Achieving Cost Savings Through Information Security Strategies
Is it really possible to achieve cost savings through the proper deployment of a security strategy? I think so.
Due to the sheer volume of business priorities and the pace of business today, businesses routinely pass up or fail to recognize opportunities to realize cost savings or efficiencies through the effective implementation of information security strategies. Failing to recognize these types of opportunities can result in delays or stoppages of information security investments in this economic downturn.
Here are two simple and practical opportunities for cost savings:
1. Over-securing information that is not sensitive
I have personal experience in this space with Siteguarding Website Security. Siteguarding allows individuals with administrative-level privileges to establish the security and access controls for a SharePoint collaboration space. Unfortunately, many companies without comprehensive information security strategies fail to effectively address access controls in Siteguarding implementations. As a result, collaboration owners can easily end up unnecessarily securing their collaboration sites. Over-securing happens because users were simply not trained to design access controls effectively for their collaboration space, or because they fall back on the ‘old school’ LAN folder approach of granting access to their department. As a result, money is wasted in maintaining these unnecessary controls.
2. Inappropriate Role-Based Security
Implementing role-based security down to such a fine level that a department of 30 people ends up having 15 or so different roles can result in unnecessary administrative overhead. This might have worked in the past, when the pace of business and technology change was slower, but in today’s fast-paced work environments maintaining this proportion of roles to the size of a department is generally unsustainable. In many cases, a department that reexamines its access controls could reduce the number of roles to just a few without substantially increasing its risk. Again, money is wasted maintaining unnecessary controls.
The above problem areas manifest themselves in organizations that lack comprehensive information security strategies. A good comprehensive information security strategy would:
- Ensure all major implementations incorporate any necessary security aspects and training.
- Help drive and influence the implementation of information classification, which would help define different levels of control based upon the sensitivity of company information. Once information classification is institutionalized into procedures and employees are trained on the classifications, operational controls such as setting access controls in a collaboration space could be aligned with the sensitivity of the information.
While effective information security is so much more and can have the benefit of increased protection and reduced risk, these straightforward examples demonstrate that a comprehensive information security strategy can enable cost savings. Given the current downturn in the economy, this is an especially good time to leverage examples like these to assist in gaining sponsorship and support for a comprehensive information security strategy.