It Budget Tips


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

It Budget Tips

  1. 1. B U D G E T RELIEF STRATEGIES 7 Tips to Beat the IT Compliance Budget Crunch Sara Gates, Vice-President of Strategy - Agiliance, Inc. ABSTRACT Caught between tough economic conditions, competitive pressures and escalating compliance requirements, CISOs and other risk and compliance professionals face a daunting dilemma. Successfully balancing today’s risk management, cost reduction and compliance equation can be a difficult feat – especially in these uncertain times. As security incidents and new regulations continue to grow in number and complexity, businesses often find themselves diverting precious staff time and operating budget away from growth supporting initiatives to reactive activities such as regulatory audits. With the crumbling of Wall Street, companies can expect the complexity and cost burden of compliance to grow exponentially as the government responds to current risk management inadequacies with an onslaught of new rules and regulations. As demands to control the bottom line increase and regulators become even more aggressive, over-investing in compliance-related programs can negatively impact a company’s ability to fund future growth initiatives. For businesses that want to break out of the current inflated threat and compliance-driven spending model to develop a more resilient and cost effective IT risk management process, this paper offers budget saving tips, ideas and solid practices for keeping up with compliance demands and more effectively allocating IT budget and resources based on business objectives.
  3. 3. BUDGET RELIEF STR AT E G I E S Executive Summary It is time for IT to have it’s own relief plan. As a result, an increasing share of budget is Caught between tough economic conditions, being spent on IT security. Industry experts competitive pressures and mounting predict that the percentage of IT operating compliance demands, today’s IT faces a budgets devoted to security will increase in dilemma of its own epic proportion. 2009 – despite tough economic times. To remain resilient in this environment With this increased spending, many business businesses must contain costs while leaders believe their current levels of continuing to drive innovation and optimize investment in security and compliance may performance. This translates to IT doing be out of balance. In the present threat- more with limited (and in some cases, driven business climate, over-investing declining) resources. in compliance-related initiatives has the potential to hamper a company’s ability to According to a new survey by Forrester invest elsewhere, such as delivering new Research, Inc.1 of nearly 950 senior IT products and services. managers across North America and Europe, more than 40 percent of large businesses As pressures mount to control the have cut their IT budgets this year due to bottom line and regulators become even the global economic slowdown. more aggressive, IT success requires the right balance of belt tightening paired New regulations will certainly continue to with strategic investments required to grow in number and complexity as a result of fuel growth. the current global economic crisis. Currently there are more than 1,000 regulations in the U.S. alone – and Gartner predicts that by 2012, the number of regulations that directly affect IT will double. As security incidents and new regulations continue to grow in number and complexity, businesses often find themselves diverting precious staff time and operating budget away from growth supporting initiatives to reactive activities such as regulatory audits. 1 Forrester Research, Inc.“The State Of Enterprise IT Services: 2008”, September 2008. 3
  4. 4. How to Beat the Budget Crunch Streamlining risk and compliance efforts SIM/SEM, directories, CMDBs, identity can offer IT one of the greatest sources management systems and other network of budget relief. The new IT risk and products to help companies efficiently compliance automation software solutions, aggregate and reconcile data from across (sometimes referred to as IT GRC) allow diverse systems. Intelligent risk profiling organizations to effectively manage can help IT automatically classify discovered information-technology assets, people assets and alert staff to inconsistencies or and processes with respect to risk and issues before auditors discover them. This compliance. These solutions provide frees up time spent on manual checking that the means to consolidate and integrate is done today and also allows companies to the plethora of technical data and to focus on applying controls only to the most systematically gather, classify and prioritize critical assets, leading to cost savings. security-risk data across assets, operations and regulations, thereby improving Budget Relief Tip 2 risk mitigation and reducing costs by Automate collection of “tribal automating manual, error-prone processes. knowledge.” Often the best way to test To companies in need of relief from a policy or control is to ask people in an exorbitant IT compliance related costs, organization and collect their responses. we offer the following 7 tips based on Collecting, analyzing and reporting data can Agiliance’s IT compliance automation be a slow, complex, and error-prone process and risk management expertise and when relying upon paper-based surveys and knowledge of industry best practices: manual data collection. Efficiencies can be gained by automating this collection process Budget Relief Tip 1 using auditable, web-based surveys that gather data (from department managers, Perform an inventory of IT and security process owners and system owners) and infrastructure assets. Companies with easily tests responses against controls. multiple business units and subsidiaries Moving away from manual processes drives often end up with geographically disperse faster decision-making, more timely and data centers and computing assets – making cost-effective compliance, and provides data collection and classification as required the data for improved visibility across by regulations a time consuming challenge. organizational boundaries. New technologies can connect to scanners, 4
