Tuesday, February 02, 2010

Justifying a Security Audit

How do you justify hiring an outside, independent security auditor to perform an assessment of your organization's technology systems? It is an easy decision if you've been hacked and you want the peace of mind knowing that your systems are now secure. It is also an easy decision if you are in a compliance related industry that mandates annual security audits. What do you do if you don't fall into one of these categories? How do you justify bringing in an outside auditor?

In many instances, security audits provide both tangible and intangible benefits. For example, an outside security audit of your systems demonstrates to prospects your commitment to protecting their data. By being proactive, you gain a competitive edge which helps you close more deals. If, in talking with your prospects, you find you can close 5% more deals, you can quantify the benefit of the security audit as it relates to your sales and marketing activities.

Security audits can also help protect your intellectual property (IP). For example, if you have a staff of programmers and estimate the value of your custom code at millions of dollars, you'll want to ensure that the proper controls are in place and working with sufficient effectiveness to protect your IP assets. A loss of your IP could result in significant damage to your company, resulting is a drop in revenues of 25% or greater.

Many organizations are only worried about hackers and external threats. However, studies have shown that your employees are your greatest risk since they already have access to your systems. By reducing your internal security risks, you lower your costs and increase employee efficiency. Management also has the peace of mind knowing that your information is secure from both internal and external threats.

Security audits provide a bottom line return on the investment by increasing your revenues, protecting your intellectual property, reducing your risks, and enhancing your image and reputation.