Comment: How to cut costs and still remain secure

How do you maintain security when your budget gets cut?
How do you maintain security when your budget gets cut?

So you’ve just heard your budgets have been cut once again. This time it’s across all IT, and security has got to be slashed too. As a CISO or IT manager responsible for a mobile workforce using an assortment of portable devices and removable media, you suddenly feel like there’s a time bomb waiting to go off.

How have we got to where we are?

Whilst reduced spending may be good for the company’s balance sheet, often data security is the trade off. Let’s look at the evidence:

  1. Companies now have tighter budgets and are working with far less staff.
  2. The mantra now is: more hours, less pay.
  3. Mobile and remote working has gained in popularity.
  4. Companies are faced with the unenviable dilemma: to get the job done they must embrace this mobile practice, yet this practice poses serious threats to data security that are costly to address.

So ultimately the question becomes one of whether the gains are worth the risk with smaller budgets?

Only you can answer this question for your organisation, but there are few who really feel they have a choice. In fact, a survey conducted by Credant this past summer confirmed that mobile working is very much a reality, and few organisations are prepared:

The “mobile habits, leisure and security” survey revealed that more people than ever before plan to holiday with a laptop in 2010, with 64%, an increase from 33% two years ago, confirmed that they will take their laptop with them for work, however a staggering 66% revealed that their device will be unencrypted and 51% of these won’t even be using a password

It’s a nightmare scenario for those responsible for security with employees now accessing their emails and network even when they are away, but often oblivious to the security implications of connecting using insecure devices and networks. The well documented implications of failing to comply with data privacy regulations, such as Sarbanes Oxley or the Data Protection Act, are just the tip of the financial iceberg. Lost revenue from reduced customer confidence when data goes missing and hits the public eye can be catastrophic, and the price of rebuilding a damaged brand can be insurmountable. I would argue that the right solution is priceless – that said, it isn’t free.

Where do we go from here?

The best way to secure data is to keep it locked away on the corporate network and never allow anyone access to it. Now, if your organisation can operate like that, then fair play to you. Back in the real world it’s just not a viable option.

The reality is that there will be a magnitude of people within your company that need access to sensitive data in their day-to-day activities. As we’ve established, they won’t always be within the safe confines of the building, so it is a given that your data has been, and will continue to be, transported beyond the walls you’ve built to protect it – whether made of brick or fire.

The stance you need to take is mitigating the risk this presents whilst enabling business to continue unhindered.

Today, there are many encryption products available offering the promise of data protection and compliance. However, the reality is that attempting to deploy a single ‘point’ solution to meet all one’s needs can pose more problems than it solves. While some encryption products address the issue of protecting data on particular devices or for specific users, it fails to incorporate the full security landscape of your enterprise.

The truth is, in your heterogeneous environment, plugging one gap just leaves all the others wide open. To be truly secure one would then need to look at each and every way data is stored and transported, and then employ a solution for each.

It’s immediately clear that the expense of this approach is potentially massive – not only in purchasing, deploying and trying to manage all these disparate systems – but the margin for error is also huge. This can often result in an ineffective solution due to poor manageability and a lack of interoperability with existing IT tools and processes, thus rendering the investment redundant.

I would also argue that to prove compliance without the benefit of a single, integrated management and reporting framework is extremely difficult, if not impossible. Moreover, you could never be certain a breach wouldn’t occur anyway.

You need to be canny if you’re to negotiate your way through the security minefield on a budget. But you needn’t do so alone. Here are five basic requirements that will help you select the right solution to keep your data from harm:

  1. A security solution for a mobile workforce should be centrally managed and policy based for maximum control, ensuring encryption can be addressed on all devices and for all users, so that the data your staff carries is protected
  2. A solution should be adaptable to encompass every device currently utilised by your organisation (e.g., desktops, laptops, handheld devices and removable media, but also the unknown devices of tomorrow)
  3. A solution should provide flexibility in the way the data is encrypted (e.g., hardware-based full disk encryption or software based-full disk encryption)
  4. A solution should be as transparent as possible to the end user so they’re not able to disable or bypass the protection
  5. A solution should provide seamless protection without slowing the device or hindering the user

It is unrealistic to simply stop spending money on security and expect to remain secure. However, by thinking outside the box and purchasing a solution that does the same, you can keep the financial director happy and your data secure.

Bob Heard is the CEO and co-founder of Credant Technologies. Heard has more than 30 years of experience in business and technology management, starting his career at IBM and holding subsequent leadership roles in two start-ups, Sterling Commerce and Entrust. He has received numerous awards and recognition for his entrepreneurship, including the 2005 Ernst & Young Entrepreneur of the Year, 2006 Tech Titan nominee and the 2008 TiE Renegade Entrepreneur. Heard is a graduate of Texas Tech University, where he earned a bachelor’s degree in business administration.

What’s hot on Infosecurity Magazine?