In a business climate that is increasingly intolerant of any new “spend,” it can be difficult to convince the CFO to fund an IT initiative – even one that has clear short- and long-term value to the company.

While security budgets have fared relatively well in these difficult times, it would be a gross miscalculation to assume that even these critical investments don’t need rock solid justifications.

If you try to secure funding by taking the classic “security equals insurance against bad things that might happen” approach, it is very difficult to justify new programs. As a result, many companies continue to live with unnecessary risk and expense.

But there is hope – an automated access assurance program can help you effectively and efficiently manage user access and compliance across hundreds, even thousands, of applications while lowering costs; improving security, user productivity and business agility; and achieving a state of continuous compliance.

Despite the obvious need for this type of solution in every enterprise, customers often need support in the justification process.

To this end, Courion has developed a unique process in which we help IT and security staff develop access assurance programs to ensure that the right people have the right access to the right resources and are doing the right things and that security and compliance work is done both effectively and efficiently. An incremental approach is taken that defines and deploys strategic solutions in tactical steps – each one fitting neatly into the customer’s existing expense, capital and cash budgets. This is what we mean by “self-funding” identity management or access assurance. These programs speak directly to the issues the CFO cares about – managing risk, achieving ROI and operational efficiencies, and realizing other core benefits that will be gained both immediately and over the long term.

The four steps we take customers through for planning and justifying an access assurance framework include:

1. Education: Identify the key business problems you need to solve. Which benefits of an automated access management strategy are most critical to your particular organization and can they make an immediate impact on efficiency? Effective controls? Efficient security operations? Enabling business operations? And what tools are required? This is not necessarily exclusive to access management tools, and can include technologies such as DLP and SIEM.

2. Discovery: Identify the business and technical context where labor is being expended and where automation will yield significant returns. For example, are you divesting or growing your staff? Are you retiring infrastructure?

3. Planning: Outline the following:

a. Financial Policies and Constraints: What does it mean when the CFO says “no new projects”? Does he mean no improvements, or no incremental expense or cash funding is available? What are the policies for capitalization? When do you need to attain efficiencies to offset expense without impacting different types of budget cycles?

b. Requirements: What specific control issues need to be addressed?

c. Risk-based gap analysis: What is your risk and compliance posture today? Contrast this with where you would be if you could automate controls.

d. Value-based prioritization: Prioritize the process based on a phased approach that balances controls achieved against costs avoided.

4. Self-funding: Through this planning process, our customers are able to create access assurance programs that address immediate risk and audit requirements and achieve the fastest “route to nirvana.” It is an iterative planning and deployment process that takes specific consideration of all budgets and how different stages of the program impact them.

Courion customer case studies highlighted at our annual user conference, CONVERGE 09, as well as Burton Group’s Catalyst Conference 2009, demonstrate that this approach is

You do not have flash or javascript support.

Average (0 votes)

Reply