Posts Tagged ‘Business Security’

Lenovo to Ship Notebooks with Computrace® for Intel Anti-Theft PC Protection

Tuesday, December 2nd, 2008

Absolute Software announced today that its Computrace product will be built into the hardware level of select Lenovo ThinkPad T400 notebooks, the first notebooks to ship with support for Intel’s Anti-Theft PC Protection and Computrace built right in. The new products will be available starting in December.

Select Lenovo ThinkPad T400 notebook computers will ship with Absolute Computrace and Intel Anti-Theft PC Protection “ready”, needing only to be activated by a company’s IT department. The Anti-Theft PC Protection extends the capabilities of Computrace. For example, if a computer does not “check in” with the Absolute Monitoring Center within a specified time period, the notebook can automatically lock down. That would make it unusable unless unlocked by an authorized user. Additionally, if a notebook is lost or stolen, data can be deleted remotely and the lockdown can happen automatically when the computer “checks in”.

“Absolute is excited to work with industry leaders to further drive anti-theft technologies into the marketplace – ensuring that joint Absolute, Intel and Lenovo customers have a secure computing experience,” – John Livingston, CEO of Absolute Software.

Computrace was previously made available in Lenovo ThinkPad T43 notebooks at the BIOS level, so that the security services could not be removed by simply reformatting or replacing the hard drive.

Continue reading the press release here.

Can Security be Measured in ROI?

Thursday, September 4th, 2008

Bruce Schneier has written a great article on the use of ROI (return on investment) in business security decision making. Under an ROI model, businesses would invest only in security solutions that had a positive ROI, that is, where the money gained (realized or unrealized) is higher than the cost invested. When comparing options, a company would choose the one with the greatest return for the stockholders.

So the question remains – do ROI models accurately determine if a security investment is “worth it”? Bruce Schneier notes:

“‘ROI’ as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.”

A data breach would have associated costs, so preventing one would have cost savings. This does impact the bottom line, although it’s an intangible figure. As Schneier notes, though many security vendors provide an ROI model to meet the business demand for this measurement, those numbers cannot accurately reflect the figures for your own business.

So, how do you measure security investment?

  • Don’t spend more on a security problem than it’s worth
  • Don’t ignore security problems that cost money if cheaper mitigation alternatives are available

One option is to use annualized loss expectancy (ALE), a model that calculates the cost of a security incident (tangible & intangible) multiplied by the chance of that incident happening in a given year. This model will tell you what to spend to mitigate the risk. However, the model relies on good data, and it’s difficult to apply that to all areas of IT security. When it comes to cybersecurity, not enough data about crime or effectiveness of countermeasures exists to create an accurate model. The model also cannot anticipate large / expensive security issues.
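The ALE calculation and the two spending rules above, worked through as an added example (not from Schneier's article or the original post). The incident cost, control names, costs, effectiveness figures and probabilities are all constructed, and modelling a control as removing a fixed fraction of the risk is an assumption. It shows how the buying decision changes as the uncertain yearly probability moves, which is why the result is a guideline only.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    annual_cost: float    # yearly cost of the countermeasure
    effectiveness: float  # assumed fraction of the risk it removes (0..1)

def ale(incident_cost, annual_prob):
    """Annualized loss expectancy: incident cost x chance per year."""
    return incident_cost * annual_prob

def net_benefit(control, incident_cost, annual_prob):
    """ALE reduction minus control cost; negative means overspending."""
    reduction = ale(incident_cost, annual_prob) * control.effectiveness
    return reduction - control.annual_cost

def best_option(controls, incident_cost, annual_prob):
    """Pick the control with the highest positive net benefit.

    Returns None when every control costs more than the loss it
    prevents (rule 1: don't spend more than the problem is worth).
    """
    if not controls:
        return None
    value, name = max(
        (net_benefit(c, incident_cost, annual_prob), c.name) for c in controls
    )
    return name if value > 0 else None

def sensitivity(controls, incident_cost, probabilities):
    """Decision at each plausible probability, since the true one is unknown."""
    return {p: best_option(controls, incident_cost, p) for p in probabilities}

# Constructed sample figures, not real data.
INCIDENT_COST = 500_000  # tangible + intangible cost of one incident
CONTROLS = [
    Control("disk encryption", annual_cost=8_000, effectiveness=0.6),
    Control("managed DLP suite", annual_cost=60_000, effectiveness=0.9),
]

if __name__ == "__main__":
    for p, choice in sensitivity(CONTROLS, INCIDENT_COST, [0.01, 0.05, 0.5]).items():
        print(f"p={p:<5} ALE={ale(INCIDENT_COST, p):>9,.0f}  buy: {choice}")
```
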

So, the end result of all this is to trust your own analysis based on your own numbers and to use results as a general guideline only. Use your numbers along with sound risk management and compliance strategy when deciding on what security solutions you buy.


Compliance Spending Found Profitable

Friday, August 29th, 2008

The IT Policy Compliance Group (IT PCG) has published its annual report on IT Governance, Risk and Compliance. The 2008 Report, which can only be downloaded by members, looks at research conducted with more than 2600 organizations.

According to the published brief, security and compliance spending can lead to higher profits, lower expenses and improved customer satisfaction. Although many companies dread spending on compliance and security, even with the risks associated with cost-cutting methodologies, the report indicates that companies that move up the IT governance, risk and compliance (IT GRC) maturity scale are seeing a high return on their efforts.

IT GRC encompasses practices to deliver greater business value from IT strategy, investment and alignment, as well as mitigating risk and conforming to compliance mandates. What the data shows us is that IT GRC-mature companies enjoy higher revenues & profits while spending less on regulatory compliance. These best practices also lead to a reduced risk if a data loss were to occur: 0.4% of revenue in mature organizations vs. 9.6% for less mature companies.

Those companies considered most mature were not necessarily large businesses, but businesses that have effectively adapted security process frameworks to their businesses. Less-mature companies tend to over-focus on operational process frameworks.

You can continue reading about this report from Network World, where there’s a great overview.
