"Security has to be driven from a business perspective, i.e., security measures should match the need"
Maximizing Cost Efficiency for Information Security
The importance of information management cost has increased with the growing use of electronic information, and it is becoming increasingly difficult to ignore the cost of securing that information. Information security costs are difficult enough to justify when things are going well. So, we need to think about how to reduce information security costs while ensuring that we maintain sufficient controls against risk.
Before starting a journey on Information Security, it is imperative that we understand that effective Information Security has to be driven from a business perspective, i.e., security measures should match the need. This implies that, alongside the need for information security, not only the costs of information security measures but also the added value of the implemented measures should be evident. The need for security must be based on the business risk, which the organization should identify through risk assessment.
Organizations control the cost of security by looking at whether all information and IT services are of equal importance to the organization or exposed to the same level of risk. There will certainly be cases where the cost is not appropriate because it exceeds the importance of the information or IT services. In such cases, organizations will have to accept the security risks and, with them, the costs associated with security incidents when those occur. Organizations therefore need to invest in understanding the tools to be used for securing information and the best practices to be followed for implementing Information Security controls, be it Physical Security, Access Control, Network Usage, Application Security, Remote Access or protection against malicious code, etc. This helps organizations look for comprehensive tools that cut across threats, which helps them not only cut down on expenses but also have a seamless product.
Another very important cost is the manpower cost. Again, though this can't be done away with, it can be controlled. To control this cost, organizations need a clearly defined structure for all those who would be part of the Security Group within the organization. Forming a group with an adequate number of members can at times be a tricky affair, since a smaller group may not be able to adequately manage and control all security aspects, and a larger group may be redundant. For this reason, it is generally recommended that resources who can cut across different functions and represent business needs be made part of this group.