In 2007 I wrote an article which appeared in Credit Union Magazine, as well as the Credit Unions Security Association (CUNA) Council forums. Titled “Risk is Measurable,” the article describes using a quantitative approach leveraging Simple, Measurable, Attainable, Repeatable, & Timely (SMART) Key-Performance Indicators (KPIs).
A couple of years have gone by, and it is still only the more progressive security executives and custodians who are leveraging KPIs to trend and mature their information security posture. Information is power. I recently read “IT Risk,” and would highly recommend it. The book takes an executive-level approach to discussing, dissecting, and simplifying information security. With all the technical jargon we have within the security industry, that is quite a feat! I would highly recommend this book to any executive looking to get their arms around information security, or to upcoming security practitioners seeking an executive chair at some point in their career.
All of your vendors and suppliers are talking about reducing Total Cost of Ownership (TCO) and increasing Return On Investment (ROI) in the current economic situation. Considering how budgets are being tightened and purchasing is under heightened scrutiny, you can’t blame them. While the dancing around the dollars continues, many are simply repackaging their message. The five steps below will help you, as a manager, leader, or executive in your organization, make prudent purchasing decisions.
1- Maximize Current Investments
When looking over an existing environment there are almost always ways to optimize, reduce cost, or minimize upcoming investments. Multi-interface firewalls, under-utilized consoles, and existing countermeasures that could be applied to open risks are often already present in the environment. I often find organizations not fully leveraging their firewalls and existing log consolidation opportunities. An architectural review of the as-is and to-be states is almost always a very valuable project when conducted by an unbiased third party.
Leasing is becoming another common option for many organizations. As organizations plan for 3-5 year refreshes of their IT assets, leasing is an appealing option: end users are provided leading technologies, and the organization gains better cash flow and a lower Total Cost of Ownership (TCO).
I know many are of the opinion that Six Sigma, Lean Six Sigma, Balanced Scorecards, Business Process Optimization (BPO), and the pile of other models, frameworks, and guidelines are a waste of time. I have to say, I was of this thought initially. After standing up a Security & Risk Management team I found them to be invaluable. By leveraging these practices and frameworks, best practices are documented, a clear “to-be” state is communicated, and experts have documented valuable insight the organization can use. In summary, they give guidance on how to harmonize remediation activities, and to “hack at the root” instead of “thrashing at the leaves.”
3- Use Platinum/Elite VARS For Maximum Discounts
Have an expensive piece of software that you intend to keep? Seek Value Added Resellers (VARs) who hold the highest-level partnership with the manufacturer. These VARs receive discounts small shops are unable to obtain, generally due to the sales commitments they have made to the manufacturer. A large VAR that sells products and services across many technology areas may be able to drive additional discounts by engaging in longer-term sourcing agreements.
4- Use Displacement SKUs
Looking at a technology that could replace, and potentially improve, existing infrastructure? You’ll find many vendors have Displacement SKUs they will use when competing. These SKUs are generally deeply discounted in order to gain market-share from the competition. Use these to your advantage during migration between vendors to gain additional price reductions.
5- Consolidate Technologies/Consoles
Today, many organizations have best-of-breed solutions throughout the organization. As vendors merge and technologies mature, many of these tools are being consolidated. There are significant benefits to consumers. Centralized consoles simplify the administrative burden and can optimize incident response times, training overhead, and maintenance fees. By reducing the number of systems in the environment, efficiency is gained: administrators have a smaller number of systems to manage, and training requirements are reduced. Often the consolidation also provides additional benefits. For example, an Intrusion Detection System (IDS) combined with a vulnerability management system allows the IDS to determine whether an active attack will be successful against the environment, which directly determines the type of response that is required. By looking at your current environment and comparing it to current technologies, the organization may be able to sustain or improve its security posture while reducing cost or improving efficiency.
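The IDS-plus-vulnerability-management correlation described above can be illustrated with a small triage routine. This is an added example, not code from the original article or from any product it mentions: it joins constructed IDS alerts (each tagged with the weakness its signature exploits, using made-up identifiers of the form `WK-nnnn`) against a constructed vulnerability inventory, and ranks each alert by whether the targeted host is actually exposed. Hosts that were never scanned are deliberately kept near the top of the queue rather than dismissed, since an absent scan result is not evidence of safety.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Alert:
    """One IDS alert: destination host, signature name, and the weakness
    identifier the signature is known to exploit (constructed ids)."""
    dst_host: str
    signature: str
    targets: str

@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner result for a host: 'open' or 'patched'."""
    host: str
    weakness: str
    status: str

# Constructed sample data (not real alerts, hosts, or vulnerability ids).
ALERTS: List[Alert] = [
    Alert("10.0.0.5", "WEB-EXPLOIT-A", "WK-1001"),
    Alert("10.0.0.7", "WEB-EXPLOIT-A", "WK-1001"),
    Alert("10.0.0.9", "SMB-EXPLOIT-B", "WK-2002"),   # 10.0.0.9 was never scanned
    Alert("10.0.0.5", "SMB-EXPLOIT-B", "WK-2002"),
]
INVENTORY: List[Finding] = [
    Finding("10.0.0.5", "WK-1001", "open"),
    Finding("10.0.0.5", "WK-2002", "patched"),
    Finding("10.0.0.7", "WK-1001", "patched"),
]

# Lower number = respond first.
PRIORITY = {
    "likely-successful": 0,   # host scanned, targeted weakness still open
    "unknown-asset": 1,       # host not in the scanner's inventory; cannot rule out
    "not-applicable": 2,      # host scanned, weakness absent (e.g. product not installed)
    "mitigated": 3,           # host scanned, weakness already patched
}

def build_exposure_index(inventory: List[Finding]) -> Dict[str, Dict[str, str]]:
    """host -> {weakness id -> status}, so each alert is a dictionary lookup."""
    index: Dict[str, Dict[str, str]] = {}
    for f in inventory:
        index.setdefault(f.host, {})[f.weakness] = f.status
    return index

def classify(alert: Alert, index: Dict[str, Dict[str, str]]) -> str:
    """Decide whether the attack the alert describes can succeed on its target."""
    host_state = index.get(alert.dst_host)
    if host_state is None:
        return "unknown-asset"
    status = host_state.get(alert.targets)
    if status == "open":
        return "likely-successful"
    if status == "patched":
        return "mitigated"
    return "not-applicable"

def triage_alerts(alerts: List[Alert], inventory: List[Finding]) -> List[Tuple[Alert, str]]:
    """Return (alert, verdict) pairs ordered by response priority.
    Python's sort is stable, so alerts with equal priority keep arrival order."""
    index = build_exposure_index(inventory)
    verdicts = [(a, classify(a, index)) for a in alerts]
    verdicts.sort(key=lambda pair: PRIORITY[pair[1]])
    return verdicts

def summarize(triaged: List[Tuple[Alert, str]]) -> Dict[str, int]:
    """Count alerts per verdict, for a quick dashboard-style summary."""
    counts: Dict[str, int] = {}
    for _, verdict in triaged:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for alert, verdict in triage_alerts(ALERTS, INVENTORY):
        print(f"{verdict:18} {alert.dst_host:10} {alert.signature} ({alert.targets})")
    print(summarize(triage_alerts(ALERTS, INVENTORY)))
```

The design choice worth noting is the ordering of the middle two verdicts: an unscanned host ranks above a scanned host where the weakness is simply absent, because the first is missing evidence while the second is positive evidence of non-exposure. In a real deployment the status would also carry the scan timestamp, and findings older than the organization's rescan window would be downgraded to "unknown-asset" rather than trusted.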
Make no mistake, there are many areas where cost-cutting is possible, and most likely prudent. Do not be misdirected towards additional purchases before you clean up what you have. While many budgets have diminished, optimization of the current infrastructure may yield additional dollars. I spend a significant amount of time with leadership focusing on such activities, at no cost. I look forward to continuing to gain trusted-advisor status with my customers by partnering with them, instead of pitching to them.