Well-intentioned IT security, compliance, and risk management professionals have long known that one of the most effective ways to attract budget dollars for security widgets is to convey fear, uncertainty, and doubt to senior managers.
Few things make people pay more attention than fear of imprisonment or economic penalties assessed by courts or regulatory bodies.
Fear-factor funding campaigns are quickly losing their value as executives realise that many regulations can be ignored without consequences, that “end of days” malware has yet to manifest itself, and that a recent security breach resulted only in minor annoyance instead of the billion-dollar losses someone, somewhere predicted. Fear-factor fundraisers run the risk of crying “Wolf!” once too often.
In tough budgetary times, it is a mistake for security professionals to think scare stories will immunise the IT security budget from cuts. Security professionals need to change their act to promote programs and changes that cut the organisation’s overall cost of operation while reducing security risks.
Below are three cost-reduction projects that can improve security, increase operational efficiency, and upgrade service quality while saving significant money.
Companies spend far too much on wasted energy. Prime offenders include server farms that do nothing late at night and desktops left on over the weekend.
A number of software vendors offer tools to enforce power management settings, enable Wake-on-LAN for maintenance and security configuration management activities during non-business hours, and generate reports to document bottom-line savings.
You are probably thinking, “Doesn’t this mean I need to invest in more infrastructure and people to manage the effort?”
In many cases, no. Some of the organisation’s currently deployed systems management tools may already provide power management capabilities as part of their IT policy enforcement features. Here, power management is just another IT policy applied as needed across an infrastructure.
Power management also has implications for security. A machine that is turned off cannot become infected or become a point of compromise.
Running maintenance during non-business hours also makes security configuration management less obtrusive to the end user, which makes it easier to execute necessary security-oriented changes (patches, vulnerability closures, policy moves, etc.) across an entire infrastructure without delay or pockets of end-user resistance.