Ever since the arrival of the first anti-virus software in the mid-1980s, accountants have been battling with IT managers to control and quantify the efficiency of IT security software.

In recent times, with the provisions of the the Sarbanes-Oxley Act in the U.S. and the Companies Act 2006 in the U.K. uppermost in their minds, this battle has spilled over into the boardroom.

But how can anyone quantify the return on investment (ROI) from modern IT security software?

Judging from discussions that SC Magazine has had with a number of experts in researching this issue, the task is not an exact science.

What is an exact science, however, is the possibility of reducing the cost of implementing and maintaining an effective IT security system, without affecting its overall efficiency.

In simple accounting terms, this has the effect of improving the ROI of an organization's IT security system — since the overall costs are reduced — even if the ROI cannot be accurately calculated.

So, how do savvy IT managers go about reducing the costs of their organization's IT security system?

We put this question to representatives of several security vendors and analysts, and came up with 10 ways to cut the cost of IT security.

1 Educate your staff.
Well-educated staff are one of the easiest ways of protecting an organization from most IT security threats.

The IT department should make a point of training all new members of its staff in how to conduct business securely on the internet, in the office and at home.

Ed Rowley, technical consultant with Secure Computing, says that if training budgets are an issue for an organization, then the IT manager should consider introducing "lunch and learn" sessions organized by the IT department.

These sessions, says Rowley, can be quickly and easily organized by the IT support staff and, since they are benefiting staff in their lunch hours, no working time is lost, while the employee gains access to IT education to which they would otherwise not have access.

2 Utilize existing resources.
Most organizations will have spent money for tools that can help to keep the IT resources of the business secure. Many of these tools may have fallen into disuse, even though the licenses are still valid. IT staff should be encouraged to update and distribute these tools to all users.

Operating systems usually come with a large number of integral security measures, with the default setting being off. Switching these security measures on is a free way of adding extra protection.

This measure also applies to firewalls which, although often complex in nature, are able to protect a system from most unauthorized attacks.

According to research sponsored by IT auditing firm Tripwire, and carried out by the nonprofit IT group IT Process Institute (ITPI), many IT departments are failing to utilize existing resources effectively and are wasting too much time on unplanned work.

ITPI found that spending on IT compliance and IT control activities has increased significantly as Sarbanes-Oxley and other privacy and industry specific regulations have taken effect.

The study — downloadable from https://www.itpi.org — found that top performers had higher performance measures in key operational metrics such as 12 to 37 percent less unplanned work than medium and low performers.

3 Standards and procedures.
Management should ensure their organization has coherent policy in place for all departments. The procedures should seek to act pre-emptively, rather than responding to individual threats.

Rowley points out that it is the responsibility of the IT department to ensure that company policies on IT security are put in place.

Experts at Secure Computing say the release of CipherTrust IronMail 6.5 in June can help to automate this area of IT security, since IronMail now includes an Advanced Compliance Module.

This, the company claims in a statement, makes Secure Computing the first messaging security vendor to offer category-based compliance optimized to reduce the administrative burden associated with protecting company information.

4 Forward thinking.
Organizations should invest in IT security systems that can be scaled — or expanded — to meet their future requirements, as well as upgraded to maintain protection against the latest hybrid threats.

Opting for a well-known vendor in this regard can also allow a multi-year support scheme to be purchased, allowing the cost to be spread across several years.

Many vendors will cheerfully agree to a multi-year support contract at sensible rates, on the basis that they know the customer will stay with them for a known period of time.

This allows the vendor to spread the cost of customer installation and customer staff training costs over a multi-year period. This approach is a win-win situation for all concerned, as both the supplier and the client have the reassurance of a multi-year contract.

5 Tap into the resources of the internet.
A variety of web portals and vendor sites now offer free alerts to be sent out to registered email addresses, either on a regular basis or via a ListBot emailing service.

These alerts often act as free education service for all levels of IT staff, advising them of the latest threats and how they can be countered, often using public domain or low-cost applications.

6 Get what you pay for.
Ensure that your organization is getting what it requires from a support and maintenance contract.

Policies should be updated and IT management should seek advice from vendors if they are concerned that a product, whether hardware or software, is not operating at peak efficiency.

Rowley says that vendor support is inevitably intertwined with company security policies, which should be reviewed and updated regularly.

