
Fast ways to cut costs

A recessionary funk is in the air, and if experience is any guide, IT, and consequently IT security, will be one of the first places CFOs and CEOs will look to slash budgets. With the business climate turning colder, IT organizations will be challenged by their managements to cut back IT spending while maintaining accustomed quality of service and security levels. Many executives are downright sadistic about cutbacks and need to see blood on the floor before they believe that IT has done its part in helping the company through choppy waters.

To save their jobs and (more optimistically) set the stage for promotion when the recession ends, IT managers must propose cost-cutting projects that offer unambiguous, short payback-time cost savings. Projects that promise indirect benefits expressed in IT jargon won't cut it. If you promise things like “higher levels of operational maturity,” “closer alignment with industry security best practices,” or “improved service availability,” prepare to be a nail rather than a hammer in the next round of budget cuts.

The following recommendations may not only extend your tenure at your current employer, they are unambiguously good for organizations that undertake them. They offer tangible and direct cost savings that even the most technologically challenged senior executive will understand. Better yet, they don't call for hard sacrifices. Your organization will not only save money, but operate better when these measures go into effect. With this in mind, here are the top three projects IT should focus on to improve security, increase IT productivity, and save the company some coin in 2008.

1. Power management. Companies spend far too much on wasted energy, from server farms that do nothing late at night to desktops that hum away over the weekend or wee hours of the morning. IT can exhort employees to enable power management features already on their machines, but voluntarism only goes so far. Also, many organizations want computers to remain powered up to enable their servicing during non-working hours.

The most advanced power management solutions are relatively inexpensive to deploy, enable administrators to wake up PCs to service them, and allow wide flexibility in setting and enforcing power management policies on defined groups of PCs.

The savings are direct—up to $50 per PC per year in reduced electric bills depending on the cost of power and the strength of power conservation measures. To sweeten the deal, a growing number of utility companies and governments offer one-time rebates of up to $15 per PC for installation and operation of qualified power management software.

Power management also has implications for security, as a machine that is not on cannot become infected or be used as a point of compromise. Also, since power management will shut down computers on nights and weekends, it lowers the risk of pagers going off in the middle of the night to respond to a security incident. While it's nice to sleep peacefully, emergency responses can also generate expensive overtime work and rush charge premiums if you have to call in a vendor or service provider to get you out of a jam.

2. Software application management. Software application management (SAM) is the process of identifying installed applications and then monitoring their usage (or lack thereof) to determine compliance with software licenses, to check adherence to corporate usage and security policies, and to assist during a license true-up or renewal negotiation. IT folks tend to think of SAM as a compliance exercise, but many more organizations under-utilize licenses than overuse them. In my experience, the typical organization probably spends 10-20 percent of its application budget on dead, outdated, or unnecessary application licenses. In some cases this accounts for nearly half of the entire security budget alone.

Pruning back underutilized software has security benefits as well. Fewer applications means fewer opportunities for compromises and configuration errors. Also, the process of inventorying and auditing software usage often paves the way for additional control disciplines that cut costs and boost asset productivity.

3. Infrastructure consolidation. What do all point solution vendors, and the majority of enterprise security products, have in common? They all add complexity, silo-ize staff knowledge bases, lack scalability and add management overheads. This translates to superfluous FTEs, heavy infrastructure costs, more opportunities for expensive errors, and possibly higher security risk.

Point solutions may be excellent in small doses, but once they are deployed at enterprise production scale, troubles often arise. How much time does an IT staff waste finessing the redundancies and intricacies of the latest security widgets from Big Yellow, Little Red or a mini-mall of boutique vendors?

Demand more for less and turn to vendors who can consolidate otherwise discrete system management and security processes at acceptable quality of service levels. You'll save on license costs, reduce staff workloads, and improve productivity through deeper knowledge of how to use a consolidated tool set.

These are just some of the ways an IT organization can sweeten the bottom line, improve security, and increase operational efficiency while making friends with the CFO. And all of these benefits can be realized without mentioning the word compliance, spreading fear about the latest security breaches, or trying to explain what a rootkit is to an MBA.
