October 28 2016, 08:30 am

The single most important step to lower your 2017 Network Security Budget

Saving thousands, even tens of thousands, on your Information Technology (or IT security) budget in 2017 is possible. The suggestions below show that outstanding information security results are possible independent of large security budgets or specialized security consultants. Our customers, representing hundreds of PC users, have consistently and methodically lowered their security incident count and the severity of security breaches over the last 24 months. Recently we celebrated a 6-month stretch in which only 1 client had only 1 virus on only 1 computer. (This was back in May and we hope that client never does this again, as it will mess up everyone’s stats!) This update will show how a manager or executive can hold a technical team accountable for great results and control a security budget. It will also identify how a technical team can institute specific security actions that together dramatically lower the risk profile.

Before outlining the steps and methodology of how this works, let us offer proof that outstanding results are possible. Our validation comes from a comparison of PCIT’s clients to a survey of 540 Canadian and worldwide organizations by the Osterman Group. In this survey, 72% of the Canadian organizations experienced a security attack within 12 months, while 60% of PCIT’s clients experienced the same. However, what happened after the incident was even more striking. The survey reports that 63% of those attacked experienced severe downtime of over 9 hours. None of PCIT’s clients experienced severe downtime. Most telling is that the survey respondents appear to have a significantly higher budget for digital security and even dedicated security resources.

The most effective method to improve security results is surprisingly low cost. This #1 tool is not a special antivirus software, next generation firewall, two-factor authentication, biometrics, independent network penetration testing, or other esoteric approach. PCIT sees the most effectiveness in network security simply by measuring incident rates of a single network and then comparing those results to a peer group. As PCIT delivers IT services for many clients across the Peace River region, this has become an easy process. First, every virus, data breach or malware incident is recorded. Next, we track how many of these occur each month for each client. Last, we compare that client’s results with our entire client base. A sample table is below.

Operational Results Summary

The table below is an excerpt of key service delivery area metrics that PCIT tracks on a regular basis.

[Image: security incidences table]
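The record, count and compare steps described above can be sketched in Python as an added illustration; this is not PCIT's own tooling or data. The client names, PC counts and incident records are constructed, and both the per-100-PC normalisation and the use of the other clients' median as the peer baseline are assumptions not stated on this page.

```python
from statistics import median

# Constructed sample data (assumption): PCs per client and an incident log.
SEATS = {"A": 50, "B": 20, "C": 100, "D": 25}
INCIDENTS = [  # (ISO date, client, incident type)
    ("2016-05-03", "A", "virus"),
    ("2016-05-17", "C", "malware"),
    ("2016-05-20", "C", "virus"),
    ("2016-06-02", "B", "malware"),
    ("2016-06-09", "B", "virus"),
    ("2016-06-21", "C", "malware"),
]

def monthly_counts(incidents, clients):
    """Count incidents per month per client, keeping explicit zeros.

    A client with no incidents has no rows in the log; without the zero
    entries it would drop out of the peer baseline and skew it upward.
    Months are taken from the log, so a month with no incidents at all
    for any client does not appear.
    """
    months = sorted({date[:7] for date, _, _ in incidents})
    counts = {m: {c: 0 for c in clients} for m in months}
    for date, client, _kind in incidents:
        counts[date[:7]][client] += 1
    return counts

def peer_report(incidents, seats):
    """Compare each client's monthly rate per 100 PCs with the median of its peers."""
    report = []
    for month, per_client in monthly_counts(incidents, seats).items():
        rates = {c: 100 * n / seats[c] for c, n in per_client.items()}
        for client, rate in rates.items():
            # The peer group excludes the client being measured.
            peers = [r for c, r in rates.items() if c != client]
            baseline = median(peers)
            report.append((month, client, per_client[client],
                           round(rate, 2), round(baseline, 2), rate > baseline))
    return report

if __name__ == "__main__":
    print("month    client  count  per100  peer_median  above_peers")
    for row in peer_report(INCIDENTS, SEATS):
        print("{:8} {:7} {:5}  {:6}  {:11}  {}".format(*row))
```

The `above_peers` column is the figure a non-technical owner can act on; the raw count alone hides that two incidents on 20 PCs is a worse result than two on 100.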

This methodology is so powerful because it gives owners or executives responsible for IT security actionable data that they can relate to. If they have more malware than their peers, it becomes clearer to a non-technical person that a change needs to be made. If the IT resource can then pinpoint where the differences are between them and their peers, approving a specific action to get better results becomes a lot more justifiable.

The dynamics of this approach are hard to communicate in a short paragraph. What we have seen is that while the severity and sophistication of security incidents reported in the news has increased over the last 24 months, our clients have methodically lowered their risk profile. Many have experienced this without increasing IT security spending by even $1. What comparing results to peers and bringing open accountability has done is create a culture of security awareness and accountability across many organizations and industries. It is this culture and user action that has been the biggest ‘second order’ effect of sharing security results in this manner.

Over the last 24 months we have helped various organizations eliminate or greatly reduce the effect of malware, viruses, and data breaches in their environment. Our clients have seen these results with relatively modest network security budgets. We conclude that great, even outstanding, network security is possible independent of large capital spending or dedicated IT security specialists.

We would be pleased to release our best practices related to network security, at no charge or obligation, to any interested party.