Comsec Consulting Launches an IT Security Cost-Restructuring Approach

Comsec Consulting has announced the launch of an IT security cost-restructuring approach aimed at improving the cost-efficiency of information security solutions. In addition, Comsec has announced the availability of a supporting advisory paper providing the methodologies required to manage the cost of information security.

Over the last 20 years Comsec Consulting has developed a full set of information security services and, within these engagements, has improved clients' risk profiles and remediated compliance issues. Recently, Comsec Consulting, drawing upon its proprietary in-house developed methodologies, has pulled together its best practices in information security and formulated a new approach aimed at IT security restructuring, specifically to respond to the current financial climate. This methodology can lead to higher efficiency, with potential cost savings in IT security, while maintaining, and in some cases reducing, the risk profile of the enterprise through security simplification.

Stuart Okin, Managing Director, Comsec Consulting UK, says: "There are a number of studies which have estimated that spend on information security can range up to 15% of the IT budget, with additional costs hidden within the business. Early in 2008, analysts were still anticipating a growth of the IT security market of 29% in the US and Europe. However, due to the current economic climate, business priorities are shifting and areas such as spend on security may be under pressure, when in reality the threats may be on the increase. The methodologies behind Comsec's IT security cost-restructuring approach provide enterprises worldwide with the ability to restructure existing security programmes and operations and in some cases reduce IT security spend, without compromising the level of information security."

As described in the Advisory Paper, by using the Comsec Security Architecture it is possible to group IT security restructuring into the following categories:
• Standardisation and Industrialisation – embedding security into the enterprise through standards such as a Security Development Lifecycle (SDLC), which removes threats earlier in IT projects and reduces re-coding costs. Having provided SDLC services directly to software product companies as well as enterprises, Comsec has seen a one hundred fold increase in security cost-efficiency compared with relying purely on the testing phases.
• Consolidation and Optimisation of Security Controls – removing unnecessary security technology and improving processes. Each year new security technology and additional controls are layered on top of existing systems, often without examining how the threat landscape has changed, which leaves older controls potentially redundant. For example, firewalls and intrusion detection solutions can be consolidated where externalisation has opened up ports, making some of the network segmentation unnecessary.
• Utilising Security Features – using security features across other divisions of the business and capitalising on inbuilt software technologies, providing central management and ongoing cost reduction as well as increased security. Many features, such as those found in identity and access management, can lead to cost savings in other parts of the business; e.g., if there is a single view of the user base, better software licence terms can be arranged.
• Simplification – simplifying the security environment can aid cost containment and reduction and will also lead to a more secure enterprise. For example, combining SOX, ISO 27001 and PCI IT security awareness training will be both cost-efficient and more beneficial to end users, as many of the messages in these disciplines overlap.
• Supplier Management – by consolidating suppliers of security services, cost reduction can be achieved through economies of scale, lower procurement costs and global pricing. For example, once in-depth knowledge of an enterprise application has been gained, white box security testing of incremental changes, rather than full penetration testing, can reduce expenditure.

For a copy of the Advisory Paper, entitled 'Managing the Cost of Information Security', please visit this page.

© 2009 Computing News