Expertise Beyond the Numbers

Balancing IT Security with Limited Budget and Resources

As the world continues to evolve, organizations of all sizes rely more and more on the implementation of new technologies. New technology may offer many benefits such as improved efficiencies in processes or an increase in information technology (IT) security. However, not every company has the ability to add such technologies. Some companies struggle to maintain an acceptable level of IT security on a reduced budget. Even with limited funding and resources, there are ways to reduce your organizations IT security risk.

There are several reasons why investments in IT security may be limited. From a fiscal perspective, an organization may have limited available funds or an unbalanced distribution of funding. From a resource perspective, your organization may have limited full-time equivalents (FTEs), contractors, or experience to help manage IT security.

These issues may cause a strain on resources when operating an organization on the premise of doing more with less. Operating IT security with insufficient funding or resources may increase risk in IT operations by not assigning enough resources to perform IT security related tasks. Strained resources may also lead to gaps in IT security controls through the inability to enforce requirements of key processes that reduce IT security risks.

There are a few ways to help minimize and reduce IT security risks when working with limited budgets and resources including performing an Organizational-Wide IT Risk Assessment (ITRA) and adding supplemental resources.

An ITRA is used to identify, estimate, and prioritize IT related risks to operations, organizational assets, individuals, and other organizations. The purpose of an ITRA is to inform the decision makers, while providing support by identifying:

  1. Information technology general controls (ITGCs) and application controls
    1. ITGCs are the controls over the IT environment, computer operations, program development, program changes, and access to programs.
    2. Application controls are controls over that processing of the application
  2. Threats relevant to the organization
    1. Any natural, human, or environmental source that exploits the identified vulnerability
  3. Vulnerabilities internal and external to the organization
    1. Internal vulnerabilities operates inside of the business firewall(s)
    2. External vulnerabilities operates outside the business firewall(s) looking for access points into the organization’s secured area
  4. Impact to the organization
    1. If the threat were to occur what type of impact will it have on the organization
  5. Likelihood that harm will occur
    1. If the threat were to occur what is the likelihood it will cause harm to the organization

Once each of these four items are gathered and assessed against relevant controls, a maturity level is evaluated and assigned.

A successful ITRA provides a complete overview of the degree of IT related harm and the likelihood of such harm occurring to your organization. This overview will provide IT senior leadership with information needed to help prioritize these security issues. The same information presented to IT senior leadership can be presented to executive management to help determine potential courses of action in response to the identified risks.

When dealing with limited funds and resources, organizations should take a strategic approach to reduce and minimize risks. Performing an ITRA offers such a solution, by allowing organizations to identify and address critical, high-risk areas, using a methodical approach.

Another technique to help minimize risk associated with IT security, when dealing with limited resources and funding is by adding supplemental resources, better known as co-sourcing. Co-sourcing is the act of an organization outsourcing some of its internal functions. Co-sourcing allows an organization to maintain control of operations while minimizing cost when compared to hiring an FTE.

Having in-house FTEs available to meet every need presented by IT security or internal audit is inefficient and often not practical when resources and budgets are limited. This process is inefficient and not practical, because an organization may not be utilizing the skill set of the FTE constantly.

Co-sourcing IT security reviews offers the flexibility of contracting consulting firms when a specific skill set is needed to identify, review, and address specific risks. An organization can perform a temporary hire of a contractor that is considered a subject-matter-expert (SME) in the field being reviewed. This provides the organization with flexibility on bringing a contractor in to perform a specific function to reduce risks, without having to hire an FTE. Although organizational funding and resources may be limited, that does not mean you should compromise on IT security risks. Addressing potential IT security risks now, prior to it becoming an actual issue, will save the organization money in resolving the issue and any reputational damage that may arise if a threat is exploited. The two areas of focus in this blog, ITRA and co-sourcing, are just a couple of the many techniques that can be utilized to address IT security risks when funding and resources are limited.

For additional details and examples on of how your organization can reduce IT security risks on a limited budget and with limited resources, please contact our risk management team.