  5. 5. BUDGET RELIEF STR AT E G I E S Budget Relief Tip 3 Management and Compliance automation technologies can help alleviate these issues Use technology to map compliance by automating testing, correlating and controls. Regulations are not specific when communicating controls results to the it comes to the exact IT controls necessary owner(s) of the business risks. Integration to satisfy compliance. As a result, one of with trouble ticketing and CMDBs can the most difficult and time-consuming help expedite the remediation of controls challenges for organizations becomes the violations following formal change translation of general statements of laws management methodologies. This also and regulations into specific and defensible allows tracking of remediation efforts controls for compliance. Manually mapping from a single project dashboard. controls across regulations, standards and frameworks can be a full time job. This Budget Relief Tip 5 activity delivers little business value to the company beyond keeping it out of trouble Eliminate the process overlap. Large with regulators. Today’s compliance solutions organizations typically must comply with have already done the mapping. This allows multiple regulations each with independent companies to simply select the regulations, processes, metrics, and audit procedures. policies and standards that matter to them There is a 50-70% overlap between with a click of a mouse. Control testing regulations in the questions they pose to then becomes automatic – enabling organizations. With the imposition of each valuable resources to return to more new regulation, the common approach strategic responsibilities. has been to simply add a new compliance team with a new mission and scope. The Budget Relief Tip 4 final result? Multiple teams asking the same questions, creating significant inefficiencies Streamline control testing and and process overlap. In this situation, remediation efforts. Regulatory redundant processes, policies and controls compliance depends upon the continuous are common – and teams interpret the monitoring and enforcement of thousands same risk data differently. Compliance of IT controls. Many organizations have automation tools can help to eliminate those problems detecting and addressing controls redundancies, improve the consistency and violations in a timely manner. IT Risk 5
  6. 6. quality of risk data, save time and reduce Budget Relief Tip 7 the demands on managers by allowing Develop a sustainable, continuous companies to “test-once, comply to many.” risk management and compliance Budget Relief Tip 6 infrastructure. Without a current and accurate view into IT risk and compliance Focus on the most critical issues first. status, companies expose themselves to When companies depend on vulnerability greater risks for costly security breaches logs and dashboard reports from multiple and audit failure. A persistent approach to disparate security systems, it can be difficult IT risk management that tightly integrates to prioritize the criticality of control violations the management of security, compliance across a broad range of assets (processes, and risk of IT systems can help companies people and technology). The reliance on avoid costly mistakes. A continuous subjective opinions can make it difficult compliance infrastructure creates a single for business managers and executives to system of record and a single source determine which issues are most critical of truth for everyone involved in risk and deserve scarce IT budget and resources management – so everyone has the same – as a result businesses often overspend on consistent information. And it is always on, compliance. Having a single analytic solution so that everyone has a current view of the that correlates data about process, people company’s IT risk profile. and IT assets across regulations, frameworks, and controls can provide the intelligence By tying together the interdependent needed to confidently prioritize criticality. disciplines of IT risk and compliance, This allows businesses to focus on the companies can establish more accountable most critical issues first and avoid and effective IT security and compliance unnecessary spending. functions – without the associated high costs and inefficiencies of disparate programs. 6
