Security Investments Can Be Profitable
I was searching for more information on IT Governance, Risk and Compliance (GRC). I found that those enterprises that have mature GRC policies and operations are financially more successful than those enterprises that do not have mature policies and operations. I came to this conclusion when I located the IT Policy Compliance Group at www.itpolicycompliance.com.
Many IT organizations see security investments as insurance: no financial return, just preventing problems and financial loss. As regulations increase, IT is affected by about 99+% of the regulations, regulations that require new knowledge and investments. In my previous blogs, “VoIP, E-Discovery” and “Law and Planning for VoIP E-Discovery”, I learned that all forms of electronically stored information (ESI) are part of the e-discovery process, which can include VoIP calls, conferences and call center recordings. So collecting, storing and protecting the ESI becomes another responsibility of IT.
The IT Policy Compliance website describes itself as “dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.”
The web site has a guidance section at http://www.itpolicycompliance.com/guidance/enterprise_special_interests/ with about 2 dozen documents covering topics from leadership to best practices, what works and organization.
The site also has a link to a report, “2008 Annual Report: IT Governance, Risk and Compliance – Improving Business Results and Mitigating Financial Risk” available at: http://www.itpolicycompliance.com/research_reports/it_governance/read.asp?ID=12
GRC is about the balance of investment and risks. The chart below covers the business factors relating to the enterprise’s success and risk and the enterprise’s maturity in security investments and operations. The impact of these investments on the enterprise’s business success is presented.
The 2008 Annual Report analyzes and digests research performed with more than 2,600 organizations worldwide. The report, partially summarized in the chart, demonstrates the IT GRC maturity of enterprises and how this maturity level relates to the business outcomes.
Reprinted from the “2008 Annual Report: IT Governance, Risk and Compliance
– Improving Business Results and Mitigating Financial Risk”.
Level 1 is the least mature while level 5 is the most mature in security investment and operations. The results are compared to level 3, the average: customer satisfaction is +8.7% for level 5 and -8.7% for level 1. Revenue is +8.5% and profits +6.9% compared to the average, level 3. What I also found interesting was that the “Financial risk from disrupted business operations” was 0.2% of revenue for level 5 compared to 10% of revenue for level 1. The “Financial risk from customer data loss theft” for level 5 was 0.4% of revenue compared to 9.6% of revenue for level 1.
So as you plan to migrate to VoIP/IP Telephony and eventually Unified Communications, consider your security investments. Look for security and compliance features in your vendor’s products. Explore security devices that are not part of the VoIP/IPT product lines that will improve security. Do not under-invest in security.
My conclusion is that investing in security and operating properly will, in the long run, more than pay for itself. It will also retain the enterprise’s reputation as one that is good to do business with in the future. If I know of an enterprise that has had significant security problems, I will be hesitant to do business with them. I may not want to buy stock in them either.