, IT managers are going to be under pressure to lower costs. As such, it is easy for companies to succumb to "price shopping" and go looking for the least-expensive product, regardless of what it is. This can result in hastily chosen, inexpensive technology implementations leading to expensive, drawn-out problems later. In many cases, companies with resource constraints need help avoiding this all-too-common pitfall.
Strong product and consulting partners are vital to the success of any IT department, but unfortunately budget cuts are a fact of business. Good solution providers must respect this and work with their customers to develop ways to meet budgetary restrictions.
This is where a valuable service provider can step in to provide hard data balanced against the customer's fiscal realities. In many cases, some simple cost comparisons can illustrate circumstances in which a less expensive product will indeed provide most of the benefits of a more expensive one, and solution providers, with their experience with many different types of security products, are well positioned to provide this service. Building trust with customers this way is important because only with the understanding that comes from this trust can a solution provider offer products and services that really are in sync with the customers' businesses.
The key is to be mindful and respectful of budget realities. If a customer cannot afford a new solution, then hounding them over and over again to "see the light" is likely going to infuriate them. It would be better to understand their priorities, and try to help where it is reasonable. A well-placed show of sympathy can go a long way toward strengthening a relationship.
Hard times never last forever, and tough financial situations always improve with time. Organizations that understand the risks that resource reductions can bring are likely to weather hard times better than others. As a service provider, it's important to respond to market conditions and help customers with the products and services they need to maintain security vigilance and remain competitive, while keeping an eye on the bottom line.
About the author:
Andrew Plato, CISSP, CISM and QSA, is president and principal consultant at Anitian Enterprise Security. Andrew has over 20 years of experience in information systems, networking and computer security. Prior to running Anitian, he was a database developer and technical writer for Microsoft. From 1997 to 2000 he helped develop the BlackICE intrusion prevention system for NetworkICE Corp., which was later acquired by Internet Security Systems.