An article by Marcia Savage published in Information Security today caught my eye: “PCI Costs Slow Compliance Projects in Down Economy.” The article describes how, in an economic downturn, financial services companies will look for ways to spend less (yes, less) on PCI compliance. Quoting commentary from Larry Ponemon (whose Ponemon Institute just released a study on the cost of data breaches), the article points out that many firms are cutting their security budgets drastically and favoring revenue-generating initiatives instead.
There’s a consistent theme here – very much in line with the results we saw from our SailPoint Market Pulse Survey, published in December. Security and compliance teams are caught in a vicious squeeze between the need to protect the enterprise and cut budgets. One of the top risks cited by our respondents was the nearly impossible task of maintaining or strengthening security and compliance with shrinking budgets (the old, familiar “do more with less”).
As frustrating as this sounds, I think there is a pragmatic course that many companies can take – particularly in areas where they are still using homegrown, manual, or paper-based processes to meet compliance requirements. In working with customers over the last two years, I’ve seen ample evidence that replacing first generation compliance “processes” with automated software really does allow organizations to “do more with less.” With automation, it’s possible to both strengthen controls (make the auditors happy) and improve efficiencies (save money). The cost savings can be significant – reduced time spent by IT on data gathering, reduced time spent by business and audit staff on review and oversight, elimination of the need to maintain customized internal software, reduced time required to remediate problems.
What do you think? Identity Governance: tastes great – and less filling! (Wait, that’s been done…)