Security ROI Is Not a Myth
Some IT organizations spend so much time and money running in place that they have nothing left in the reserves to move forward. But how do you get funding in a bad economy to make anything better when it costs so much just to keep up? The people making the decisions need you to explain it to them in terms they're familiar with -- in other words, how much money they'll save.
Have you heard the one about the beaver and the lumberjack? I remember it from when I was a kid:
A beaver sees a lumberjack working in the forest. The beaver says to the lumberjack, "How can you cut down in one day what would take me months? At this rate you'll clear the forest before I can finish my dam."
The lumberjack says, "My axe is sharper than your teeth. Come with me to town. I'll buy you an axe so you can cut as fast as me -- then I can clear the forest guilt-free knowing you have enough wood for your dam."
The beaver says, "No way! I'm way too far behind schedule to go to town now! It'll have to wait until I have more time."
So the beaver and the lumberjack go back to work. The lumberjack cuts more and more trees. The beaver tries to go faster and faster as he sees fewer trees and the forest thinning out. Eventually, the lumberjack clears the forest. The beaver, having no more trees to finish his dam, is forced to move and build a new dam from scratch.
A hard story for the beaver -- but one with a pretty clear message: Working hard at being inefficient is not a path to success. Sometimes the difference between success and failure is having the courage to walk away from the "busy work" and take the steps to make that process better.
It's a lesson that we in IT -- and particularly in security -- all too often fail to heed.
Are You the Beaver?
When it comes to information security in the majority of organizations, many of us fall right into the beaver's trap. There are areas in our organizations where we spend tremendous amounts of time and money keeping up -- we spend so much time and energy running in place that we have nothing left in the reserves to move forward. We're boxed in by our own inefficiency.
Don't believe me? Consider how most organizations approach user provisioning. It's possible that yours is one of the few organizations using an automated system to provision users to applications and networked systems. But if so, you're in the minority.
In most organizations, provisioning is still being done via a combination of manual and automated processes that span multiple departments, and involve numerous personnel and more moving parts than you can shake a stick at. It's a tightly choreographed process that can require dozens of hours (or more) from staff all over the firm. And keep in mind that those users have to leave someday, too. So we spend the time and money to put the users in -- and we spend it again to take them back out. Heaven forbid they switch departments in the meantime.
The larger the organization, the more resources there are to grant access to. In large firms, or in sectors with a high number of applications or a large number of user roles (e.g., healthcare and financial services), you're talking about potentially hundreds or thousands of applications and systems. In cases like that, something as "simple" as "go add a user" can be one of the most expensive maintenance aspects of IT -- by a fairly wide margin.
But spending money to change it? How do you get funding in a bad economy to make anything better when it costs so much just to keep up?
It's All in How You Spin It
Most of us probably realize that we have inefficiencies. We may have tried to push for improvements to some of our problem areas already. Maybe we've had success in some areas and met with the managerial equivalent of "talk to the hand" in others.
The tightening economy isn't helping; if asking for money was tough before, doing it now that profit margins are down isn't going to make it easier. The answer, in my opinion, is ROI -- return on investment.
Budgetary decision-makers aren't dumb -- but sometimes they don't have all the facts at their disposal to know which path is the beaver's and which path is the lumberjack's. It would be a pretty poor executive who would prefer to waste money on a broken process while competitors with better processes channel resources back into building a better business and improving the bottom line. But who can blame them when they don't know that's exactly what they're doing?
It's up to us to make clear which path means cost savings and which path means waste. We need to be clear and unambiguous, we need to explain it to them in language they understand (the numbers), and we need to be right -- to build credibility and to establish trust in us to do it again.
The First Few Steps
To do that, the first step is determining what the pain points actually are. Earlier, I used the example of provisioning because it's almost universally less efficient than it could be. But is provisioning really your No. 1 problem? Maybe it's log management. Maybe vendor governance. It's going to vary from organization to organization.
The only way to find out is to do something that we as managers have trained ourselves not to do -- to go beyond the question of whether or not our staff accomplish a given task, and get to a broader understanding of how they do it. To cut waste, we need to know what they're doing now and what they might be able to do better. It's not micromanagement if we're just giving them another, non-judgmental set of eyes to help make things better.
So, step 1: Find out what parts of your organization are least efficient. Map out what your processes currently are and what your staff are currently responsible for. Look for documents like a business impact analysis (BIA) that you might have completed as part of your business continuity planning -- a BIA is a goldmine because it will usually have a pretty complete description of who's doing what, where and how -- and other processes they interface with.
Step 2: Combine the data about the process with data about how long the process takes. If you have a ticketing or work-tracking system, look to leverage that to find out how long people are spending on doing things. One caveat: a ticket's open-to-close timestamps measure elapsed time, not effort, so use logged hours where your system captures them, and be explicit about the assumption where it doesn't. Plotting those two sets of data against each other will clue you in to where the time sinks are. And once you have that, you have all the raw materials you need to approximate -- in quantifiable terms -- what your current processes cost in hard dollars.
If you can turn the conversation from "our current process is wasteful" to "we could save X million per year," you're much more likely to get the go-ahead to make change happen. The most important thing is to be specific, focused on the economics, and right about what you say. Being right the first few times establishes a history -- so the next few times you won't have to push so hard to unlock the purse strings.
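To make the two steps above concrete, here is a small worked calculation. It is an added example, not code from the column or from CTG or Security Curve: the work-log entries, the loaded hourly rates, the annual event volumes and the automation project figures are all constructed for illustration, and the joiner/mover/leaver breakdown of provisioning is an assumed way of tagging tickets. The point is the shape of the analysis: cost per occurrence of each event, scaled by how often it happens per year, ranked by process, and then turned into a payback period for a proposed fix.

```python
"""Estimate what a manual process costs per year from work-tracking data.

Added example, not the column's own code. All records, rates and volumes
below are constructed for illustration.
"""
from collections import defaultdict

# Constructed work-log entries: several per ticket, one per person who
# touched it. "hours" is effort logged by the assignee, not elapsed time.
WORK_LOG = [
    {"ticket": "T-101", "process": "provisioning", "event": "joiner", "role": "helpdesk", "hours": 1.5},
    {"ticket": "T-101", "process": "provisioning", "event": "joiner", "role": "app_admin", "hours": 2.0},
    {"ticket": "T-101", "process": "provisioning", "event": "joiner", "role": "manager", "hours": 0.5},
    {"ticket": "T-102", "process": "provisioning", "event": "joiner", "role": "helpdesk", "hours": 2.0},
    {"ticket": "T-102", "process": "provisioning", "event": "joiner", "role": "app_admin", "hours": 3.0},
    {"ticket": "T-102", "process": "provisioning", "event": "joiner", "role": "manager", "hours": 0.5},
    {"ticket": "T-103", "process": "provisioning", "event": "mover", "role": "helpdesk", "hours": 1.0},
    {"ticket": "T-103", "process": "provisioning", "event": "mover", "role": "app_admin", "hours": 2.5},
    {"ticket": "T-104", "process": "provisioning", "event": "leaver", "role": "helpdesk", "hours": 0.75},
    {"ticket": "T-104", "process": "provisioning", "event": "leaver", "role": "app_admin", "hours": 1.0},
    {"ticket": "T-105", "process": "log_review", "event": "daily", "role": "analyst", "hours": 2.0},
    {"ticket": "T-106", "process": "vendor_review", "event": "annual", "role": "manager", "hours": 6.0},
]

# Assumed fully loaded hourly cost per role (salary, benefits, overhead).
LOADED_RATE = {"helpdesk": 45.0, "app_admin": 80.0, "manager": 110.0, "analyst": 70.0}

# Assumed number of times each event kind happens per year.
ANNUAL_VOLUME = {"joiner": 400, "mover": 250, "leaver": 350, "daily": 250, "annual": 40}


def cost_per_event(work_log, rates):
    """Average dollar cost of one occurrence of each (process, event).

    Sums every person's logged hours times their loaded rate, then divides
    by the number of distinct tickets seen for that event so that sampling
    several tickets gives an average rather than a total.
    """
    dollars = defaultdict(float)
    tickets = defaultdict(set)
    for entry in work_log:
        key = (entry["process"], entry["event"])
        dollars[key] += entry["hours"] * rates[entry["role"]]
        tickets[key].add(entry["ticket"])
    return {key: dollars[key] / len(tickets[key]) for key in dollars}


def annual_cost_by_process(work_log, rates, volumes):
    """Scale each per-event cost by its annual volume; rank processes by cost."""
    per_event = cost_per_event(work_log, rates)
    total = defaultdict(float)
    for (process, event), cost in per_event.items():
        total[process] += cost * volumes[event]
    return dict(sorted(total.items(), key=lambda kv: kv[1], reverse=True))


def payback_years(annual_cost, effort_eliminated, project_cost, annual_run_cost):
    """Years until savings cover the project, or None if it never pays back.

    effort_eliminated is the fraction of current effort the fix removes;
    annual_run_cost is what the new tooling costs to operate each year.
    """
    net_saving = annual_cost * effort_eliminated - annual_run_cost
    if net_saving <= 0:
        return None
    return project_cost / net_saving


if __name__ == "__main__":
    ranked = annual_cost_by_process(WORK_LOG, LOADED_RATE, ANNUAL_VOLUME)
    for process, cost in ranked.items():
        print(f"{process:15s} ${cost:>12,.2f} per year")
    # Hypothetical automation project: removes 60% of provisioning effort,
    # costs $150k to implement and $30k a year to run.
    years = payback_years(ranked["provisioning"], 0.60, 150_000, 30_000)
    print(f"provisioning automation pays back in {years:.1f} years")
```

The ranking is what answers "is provisioning really your No. 1 problem?"; the payback figure is the "we could save X per year" sentence the budget holder is waiting for. Swap in your own logged hours, rates and volumes, and keep the assumptions visible next to the result, because being right the first few times is what buys you the next conversation.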
Let's face it, the economy stinks. Begging for funding won't work. But strengthening the bottom line by cutting out waste? That's how heroes are made.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.