So far in this series we have discussed how to assess both the value of the information your company uses, and some potential losses should your data be stolen. The bad news is that security spending only mitigates some portion of the threats, but cannot eliminate them. While we would like our solutions to eradicate threats, it’s usually more complicated than that. Fortunately there is some good news, that being security spending commonly addresses other areas of need and has additional tangible benefits that should be factored into the overall evaluation. For example, the collection, analysis, and reporting capabilities built into most data security products – when used with a business processing perspective – supplement existing applications and systems in management, audit and analysis. Security investment can also be readily be leveraged to reduce compliance costs, improve systems management, efficiently analyze workflows, and gain a better understanding of how data is used and where it is located. In this post, we want make short mention of some of the positive & tangible aspects of security spending that you should consider. We will put this into the toolkit at the end of the series, but for now, we want to discuss cost savings and other benefits.
Reduced compliance/audit costs
Regulatory initiatives require that certain processes be monitored for policy conformance, as well as subsequent verification to ensure those policies and controls align appropriately with compliance guidelines. As most security products examine business processes for suspected misuse or security violations, there is considerable overlap with compliance controls. Certain provisions in the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPPA) either call for security, process controls, or transactional auditing. While data security tools and products focus on security and appropriate use of information, policies can be structured to address compliance as well.
Let’s look at a couple ways security technologies assist with compliance:
- Access controls assist with separation of duties between operational, administrative, and auditing roles.
- Email security products provide with pretexting protection as required by GLBA.
- Activity Monitoring solutions perform transactional analysis, and with additional polices can provide process controls for end-of-period-adjustments (SOX) as well as address ‘safeguard’ requirements in GLBA.
- Security platforms separate the roles of data collection, data analysis, and policy enforcement, and can direct alerts to appropriate audiences outside security.
- Collection of audit logs, combined with automated filtering and encryption, address common data retention obligations.
- DLP, DRM, and encryption products assist in compliance with HIPAA and appropriate use of student records (FERPA).
- Filtering, analysis, and reporting help reduce audit costs by providing auditors with necessary information to quickly verify the efficacy and integrity of controls; gathering this information is typically an expensive portion of an audit.
- Auditing technologies provide a view into transactional activity, and establish the efficacy and appropriateness of controls.
Reduced TCO
Data security products collect information and events that have relevance beyond security. By design they provide a generic tool for the collection, analysis, and reporting of events that serve regulatory, industry, and business processing controls; automating much of the analysis and integrating with other knowledge management and response systems. As a result they can enhance existing IT systems in addition to their primary security functions. The total cost of ownership is reduced for both security and general IT systems, as the two reinforce each other – possibly without requiring additional staff. Let’s examine a few cases:
- Automating inspection of systems and controls on financial data reduces manual inspection by Internal Audit staff.
- Systems Management benefits from automating tedious inspection of information services, verifying that services are configured according to best practices; this can reduce breaches and system downtime, and ease the maintenance burden.
- Security controls can ensure business processes are followed and detect failure of operations, generating alerts in existing trouble ticketing systems.
Risk reduction
Your evaluation process focuses on determining if you can justify spending some amount of money on a certain product or to address a specific threat. That laser focus is great, but data security is an enterprise issue, so don’t lose sight of the big picture. Data security products overlap with general risk reduction, similar to the way these products reduce TCO and augment other compliance efforts. When compiling your list of tradeoffs, consider other areas of risk & reward as well.
- Assessment and penetration technologies discover vulnerabilities and reduce exposure; keeping data and applications safe helps protect networks and hosts.
- IT systems interconnect and share data. Stopping threats in one area of business processing can improve reliability and security in connected areas.
- Discovery helps analysts process and understand risk exposure by providing locating data, and recording how it is used throughout the enterprise, and ensuring compliance with usage policies.
Also keep in mind that we are providing a model to help you justify security expenditures, but that does not mean our goal is to promote security spending. Our approach is pragmatic, and if you can achieve the same result without additional security products to support your applications, we are all for that. In much the same way that security can reduce TCO, some products and platforms have security built in, thus avoiding the need for additional security expenditures. We recognize that data security choices typically are the last to be made, after deployment of the applications for business processing, and after infrastructure choices to support the business applications. But if your lucky enough to have built in tools, use them.
Comments