Maximum Security Returns
July 15, 2002 (Computerworld) -- Like a lot of other security professionals these days, Mike Hager, security chief at OppenheimerFunds Distributor Inc. in New York, is under excruciating pressure to provide top-notch protection of data, ensure privacy and manage user access—all on a drum-tight budget. He also needs to justify all project costs and results to top management.


Knowing this, Hager says he doesn't try to sell a security project unless he can first explain its value in terms the business side understands. The best method is to show a reduced cost of administering security, which IT managers say is the only way to demonstrate return on security spending.


"Show me the money" is something of a new commandment for security professionals long accustomed to concerning themselves more with passwords than with payback projections. But fortunately, there are proven steps that security managers can take to get their networks and systems ready for future security investments that could yield a positive return. There's also a spate of new products aimed at reducing security overhead costs. Using the two together, there's hope for beleaguered security professionals seeking to quantify the positive results of their work and show where and how it adds value to the business.


  1. Know your business. "You can get value from security programs if you map your technical measures to your business needs," says Steve Hunt, an analyst at Giga Information Group Inc. in Cambridge, Mass. But, he adds, "unfortunately, over 30% of all IT security spending is poorly focused and ineffective by best-practices criteria."


    Mail servers are a prime example, Hunt says. "If the mail server goes down, the response team goes to Defcon 5, the highest and most expensive security response," he explains. "But in many cases, the business manager says . . . 'Ho-hum, maybe now I can get some real work done.' "


    The lesson: Know what's critical to the business and adjust security accordingly. "If you've got systems that are really critical to a business process, [and] you know where your most proprietary secrets are, then you know where to prioritize [security] money and allocations," says Charles Neal, vice president of managed security services at Exodus, a Cable & Wireless Internet Services Inc. company in New York. "For other systems, it may not be a catastrophe if someone broke in, so you spend less."



  2. Form alliances. Locating risk-sensitive data and systems also means building alliances with business managers. Motorola Inc. in Schaumburg, Ill., does this by placing an IT security officer in each of the company's six business units to represent the business requirements to the IT team and vice versa.


    "The job of our business unit security officers is to adapt, refine and deal with the implications that support the critical priorities of the business, while following our corporate policies and standards for enterprise-level technologies," says Chief Information Security Officer Bill Boni.



  3. Set standards. By blending business requirements with best practices, the security team can establish rules-based security standards for operating systems and platforms. This way, IT organizations can better target security spending, including training dollars, for secure systems administration, says Boni.


    These operational standards should include specific instructions for where and what to patch, which services to disable or leave on, which operating systems to harden, which types of systems to allow on the network, and where to implement additional security capabilities, such as row-level encryption or public-key infrastructure.


    Standards-setting is especially important in mergers. "We're taking the best of policies and standards for each company and coming up with new policies, and then setting operational security standards as part of the autobuild procedures for each new system that gets deployed," says Pat Hymes, manager of corporate information security engineering at Wachovia Corp., a Charlotte, N.C.-based financial services firm that merged with First Union Corp. in September.



  4. Bake-in security. Standardizing security rules can reduce the cost of providing secure configurations to other IT departments, Hymes notes, because it requires IT groups to "bake-in security in products and processes at the onset, rather than repair after the fact."


    In May, the Hoover Project, a research arm of @Stake Inc., a Cambridge, Mass.-based security company, released the results of a quantitative study that rated the cost savings of pre-engineered security against post-deployment security repairs. Forty-five homegrown and commercial applications were tested. "If you build in security during the design phase of your applications, you can reduce your risk by 80% and achieve rework savings of 21%," says Andrew Jaquith, Hoover's program director.



  5. Assess, benchmark, and then count the savings. Knowing whether established standards are being met is where the process can become more technical. Consider Motorola's ambitious goal of aligning standard build features with audit compliance. Boni is automating this task with the help of a vulnerability scanning tool called FoundScan from Foundstone Inc. in Mission Viejo, Calif. Like many assessment tools, FoundScan reports on the state of security throughout the network and sends alerts when something falls out of specification.


    For benchmarking, the best type of assessment products or services would be those that adapt to the corporation's own security standards, send notification when corporate policy has been violated and provide audit reports that can be used to show security effectiveness. Corporate boards and regulators are beginning to require all three, according to Michael Ressler, director of security services at Predictive Systems Inc., a network security consulting company in New York.
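    The standards-and-assessment loop that steps 3 and 5 describe, as an added example that is not from the article or from any of the vendors it names: a hypothetical rules-based build standard (approved OS builds, required patches, services to disable, permitted listening ports) is compared against the state a scanner reports for each host, every deviation becomes one alert, and the per-host results roll up into the kind of compliance summary an audit report would show. All class names, patch identifiers, host names and values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BuildStandard:             # hypothetical corporate build standard (step 3)
    allowed_os: frozenset        # operating-system builds approved for the network
    required_patches: frozenset  # patches every host must carry
    banned_services: frozenset   # services the standard says to disable
    allowed_ports: frozenset     # listening ports the standard permits

@dataclass(frozen=True)
class HostState:                 # what a scanner reports for one host
    name: str
    os: str
    patches: frozenset
    services: frozenset
    ports: frozenset

def assess(host: HostState, std: BuildStandard) -> list:
    """Compare one host against the standard; each deviation is one alert."""
    findings = []
    if host.os not in std.allowed_os:
        findings.append(("high", f"unapproved OS build: {host.os}"))
    for patch in sorted(std.required_patches - host.patches):
        findings.append(("high", f"missing required patch: {patch}"))
    for svc in sorted(host.services & std.banned_services):
        findings.append(("medium", f"banned service running: {svc}"))
    for port in sorted(host.ports - std.allowed_ports):
        findings.append(("low", f"unexpected listening port: {port}"))
    return findings

def audit_report(hosts: list, std: BuildStandard) -> dict:
    """Roll per-host findings into the summary an audit report would show."""
    per_host = {h.name: assess(h, std) for h in hosts}
    compliant = sum(1 for f in per_host.values() if not f)
    rate = round(100 * compliant / len(hosts)) if hosts else 0
    return {"hosts": len(hosts), "compliant": compliant,
            "compliance_pct": rate, "findings": per_host}

# Constructed sample standard and inventory; every name and value is illustrative.
STANDARD = BuildStandard(
    allowed_os=frozenset({"win2000-sp3", "solaris8"}),
    required_patches=frozenset({"PATCH-0001", "PATCH-0002"}),
    banned_services=frozenset({"telnet", "finger"}),
    allowed_ports=frozenset({22, 80, 443}))
HOSTS = [
    HostState("web01", "solaris8", frozenset({"PATCH-0001", "PATCH-0002"}),
              frozenset({"httpd", "sshd"}), frozenset({22, 443})),
    HostState("file02", "winnt4", frozenset({"PATCH-0001"}),
              frozenset({"telnet", "smb"}), frozenset({23, 139, 445})),
]
```

Running `audit_report(HOSTS, STANDARD)` flags `file02` on every rule and reports one of two hosts compliant; the same comparison against a real standard is what lets a scanner notify on policy violations and produce the audit evidence the paragraph above asks for.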


    Since assessing the network manually with internal staff is financially prohibitive, the products are easily cost-justifiable. For example, John Shields, senior vice president of e-business at Patelco Credit Union in San Francisco, says IP360, a tool from nCircle Network Security Inc. in San Francisco, costs him $50,000 per year. That's $100,000 less than he would have spent on the manpower to do the same tasks. And Motorola is paying tens of thousands of dollars per year instead of millions for its perimeter assessments alone, says Boni.


    But technology doesn't fully gauge the effectiveness of policies as they pertain to people and processes. For this reason, Giga has launched an assessment service called the Security Action ReportCard, which is suitable only for large organizations. The Giga service goes beyond technical assessment programs to assess people and processes, compare them to industry best practices, and map security measures to business requirements to help achieve better cost-effectiveness.



  6. Don't go it alone. There are many other vendor services coming to market to help IT managers reduce administrative overhead for current security processes. For example, managed security services provided by outsourcers are saving some midsize companies up to 80% of what it would cost to monitor security events in-house. New forms of middleware are also springing up to consolidate security report information from intrusion-detection, antivirus and firewall sensors to offer better response and correlation. And larger vendors, such as Cupertino, Calif.-based Symantec Corp., are cobbling together suites with central management interfaces.


    The bottom line: "The reality in business is budget," says Gartner Inc. analyst John Pescatore. And that goes for security as well.


    "Security has to help the company make more money by supporting business processes, instead of just preventing bad things that could happen," Pescatore says. "So good security officers usually have good security organizations, even if they're spending less than industry average."


Sensitivity Analysis
ROI increases when security is designed into systems, rather than added later.

FACTORS                                             COST SAVINGS IN CONSTANT DOLLARS
Fixing one additional moderate security defect      123%
Increased defect-fix efficiency (10% less effort)   47%
Accelerated development cycle (10% faster)          8%
Code quality (one additional security defect)       5%
Shorter patch release periods (10% shorter)         3%

Source: @Stake Inc., Cambridge, Mass.


Measuring ROI
Cost savings increase the earlier security is addressed in the development cycle.

PHASE            COST SAVINGS
Design           21%
Implementation   15%
Testing          12%

Source: @Stake Inc., Cambridge, Mass.