Ever since the arrival of the first anti-virus software in the mid-1980s, accountants have been battling with IT managers to control and quantify the efficiency of IT security software.

7. Encrypt, encrypt and encrypt.
Encryption is an under-utilized function in many networking and communications applications. The default setting is usually off, or uses a low-power encryption system to save on processing power.

Modern IT hardware has very powerful processing power, so IT managers should be quick to use this power to encrypt any data transfers, both across VPNs and the internet.

This philosophy was exemplified recently by Seagate's development of a full disk encryption technology that can be built into hard disk drives.

The DriveTrust technology, which will be seen in the company's new generation of drives — due for shipment in early 2007 — automatically encrypts all the data written to the disk, making it inaccessible to anyone unable to input the correct password when the host PC boots up.

According to Scott Shimomura, Seagate's senior product marketing manager, DriveTrust is another way of thinking about what the capabilities of a hard drive are, beyond just storage.

"The primary market right now is the mobile computing market, because there is so much sensitive data that is being stored on notebooks," he says, adding that Seagate views DriveTrust as a feature that can be used in all drives.

Seagate is pitching its encrypting hard disk as an alternative to full-disk encryption software from the likes of PointSec and PGP, as well as the BitLocker technology seen in high-end versions of Microsoft's new Vista operating system.

8 Encourage and support a no-blame culture.
Although we'd like to think otherwise, mistakes do happen in modern business, and IT systems are no exception. Staff should be encouraged to learn from their own mistakes, as well as the mistakes of others, and takes steps to ensure the same errors do not happen in the future.

Although the concept of a no-blame culture is seemingly at odds with the provisions of the Sarbanes-Oxley Act, an important provision of the act covers issues such as auditor independence, corporate governance and enhanced financial disclosure.

These provisions mandate the management of any U.S. organization and, increasingly, organizations that do business with U.S. companies, to ensure best practice in their IT and general business operations.

Encouraging a no-blame culture is viewed by many experts as a key foundation in establishing a best practice approach to all aspects of business operations, including IT security.

9 Internet access is different from network access.
While all employee workstations need access to the company network, not all employees need direct access to the internet. If internet access is not required, do not allocate it to the workstation.

Using this approach can save on software licenses, as well as reduce the direct risk to the users' applications.

10 Consider outsourcing of some security functions.
Outsourcing is a method of cost control since it offers a fixed-cost to a given IT security function, as well as access to a specialist's knowledge.

Email security is an obvious choice for outsourcing, as there are several companies offering managed email and email security facilities.

According to Mark Sunner, CTO with MessageLabs, email outsourcing also offers access to service level agreements — something which could not be achieved on an in-house basis.

"We have 100 percent guarantees on the amount of malware that gets past our servers. We've never let a piece of malware through, nor do we intend to do so," he says. n

From his base in Sheffield, England, Steve Gold has been a journalist specializing in IT security and communications for 22 years. Steve has also authored and co-authored several books, including the Hacker's Handbook, The Good Software Guide and The Good Hardware Guide.


Postini and BASF

Postini, which describes itself as an integrated message management company, claims to have helped BASF, the global chemical company in reducing its IT security costs while maintaining the efficiency of its IT security systems.

BASF's problem was its size — it currently employs around 81,000 people in more than 170 countries — and the fact that it wanted to have a global email address. This, says Postini, made it a high profile target for spam and virus attacks from malicious and financially motivated hackers of all types.

By taking a managed approach to its email service, Postini says that the Ludwigshafen, Germany-based firm was able to reduce the costs of protecting its email systems from attack, while actually increasing its level of security.

Brigitte Buchsrucker, senior specialist for IS architecture at BASF's Global Competence Center for Information Services, wanted to build a cost-effective, highly available and highly secure messaging infrastructure for the company.

Postini, she says, emerged as the provider due to the quality of its anti-spam and anti-virus protection service, the cost of providing the service and its ability to meet BASF's special routing requirements.

On average, Postini says it is now processing around 370,000 incoming messages a day for BASF — around 11 million a month — using its Perimeter Manager Enterprise systems.
While the spam reduction figures are not yet available, BASF says that its virus protection has been flawless and requires very little administrative effort, so saving on BASF's direct and indirect costs for its email services.
-Steve Gold