
IT Compliance Budget Relief Strategies


7 Tips to Beat the Budget Crunch

By Sara Gates, Vice President of Strategy, Agiliance

It is time for IT to have its own relief plan. Caught between tough economic conditions, competitive pressures and mounting compliance demands, today's IT organization faces a dilemma of epic proportions.

To remain resilient in this environment, businesses must contain costs while continuing to drive innovation and optimize performance. For IT executives, this means doing more with limited (and in some cases declining) resources.

According to a September 2008 survey of 947 global IT decision-makers by Forrester Research, Inc., "The State Of Enterprise IT Services: 2008", 43 percent of respondents had already cut their IT budgets that year because of the global economic slowdown.

New regulations will certainly continue to grow in number and complexity as a result of the current global economic crisis. To date there are more than 1,000 regulations in the U.S. alone, and Gartner predicts that by 2012 the number of regulations that directly affect IT will double. Given this, businesses often find themselves diverting precious staff time and operating budget away from growth-supporting initiatives to reactive activities such as regulatory audits.

As a result, an increasing share of the IT budget is being spent on IT security. Industry experts predict that the percentage of IT operating budgets devoted to security will increase in 2009, despite the tough economic times.

Even with this increased spending, many business leaders believe their current levels of investment in security and compliance are out of balance. In the present threat-driven business climate, over-investing in compliance-related initiatives can hamper a company's ability to invest elsewhere, such as in delivering new products and services.

As pressures mount to control the bottom line and regulators become even more aggressive, IT success requires the right balance of belt-tightening and the strategic investments needed to fuel growth.

How to Beat the Budget Crunch
Streamlining risk and compliance efforts offers IT one of its greatest sources of budget relief. The new generation of IT risk and compliance automation software (sometimes referred to as IT GRC) lets organizations manage information-technology assets, people and processes with respect to compliance. These solutions consolidate and integrate the plethora of technical data, and systematically gather, classify and prioritize security-risk data across assets, operations and regulations, improving risk mitigation and reducing costs by automating manual, error-prone processes.

To companies in need of relief from exorbitant compliance-related costs, the following tips offer a way forward:

Budget Relief Tip #1
Perform an inventory of IT and security infrastructure assets. Companies with multiple business units and subsidiaries often end up with geographically dispersed data centers and computing assets, making the data collection and classification that regulations require a time-consuming challenge. Newer technologies can connect to vulnerability scanners, SIM/SEM systems, directories, CMDBs, identity management systems and other network products to aggregate and reconcile data from across these diverse systems. Intelligent risk profiling can then classify discovered assets automatically and alert staff to inconsistencies or issues before auditors find them. This frees up the time currently spent on manual checking and lets companies concentrate control effort on the most critical assets first, leading to cost savings. The inventory is only as good as its reconciliation: an asset that appears in the scanner but not in the CMDB (or the reverse) is exactly the kind of gap an auditor will ask about, so the discrepancy list deserves an owner.

Budget Relief Tip #2
Automate collection of "tribal knowledge." Often the best way to test a policy or control is to ask the people in the organization and collect their responses. Collecting, analyzing and reporting that data is slow, complex and error-prone when it relies on paper-based surveys and manual data entry. Efficiencies can be gained by automating the collection with auditable, web-based surveys that gather data from department managers, process owners and system owners and test the responses against controls. Moving away from manual processes drives faster decision-making and more timely, cost-effective compliance, and provides the data for improved visibility across organizational boundaries. Survey answers are self-attested, so treat them as a first pass and corroborate them with system-generated evidence wherever a control can be tested technically.

Budget Relief Tip #3
Centralize policy management. Creating, distributing and managing IT policies may seem basic, but many large IT organizations spend excessive time and resources on this seemingly simple task. Today's IT policy automation products help businesses keep up with it and cut costs by providing sample policies and templates based on industry best practices, combined with automated workflows, end-user acceptance and exception management. Policy campaigns are a powerful automation capability: the process of sending a policy, ensuring it has been read, and even quizzing employees on it improves the company's overall risk posture while streamlining a manual process.

Budget Relief Tip #4
Use technology to map compliance controls. Regulations are rarely specific about the exact IT controls needed to satisfy them. As a result, one of the most difficult and time-consuming challenges for organizations is translating general statements in laws and regulations into specific, defensible controls. Manually mapping controls across regulations, standards and frameworks can be a full-time job, and it delivers little business value beyond keeping the company out of trouble with regulators. Today's compliance solutions ship with this mapping already done, so companies can select the regulations, policies and standards that matter to them with a click of a mouse. Control testing then becomes automatic, freeing valuable resources to return to more strategic responsibilities. The vendor's mapping still has to be reviewed against the organization's own interpretation and its auditors' expectations, because it is the company, not the vendor, that must defend each control.

Budget Relief Tip #5
Streamline control testing and remediation efforts. Regulatory compliance depends on the continuous monitoring and enforcement of thousands of IT controls, and many organizations have trouble detecting and addressing control violations in a timely manner. IT risk management and compliance automation technologies can alleviate this by automating testing, correlating the results and communicating them to the owners of the business risks. Integration with trouble ticketing and CMDBs expedites remediation of control violations under formal change management, and lets remediation efforts be tracked from a single project dashboard.

Budget Relief Tip #6
Eliminate process overlap. Large organizations typically must comply with multiple regulations, each with independent processes, metrics and audit procedures, yet there is a 50-70% overlap between regulations in the questions they pose to organizations. With each new regulation, the common approach has been to simply add a new compliance team with a new mission and scope. The result: multiple teams asking the same questions, creating significant inefficiency and process overlap. Redundant processes, policies and controls are common, and the teams interpret the same risk data differently. Compliance automation tools can eliminate those redundancies, improve the consistency and quality of risk data, save time and reduce the demands on managers.

Budget Relief Tip #7
Focus on the most critical issues first. When companies depend on vulnerability logs and dashboard reports from multiple disparate security systems, it is difficult to prioritize the criticality of control violations across a broad range of assets (processes, people and technology). Reliance on subjective opinion makes it hard for business managers and executives to determine which issues are most critical and deserve scarce IT budget and resources, and as a result businesses often overspend on compliance. A single analytic solution that correlates data about processes, people and IT assets across regulations, frameworks and controls can provide the intelligence needed to prioritize criticality with confidence. This lets businesses address the most critical issues first and avoid unnecessary spending.
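The mechanics behind Tips #4, #6 and #7 are the same data structure: a common control framework in which one internal control is mapped to the requirements of several regulations, is tested once, and has its result fanned out to every framework that cites it. The following Python model is an added illustration written for this page; it is not code from the article or from any Agiliance product. The framework names are real programs, but every requirement ID, control name, asset, criticality score and test result is a constructed placeholder, not a real clause number or real evidence.

```python
from collections import defaultdict

# Constructed mapping: each internal control lists the framework requirements
# it satisfies. The requirement IDs (S-1, P-1, H-1 ...) are placeholders
# invented for this example, not the real clause numbers of SOX, PCI or HIPAA.
CONTROL_TO_REQS = {
    "C1 unique user accounts":          {"SOX": ["S-1"], "PCI": ["P-1"], "HIPAA": ["H-1"]},
    "C2 quarterly access review":       {"SOX": ["S-2"], "PCI": ["P-2"]},
    "C3 change approval before deploy": {"SOX": ["S-3"]},
    "C4 one-year log retention":        {"PCI": ["P-3"], "HIPAA": ["H-2"]},
    "C5 encrypted backups":             {"PCI": ["P-4"], "HIPAA": ["H-3"]},
}

# Requirements the organization selected as in scope (constructed). S-4 has
# no control mapped to it, which the gap check below should surface.
IN_SCOPE = {
    "SOX":   {"S-1", "S-2", "S-3", "S-4"},
    "PCI":   {"P-1", "P-2", "P-3", "P-4"},
    "HIPAA": {"H-1", "H-2", "H-3"},
}

# Constructed test evidence: control -> asset -> passed?
RESULTS = {
    "C1 unique user accounts":          {"payroll-db": True,  "web-portal": True},
    "C2 quarterly access review":       {"payroll-db": False, "web-portal": True},
    "C3 change approval before deploy": {"payroll-db": True,  "web-portal": True},
    "C4 one-year log retention":        {"payroll-db": True,  "web-portal": False},
    "C5 encrypted backups":             {"payroll-db": False},
}

# Constructed asset criticality from the inventory (Tip #1): 1 low .. 5 high.
CRITICALITY = {"payroll-db": 5, "web-portal": 3}


def coverage_summary(control_to_reqs):
    """How many requirement checks one round of control testing satisfies."""
    requirements = sum(len(ids) for fws in control_to_reqs.values() for ids in fws.values())
    controls = len(control_to_reqs)
    return {"requirements": requirements, "controls_to_test": controls,
            "overlap_pct": round(100 * (1 - controls / requirements))}


def uncovered_requirements(in_scope, control_to_reqs):
    """In-scope requirements with no control mapped to them: gaps to close before testing."""
    covered = defaultdict(set)
    for fws in control_to_reqs.values():
        for fw, ids in fws.items():
            covered[fw].update(ids)
    return {fw: sorted(ids - covered[fw]) for fw, ids in in_scope.items() if ids - covered[fw]}


def control_passes(control, results):
    """A control with no evidence at all is treated as failing, never as passing."""
    evidence = results.get(control, {})
    return bool(evidence) and all(evidence.values())


def framework_status(control_to_reqs, results):
    """Failed requirement IDs per framework, derived from a single set of control results."""
    failed = defaultdict(set)
    for control, fws in control_to_reqs.items():
        if not control_passes(control, results):
            for fw, ids in fws.items():
                failed[fw].update(ids)
    frameworks = {fw for fws in control_to_reqs.values() for fw in fws}
    return {fw: sorted(failed[fw]) for fw in sorted(frameworks)}


def prioritized_findings(control_to_reqs, results, criticality):
    """Failing (control, asset) pairs ranked by asset criticality times regulatory reach."""
    findings = []
    for control, per_asset in results.items():
        reach = sum(len(ids) for ids in control_to_reqs[control].values())
        for asset, passed in per_asset.items():
            if not passed:
                findings.append({"score": criticality[asset] * reach, "control": control,
                                 "asset": asset, "frameworks": sorted(control_to_reqs[control])})
    findings.sort(key=lambda f: (-f["score"], f["control"], f["asset"]))
    return findings


if __name__ == "__main__":
    print(coverage_summary(CONTROL_TO_REQS))
    print(uncovered_requirements(IN_SCOPE, CONTROL_TO_REQS))
    print(framework_status(CONTROL_TO_REQS, RESULTS))
    for finding in prioritized_findings(CONTROL_TO_REQS, RESULTS, CRITICALITY):
        print(finding)
```

With this data, five control tests satisfy ten requirement checks (a 50% overlap, at the low end of the range the tip quotes), the gap check flags S-4 as an in-scope requirement nobody is testing, and the two payroll-db failures outrank the web-portal failure because the asset is more critical and each failing control is cited by two frameworks. The scoring rule and the "no evidence means fail" policy are design choices for the example; a real program would tune the weights and would record who accepted any residual risk.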

By tying together the interdependent disciplines of IT risk and compliance, companies can establish more accountable and effective IT security and compliance functions, without the high costs and inefficiencies of disparate programs.

Companies in all sectors, particularly government, insurance, retail, healthcare, financial services and energy, face unprecedented challenges in managing IT budgets as they are pressured to reduce expenses without jeopardizing compliance. By automating controls and compliance processes, enterprises can save millions of dollars in hard costs.

Thriving in a Down Economy: Bonus Tips
IT risk and compliance management solutions can also support the growth side of the equation, by helping companies leverage their existing security investments more effectively and by giving decision makers the current, accurate intelligence they need to understand how IT risk affects the entire organization.

IT Policy Compliance Group, in research conducted with more than 2,600 organizations around the world, found that companies with the most mature IT governance, risk and compliance practices performed on average 13% to 17% better in customer satisfaction, customer retention, revenue, profit and expense reduction than those with the least mature practices.

Bonus Tip #1
Develop a sustainable, continuous risk management and compliance infrastructure. Without a current and accurate view of IT risk and compliance status, companies expose themselves to greater risk of costly security breaches and audit failures. A persistent approach to IT risk management that tightly integrates the management of security, compliance and risk across IT systems helps companies avoid costly mistakes. A continuous compliance infrastructure creates a single system of record and a single source of truth for everyone involved in IT risk management, so everyone works from the same information. And because it is always on, everyone has a current view of the company's IT risk profile.

Bonus Tip #2
Be proactive. Rather than sustain spending on security and compliance for its own sake, businesses fed up with the cost are beginning to develop compliance and risk management processes that allocate IT resources and activities according to business objectives and acceptable levels of risk. Strategic investments in new IT risk management products can support this by providing current and accurate visibility into how IT risk affects the entire organization. Solutions that normalize and combine risk from non-compliance with regulations and standards, from IT security and system automation gaps, and from process-related risk can consolidate it into a single dashboard view that gives business managers and executives the intelligence they need to make informed decisions with confidence.


Improving the Bottom Line
A realistic and well-executed IT risk and compliance program pays dividends in lower costs, reduced risk, consistent compliance and even better morale. With better security, fewer audit failures, improved leverage of IT resources, faster decision-making and better optimization of existing business processes, companies will find themselves well positioned to gain relief from the current budget crunch and to build a strong foundation for future growth initiatives.





As Vice President of Strategy for Agiliance, Sara is responsible for driving the company's vision, industry thought leadership and overall marketing direction. Sara is an accomplished information security veteran respected for her "get it done" attitude and practical approach to solving IT's most critical and timely challenges.

Prior to Agiliance, Sara was Vice President of Identity Management at Sun Microsystems. Under her leadership, Sun achieved market leadership in the fast-growing identity management market. Sara came to Sun through the acquisition of Waveset Technologies, where she was responsible for driving product direction and strategy. Sara has previously held marketing and strategy positions at Transpoint (a Microsoft-funded start-up) and Deloitte. She also serves as an advisor to early-stage companies, including Securent (acquired by Cisco) and DreamJobs, Inc.

Sara holds a BBA from the University of Texas at Austin and an MBA from Vanderbilt University, where she recently served as the President of the Board of Directors.

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY