IT Security Investments With Staying Power

In today’s economic environment, the last thing a CIO wants to hear is that the IT security product his or her organization purchased last year isn’t going to make the cut moving forward. Sometimes the product simply doesn’t work with existing infrastructure or doesn’t integrate well with established business processes. In other cases, new risks or threats emerge that weren’t planned for when the initial investment was made — or newly available solutions offer a significant advantage.

Whatever the reason, it may become necessary for an IT organization to overhaul its security strategy in order to better align its business operations with its threat-mitigation requirements.

Mobile end-user devices, which often carry sensitive customer data or proprietary company information, represent a rapidly growing threat vector. C-level executives increasingly recognize the challenge posed by this data exposure risk, especially when coupled with the emergence of strict government regulations with stiff penalties for noncompliance.

Justifying Expenditures

The recently enacted Massachusetts privacy legislation and the 2009 HITECH Act — with the modifications it makes to HIPAA privacy rules — are two examples of the myriad state, federal and industry regulations that organizations must adhere to or risk fines, public notifications and other consequences.

Adding to the challenge, IT administrators must respond to these risks by providing comprehensive data protection — without introducing unmanageable administrative complexity. Consequently, one of the primary questions facing today’s CIOs and CISOs is how to ensure that their IT investments will have staying power.

In the current economic environment, justifying IT budget expenditures requires a return on investment (ROI) that is both compelling and measurable. In most cases, this represents a gating factor in getting any purchase approved. If you cannot show that a solution will quickly pay for itself or squeeze additional mileage out of an existing infrastructure, then it is hard to justify the purchase.

The solutions comprising today’s IT security landscape take one of two forms: proprietary technologies and systems or standards-based approaches.

Proprietary Solutions

Proprietary solutions typically require organizations to deploy the vendor’s back-end systems, reporting tools and management consoles. This approach works for some organizations, but for many it results in an excessive total cost-of-ownership burden that far exceeds the benefits. This is primarily because the additional operational costs associated with proprietary systems are commonly driven by the specialized skills required to maintain them.

A solution built on proprietary technologies can also have the undesired effect of locking the organization into a relationship with one primary vendor, potentially leading to costly product upgrades. Worse still, the organization may end up having to replace the vendor and essentially start over from scratch.

Standards-Based Approaches

A more prudent choice for ensuring the longevity of an IT investment is to select solutions based on de facto standards-based technologies. The security software vendor community has matured, and best-in-class suppliers can provide offerings that allow organizations to easily leverage the significant investments already made in existing infrastructure and business processes.

These solutions are built on generally accepted industry standards for enterprise software architecture, technologies and systems design, as well as for infrastructure deployment and management.

In addition, standards-based IT security solutions play a critical role in ensuring that an organization can control operational costs. New threats are constantly emerging, and it is imperative that new solutions are able to adapt and expand. The self-encrypting drives being developed by hard drive manufacturers to the Trusted Computing Group’s (TCG) OPAL specification represent on example of a technology category that enjoys this type of broad industry support.

When it comes to making sound decisions on IT security solutions, organizations have two basic choices: proprietary technologies or standards-based solutions. To ensure the selection an organization makes today can survive the new threats and challenges of tomorrow, care must be given to select those that will stand the test of time and provide the most value for the money.