Reducing the cost of information security

Regardless of the type of business you’re in, the next couple of years are going to be tight. The impending recession will have an impact on everything and the pressure will be on to cut costs.

Information security costs are difficult enough to justify when things are going well. Given the marketplace that we’re all about to enter, rest assured we’re going to have to become much smarter about the way we go about our business.

So, we need to be thinking about how to reduce information security costs while ensuring that we maintain sufficient controls against risk. There are some obvious things to be looking at. For starters, we’re going to have to get better at haggling with vendors. Make them work for every single penny. Look for cheaper alternatives – don’t pay for the expensive brand name. A prime example is in the world of two-factor authentication. Look closely at the price of those expensive hard tokens (and don’t forget support and management costs), then compare them with some of the new players in the market offering other form factors. Look at the full feature list and every available option. Don’t end up paying for functionality you’re never going to need.

More fundamentally than that, you could also consider the question of whether you need to buy it at all. Take a risk-based approach, do the assessment work, and look for alternative controls.

Do you really need gold-plated security? Remember, managing risk is all about taking it down to acceptable and manageable levels. Be pragmatic and able to justify every decision you make in relation to the business that you are in.

Look carefully at all the so-called essential devices you’ve been stuffing into the server room over the past few years. Ask yourself if the maintenance contracts really need to be renewed. In fact, do you need the device at all? Maybe the original purpose it was purchased for is no longer valid. Maybe there are some opportunities to consolidate services.

It’s time to make the most of what we’ve got. Most of all, this is the opportunity to demonstrate more than ever that information security is aligned with the business. The challenges are going to be the same as for every other department being forced to slash costs, cut overheads, and keep the business afloat.

1 comment
Being “aligned” with the business and reducing costs are tired terms and reflective of a reactive approach to managing information security. Instead, how about security being a business enabler and shifting (not necessarily reducing) security funding to activities that produce “high-value” information, that enables better operational decision making as well as IT funding decisions? Also, managing risk by “taking it down to acceptable and manageable levels” should be determined by the business decision-makers with input from the security / IT folks. Ignoring/assuming risk and transferring risk are also viable options for business decision makers and are very common.