Security Investments Can Be Profitable

I was searching for more information on IT Governance, Risk and Compliance (GRC). This was stimulated by my inquiries about e-discovery and some work I am doing for an RFP.

Gary Audin

September 15, 2008


I found that those enterprises that have mature GRC policies and operations are financially more successful than those enterprises that do not have mature policies and operations. I came to this conclusion when I located the IT Policy Compliance Group at www.itpolicycompliance.com.

Many IT organizations see security investments as insurance--no financial return, just preventing problems and financial loss. As regulations increase, IT is affected by about 99+% of the regulations--regulations that require new knowledge and investments.

In my previous blogs, VoIP, E-Discovery and Law and Planning for VoIP E-Discovery, I learned that all forms of electronically stored information (ESI) are part of the e-discovery process, which can include VoIP calls, conferences and call center recordings. So collecting, storing and protecting the ESI becomes another responsibility of IT.

The IT Policy Compliance website describes itself as "dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources."

The web site has a guidance icon with about 2 dozen documents that cover subjects from leadership to best practices to what works to organization.

The site also has a link to a report, "2008 Annual Report: IT Governance, Risk and Compliance--Improving Business Results and Mitigating Financial Risk".

GRC is about the balance of investment and risks. The chart below covers the business factors relating to the enterprise's success and risk and the enterprise's maturity in security investments and operations. The impact of the reinvestments on the enterprise's business success is presented.

The 2008 Annual Report analyzes and digests research performed with more than 2,600 organizations worldwide. The report, partially summarized in the chart, demonstrates the IT GRC maturity of enterprises and how this maturity level relates to the business outcomes.

Reprinted from the "2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk"

Level 1 is the least mature while level 5 is the most mature in security investment and operations. The results are compared to level 3, the average. Customer satisfaction is +8.7% for level 5 and -8.7% for level 1. Revenue is + or - 8.5% and profits + or - 6.9% compared to the average, level 3. What I also found interesting was that the "Financial risk from disrupted business operations" was 0.2% of revenue for level 5 compared to level 1 at 10% of revenue. The "Financial risk from customer data loss theft" for level 5 was 0.4% of revenue compared to level 1 of 9.6% of revenue.

So as you plan to migrate to VoIP/IP Telephony and eventually Unified Communications, consider your security investments. Look for security and compliance features in your vendor's products. Explore security devices that are not part of the VoIP/IPT product lines that will improve security. Do not under-invest in security.

My conclusion is that investing in security and operating properly will, in the long run, more than pay for itself. It will also retain the enterprise's reputation as one that is good to do business with in the future. If I know of an enterprise that has had significant security problems, I will be hesitant to do business with them. I may not want to buy stock in them either.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.