  7. 7. BUDGET RELIEF STR AT E G I E S The Secret to Thriving in Chaos Be proactive. Act Intelligently. The current for its own sake, strategic investments in U.S. financial crisis exists because of a failure new IT risk management products can help in risk management. While the crumbling companies evolve their risk management of Wall Street is in the hot seat now – no processes by providing current and accurate industry is immune. Risk management can visibility into how IT risk affects the entire be poorly executed in all disciplines. Failures organization. With solutions that can in risk management are also to blame for normalize and combine risk from non- the personal information disclosure crisis compliance with regulations and standards, and malware crisis. Crises emerge in part IT security and system automation gaps because executives don’t understand their as well as process related risk can be risks and risk managers don’t know how to consolidated into a dashboard view that talk to executives about risk. provides business managers and executives the intelligence they need to make more Companies can expect the government will informed decisions with confidence and ease. intervene and attempt to fix the current risk management failures with an onslaught In this manner, IT risk and compliance of new rules and regulations – further management solutions can support the adding to the complexity and cost burden growth side of the equation by helping of compliance without necessarily fixing the core risk issues. Companies A Performance Driven Risk Management Lifecycle have two choices (1) continue to Access, Monitor & Mitigate Risk increase the proportion of IT budget spent on compliance as regulations Business Requirements Remediation grow, or (2) develop compliance and risk management processes to Risks Generate Policies & Test Controls Controls Define Controls more effectively allocate IT resources and activities based on business Industry Regulations & objectives and acceptable levels Best Practices of risk. Monitor & Identify Requirements Set Policies & Create Controls Remediate Controls For businesses that are fed up with spending on security and compliance 7
  8. 8. companies to more effectively leverage from the current threat and compliance- existing investments in security and by driven business climate to a performance providing decision makers with the current and risk-driven business process will be more and accurate intelligence they need to resilient when new regulations are enacted better understand how IT risk affects their and better positioned for success when the entire organization. economy rebounds. IT Policy Compliance Group2, from Forward-thinking companies can expect research conducted with more than 2,600 a realistic and well-executed IT risk and organizations around the world, found compliance program will pay dividends that companies with the most mature IT in lower costs, reduced risk, consistent governance, risk and compliance practices, compliance, and even better morale. performed on average, 13% to 17% higher With better security, lower audit burden, in customer satisfaction, customer retention, improved leverage of IT resources, faster revenue, profit and reduced expenses, than decision-making and better optimization those with the least mature practices. of existing business processes, companies will find themselves well positioned to In every down economy there are gain relief from the current budget crunch opportunities to excel while others stand and build a strong foundation for future still. Companies who make the transition growth initiatives. “Agiliance is leading the charge to provide companies in the medical field with the proactive and practical tools needed to ensure that security investments and compliance controls directly support their business objectives. ” – Kristen Knight Director Privacy Compliance at Philips 2, 2008 Annual Report on IT Governance, Risk, and Compliance: Improving business 8 results and mitigating financial risk, May 2008.
  9. 9. BUDGET RELIEF STR AT E G I E S Agiliance Risk and Compliance Solutions Our customers, particularly in the and compliance efforts including reduced government, insurance, retail, healthcare, audit burden, increased visibility into current financial services and energy sectors, face compliance and risk status, and improved unprecedented challenges in managing leverage of IT resources. IT budgets as they are being pressured to reduce expenses Agiliance Intelligent Risk Management System without jeopardizing compliance. By automating controls and compliance Process Roles Based Data Dashboard processes, enterprises can literally save millions of dollars in hard costs. Risk Management Pre-defined Agiliance offers highly-automated System Database and Custom IT risk and compliance management Data (RMDB) Reports software products designed to help organizations thrive in the face People Remediation Data Process of mounting pressures to manage Common Control Framework and balance risk, compliance and IT Regulations, Standards, Frameworks and Policies budgets. By leveraging the power of Risk Intelligence Engine Agiliance software, businesses can Agiliance Connector make impressive gains in their IT risk Architecture “Not only did the Agiliance solution alleviate some immediate pain through automation of the seemingly never-ending list of compliance assessments, I believe it will ultimately help us implement a proactive and cost effective risk management strategy. ” – Shane Fuller Information Security & Compliance Manager RSA Insurance 9
