How to Stretch Your Security Dollar

Unexpected ways to get additional ROI from security, business continuity, disaster recovery and compliance investments

Like the airbags in your car, a substantial amount of IT time and resources goes into preventative and protective tasks: things like security, compliance, business continuity and disaster recovery (BC/DR) that, while imperative, aren't necessarily producing any direct ROI, productivity, or other benefits during "uneventful" operations.

To be fair, the gear is bound to be earning its keep given the perpetual torrent of virus- and spam-laden email and DDoS attacks, not to mention that failing compliance audits can mean big fines. Even so, it's arguably more of a "preventing losses, minimizing expenses" kind of ROI.

And all these preventative and protective measures add to IT budgets, which are already tight.

"These expenses can run between five and ten percent of an annual IT budget -- not chump change. That covers ongoing expenses, not including initial purchase of hardware, software, or generators for DR sites," notes Beth Cohen, a Hot Technology Thought Leader (that's a real title) at TAC Advisory, whose career includes having been CIO and CTO at various startups, and before that, Director of Engineering IT at BBN.

Your disaster recovery hardware and software costs can be "anywhere from twice the costs of your production environment down to a much smaller amount, depending on the size of the production environment and on your recovery point and time objectives for the DR environment. If you are looking for full business continuity, it will be expensive," Cohen points out.

Find Other Uses

Do you ever wonder whether you could be getting some ROI on these investments when they're not being invoked for their primary purpose? Could you recoup some of the costs, helping these facilities pay for themselves, perhaps by saving money, improving productivity, even generating revenue?

The answer, according to a mix of consultants, users and vendors polled, is, in general, yes ... sometimes enough to recoup the costs of the tool involved.

"You may buy for one reason, and can get double or triple the value from 'side effects,'" observes Jim Cuff, VP of strategy, Iron Mountain Digital. "For example, if you get an email management solution in order to provide continuity, it may also reduce the size of your Exchange storage platforms."

Here's what some IT managers, consultants, and vendors said:

On Business Continuity Gear, Data

Having systems and datasets sit around unused isn't going to prolong their useful lifetime; you might as well put them to work, like putting stored food or a full-size spare tire into the rotation, as it were.

"We see customers wanting to be able to leverage that second copy for test and development, to repurpose that data for reporting, for data mining, for BI, et cetera," says Rick Walsworth, Director of Product Marketing, EMC Cross Platform Replication, EMC Corp.

"We have customers using their Disaster Recovery sites for active workloads, e.g. batch jobs, non-production applications, even splitting production applications," notes Jon Bock, Senior Product Marketing Manager, VMware, Inc.

Not surprisingly, virtualization is a big enabler in alternate-purposing these systems. "The biggest we've seen is in Disaster Recovery," says Lew Smith, Product Manager, Virtualization Solutions for Interphase Systems. "Using virtualization, organizations can complete additional work in their DR site such as pre-production activities including software development, proof-of-concept prototyping, testing, and QA."

Since you must keep your DR site current in terms of patching, using these machines instead of additional non-production machines also helps avoid the operating expenses of keeping these additional systems patched and updated, Smith notes.

"Take the next step and use those resources as long as you're paying for them," urges Greg Schulz, founder and senior analyst of the StorageIO Group. "Use them for part of your active environment, like load balancing, test and develop and QA, and backup, not something you have just in case."

Use Security Tools to Save Bandwidth, Improve Productivity

Security appliances don't just provide security; many of the tasks they're doing anyway, or can be doing, also offer non-security benefits that reduce network and IT costs. Examples include performance and bandwidth management, and enforcing acceptable use policies, such as blocking access to specific websites and applications or restricting user access to lunchtimes and after-hours.

"Our UTM suite includes the ability to develop an AUP and control the sites that employees are allowed to go to," notes John Gordineer, Director, Product Management for Network Security, SonicWALL, Inc. "And we can set up schedule-based rules, and also have password access for different types of sites. So our Internet content filtering is a productivity tool."

Anecdotally, reports Andrew Rubin, CEO, Cymtec Systems, some solutions traditionally bought for security or other company-specific reasons are being leveraged in other ways. "There's a lot of cross-over now among compliance, enforcement and performance," says Rubin. "For example, we used to talk about 'what a user can/can't do, access,' and that was almost entirely a policy or compliance discussion. Now, it's also a conversation relating to bandwidth consumption and infrastructure, the economic impact. And tools they may have bought for other reasons now also become useful for day-to-day enforcement."

Turning up Unnecessary Redundancy, Inefficiencies

The process of planning business continuity and resiliency can lead to immediate, ongoing savings, according to John Pironti, Chief Information Risk Strategist, Archer Technologies.

"When creating and adding new business processes, people often do not realize that these resources already exist," says Pironti. "Key tasks in planning a business continuity and resiliency strategy are asset identification and business process mapping. Companies will often uncover a lot of redundancy and inefficiency, including duplicate elements in your data or infrastructure. Once collapsed, you can significantly reduce the ongoing costs and complexity of business processes and activities, as well as ensure accuracy of data stores and structures. Performing asset identification and business processing mapping reduces the cost to provide resilience."

Databases are often the biggest culprit, according to Pironti. "You find that many are not accurate, or synchronized, with what is supposed to be the same data."

How much unneeded redundancy (some redundancy may be legitimate rather than unintended) might this kind of inspection turn up?

"Typically you can find ten to fifteen percent, but I have seen up to thirty percent unnecessary and redundant data and infrastructure uncovered in one of these exercises," says Pironti. In addition to reducing costs, Pironti also points out, "Identifying redundancies that can be eliminated helps the CIO or CTO show that they are being diligent in pursuing efficiency."

Tools purchased for compliance management can also help identify redundancies and other inefficiencies, notes Scott Wisniewski, Director at Protiviti Inc., a business consulting and internal audit firm.

"If you are automating your compliance activities, the same analytical tools, when pointed at different activities, can help streamline business processes," says Wisniewski. "For example, you can identify duplicate payments to multiple vendors, provide revenue assurance, especially in retail, and analyze your supply chain to avoid disruption. You can even make better prioritization decisions in your application portfolio management, like which projects will yield the best return on use of budget and resources."

Turning Requirements into Business

One possibility -- admittedly not for everyone -- is to take your facilities, and knowledge, and resell them, turning them into an external business offering. "Solving a problem for your own company may help you spawn new business products and services," says Tom Sweeney, CCP Operations Director, Managed Services Group, Logicalis Inc.

"We found that in developing our own BC/DR service to meet our own audit and compliance requirements, it's become a service we sell -- designing BC/DR plans, offering BC/DR as a managed service, and selling hardware," says Sweeney. "We're SAS70-certified, will be HIPAA-certified and are looking at becoming PCI-certified. Our customers have the same requirements. Over the past three years, as we start meeting new Federal requirements for disaster recovery, we're seeing more and more opportunities for us to market that service to the industry. We've identified key third party companies whose services we're now marketing to our customers."

Ask and You May Receive

While these additional benefits may be there, obvious or lurking, "Make sure they're really there," cautions Iron Mountain's Jim Cuff. "Sometimes you assume you're getting additional things, but they aren't there. If you go in looking for or expecting these added benefits, make sure you confirm exactly what you're getting."