  10. 10. Agiliance Solution Benefits To deliver customers the highest return on investment (ROI), Agiliance enables companies to aggregate and correlate risk data from systems, applications, people and processes into a single repository from which controls can be automatically assigned and monitored across the widest set of regulations and standards. In addition, we provide customers with the comprehensive IT risk management system they need to keep pace with the expanding requirements of IT compliance and operate at their highest level of performance. These capabilities allow enterprises to dramatically lower the cost of compliance and internal audits by as much as 70% to 80%. MARKET NEEDS AGILIANCE SOLUTION BENEFITS Automate collection of Agiliance software connects out-of-the-box with a wide people, process, and range of IT and security infrastructure and enables extensive system control data web-based self-assessments with the ability to import findings. In addition, automated workflow provides repeatable assessment processes. There is no need for custom development – Agiliance automatically aggregates and correlates data across systems, people and processes. Automatically map Controls are pre-mapped across a wide range of regulations, controls from multiple standards and frameworks, including SOX, HIPAA, PCI, CobiT, regulations, standards ISO 17799, FFIEC, FISMA, NERC, GLBA, SB 1386 and more. and frameworks With the ability to select multiple regulations, policies, security threats and frameworks with a click of a mouse, customer are ready to test controls in a matter of minutes instead of days or weeks as required with manual mapping exercises. And as regulations inevitably evolve or new assets get added, the Agiliance solution automatically updates controls to reflect the changes. 10
  11. 11. BUDGET RELIEF STR AT E G I E S Test controls and Agiliance’s hallmark “test-once, comply-many” capability eliminate process eliminates duplicate testing across multiple regulations redundancies and speeds up the time to compliance. Using Agiliance’s built-in Common Control Framework – containing over 10,000 controls across authoritative sources such as ISO 17799, ISO 27001/27002, NIST SP800, SOX, HIPAA, GLBA, FFIEC, PCI and many more – companies can test controls across all applicable regulations. Where redundancies exist, customers can test the common control one time to satisfy the requirements of multiple regulations. This eliminates the time and cost associated with duplicate tests. Remediation and Agiliance automatically prioritizes IT assets such as servers, exception applications and network devices that need to be monitored management for risk so that the most critical assets can be addressed first, e.g., those containing personal identification information, medical records or credit card information. Managers can immediately view the cost of downtime, the impact of various risk mitigation plans, the cost of replacing the asset and make real-time decisions about remediation versus accepting or transferring the risk. Automated ticketing insures mitigation processes are handled. Using this intelligence, decision makers can be confident that budget is being wisely allocated towards the most critical assets eliminating overspending on shotgun approaches that may add unwarranted controls across the entire IT environment. Complete visibility Agiliance software provides decision makers with the into current current and accurate risk intelligence they need to better compliance & risk understand how IT risk affects their entire organization. status Role-based dashboards and pre-configured report templates provide tailored views. Reports can be delivered to executives, managers or security analysts, with details by division, regulation, business process, or a host of other customizable views. Companies can rely on Agiliance to deliver continuous monitoring of risk and compliance across the enterprise – in the way that makes sense to them. 11
  12. 12. BUDGET RELIEF STR AT E G I E S Why Agiliance? As the costs and complexity of IT risk and Agiliance is the only solution in the market compliance continues to rise, Agiliance that features a unified Risk Management believes that customers need practical Database (RMDB) that contains regulations, solutions that are highly configurable, easy best practice frameworks, and standards to integrate, and interoperate with the while maintaining risk and compliance widest range of popular security and IT scores over time – serving as a single system infrastructure systems. Our unsurpassed of record for approval and maintenance of expertise in the interdependent disciplines corporate policies. In addition, Agiliance of IT security, compliance, and risk, allows customers to incorporate external combined with our security automation global feeds containing threat and and enterprise software acumen allows vulnerability information to deliver the us to deliver the integrated capabilities most comprehensive view of risk across the customers need to mitigate risks and enterprise. With the inclusion of information execute on forward thinking plans from human e-Survey processes the system with ease and confidence. delivers an enterprise-wide view of risk. “We’re working with Agiliance because their product met our key criteria which include easy integration with our company’s existing applications. ” – Oliver Eckel Head of Corporate Security bwin Interactive Entertainment AG ABOUT AGILIANCE Agiliance offers highly-automated IT risk and compliance management software products designed to help organizations thrive in the face of mounting pressures to manage and balance risk, compliance and IT budgets. Fortune 1000 companies in the financial, healthcare, energy, government and technology industries are leveraging the power of Agiliance software to cut compliance costs and to provide decision makers with the current and accurate intelligence they need to better understand how IT risk affects their entire organization. Agiliance is headquartered in San Jose, California and is backed by Walden International, Intel Capital, SVIC, Red Rock Ventures and Castile Ventures. For more information, please visit Agiliance, Inc. 1732 North First Street p: 408.200.0400 Suite 200 f: 408.200.0401 12 San Jose, CA 95112 © Agiliance, Inc.