
Exploring the science and magic of Identity and Access Management
Thursday, April 25, 2024

GDPR: A Cost vs. Benefit Analysis

Author: Mark Dixon
Tuesday, April 24, 2018
8:34 pm


With the May 25th enforcement date for GDPR looming before us, it is easy to focus on the huge investment companies are making in efforts to comply.  

However, an Information Week article authored by Dimitri Sirota, CEO and Co-founder, BigID, offers a brighter picture:

The International Association of Privacy Professionals estimates that Fortune’s Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet, viewing GDPR through the lens of compliance cost alone doesn’t reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial cost association with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

Sirota proposes tangible business benefits arising from work towards GDPR compliance (selected excerpts are shown):

Understanding the customer

First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.

Cyber insurance and civil action savings

Companies mandated to comply [with GDPR], and those showing proof of compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs. …

A hard rule on public disclosure is understandably daunting, but the role GDPR will play in helping companies better understand what data they have, its risk and how to protect it, will prove greatly beneficial to avoiding a breach altogether.

Minimizing response costs

Through increased data visibility required for compliance, funds spent on determining who exactly was affected by a breach will be all but eliminated.

In conclusion, Sirota takes the optimistic view:

GDPR aims to provide better consumer accountability through better data accounting. Ultimately, this helps build trust between a company and its customers. However, in a very real financial way it also has economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and better extract value from its customers. GDPR at first blush looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and value.

I am a fan of looking for business benefits of security and compliance beyond reducing risk.  I think the most important benefit that Sirota proposes is understanding the customer because of better understanding of their data.  I really like how he puts it:

Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.

Thanks for the insight, Dimitri!


Cyber Security as a Business Enabler

Information Security
Author: Mark Dixon
Thursday, April 19, 2018
11:28 am


This morning, I reviewed a proposal for improving a company’s security against data breach.  The main reasons given for the investment in security technology were:

  • Improve security posture
  • Reduce risk for internal and external data breach
  • Increase compliance reporting capability
  • Increase confidence by locking down data

These are all valid reasons for making the proposed investment, but shouldn’t there be more? Doesn’t good security support good business results in a positive way?

By happy coincidence, just before I reviewed the proposal, I read a thought-provoking article, “Reframing Cybersecurity As A Business Enabler,” published by Innovation Enterprise.  The introductory paragraph states the obvious:

Innovation is vital to remaining competitive in the digital economy, yet cybersecurity risk is often viewed as an inhibitor to these efforts. With the growing number of security breaches and the magnitude of their consequences, it is easy to see why organizations are apprehensive to implement new technologies into their operations and offerings. The reality is that the threat of a potential attack is a constant.

But rather than dwelling on the problem, this article challenges traditional thinking:

Though the threat is real, instead of viewing cybersecurity in terms of risk, organizations should approach cybersecurity as a business enabler. By building cybersecurity into the foundation of their business strategy, organizations will be able to support business agility, facilitate organizational operations and develop consumer loyalty.

The article explores each of these three business value areas in more detail. I have included a brief excerpt in each area:

Security supports business agility

Instituting strong security measures enables organizations to operate without being compromised or slowed down. Companies that invest in cyber resilience will be better able to sustain operations and performance – a definite competitive advantage over those caught unprepared by an attack.

Security facilitates business productivity

One survey of C-level executives revealed that 69% of those surveyed said digitization is ‘very important’ to their company’s current growth strategy. 64% also recognized that cybersecurity is a ‘significant’ driver of the success of digital products, services, and business models. 

Security develops customer loyalty

PricewaterhouseCoopers’ 21st Global CEO Survey found that 87% of global CEOs say they are investing in cybersecurity to build trust with customers. 

I recognize the need for strengthening security defense mechanisms for the sake of risk mitigation. However, if we restrict ourselves to the traditional “security as insurance policy” mindset, we are missing the greater value of good information security in supporting positive business success. 


Value of #IoT in Public Sector

Internet of Things
Author: Mark Dixon
Monday, May 12, 2014
2:50 pm


The future of the Internet of Things will depend on how much real value can be realized from highly connected systems.  I enjoyed reading the Information Week article “Internet of Things: 8 Cost-Cutting Ideas for Government,” which reported on a Cisco study, “Internet of Everything: A $4.6 Trillion Public-Sector Opportunity:”

The virtual connection of data from people, processes, and things — the Internet of Things, or as Cisco calls it, the Internet of Everything (IOE) — promises a world of new economic opportunities. Now a new study has put a value on that opportunity and concludes that the public sector could see as much as $4.6 trillion in IOE-related savings and revenues worldwide over the next decade.

Eight areas with the most potential value are listed below, with potential 10-Year Value shown in parentheses:

  1. Smart Parking ($41 billion)
  2. Water Management ($39 billion)
  3. Gas Monitoring ($69 billion)
  4. Chronic Disease Management ($146 billion)
  5. Road Pricing ($18 billion)
  6. Telework ($125 billion)
  7. Connected Learning ($258 billion)
  8. Connected Militarized Defense ($1.5 trillion)

Those are big numbers!

The estimate is separate from $14.4 trillion in additional value Cisco predicts the private sector will derive from new efficiencies and services resulting from data linkages over the Internet.

“If you look back a decade from today at the impact of the Internet of Everything, I predict you will see it will be five to 10 times more impactful than the whole Internet has been today,” said Cisco CEO John Chambers.

Whether or not Cisco is completely correct in its analysis is somewhat beside the point.  There are huge opportunities for innovation and application ahead of us.





Business Value in Cloud Computing

Cloud Computing
Author: Mark Dixon
Friday, May 10, 2013
9:40 am


In a recent Forbes article entitled, “The Cloud Revolution and Creative Destruction,” Oracle’s Bob Evans put cloud computing in perspective (my emphasis added):

We’ll begin to see the real creative-destruction power of the cloud unleashed when we begin to define the cloud in terms of what business customers want and need, and when we stop diddling around with inside-baseball constructs that mean little or nothing to the businesspeople who are ready to spend many tens of billions of dollars on cloud solutions that focus on and deliver business value. …

That’s the real magic of the cloud: it lets businesses rethink where and how they deploy their precious IT dollars, and allows those businesses to focus more of their IT budgets on projects that truly matter.

Business value.  Focusing here makes cloud computing worthwhile.


The Business Justification for Data Security

Information Security
Author: Mark Dixon
Wednesday, March 7, 2012
12:23 pm

Recently, Jack Crail and I gave a joint presentation at the SecurePhoenix event sponsored by (ISC)², the folks who oversee the CISSP certification.


Our presentation was based on a whitepaper entitled “The Business Justification for Data Security,” published by Securosis, which outlined a five-step process for evaluating data security investments, mapping the potential investment to business needs and building a business justification case.

More to come as I explore some of these topics …


Business Value from Identity and Access Intelligence

Business, Identity
Author: Mark Dixon
Wednesday, April 27, 2011
4:27 pm

It was almost two months ago when I first mentioned on this blog the term coined by Gartner, “Identity and Access Intelligence.”  I have been thinking much lately about the real business value enterprises can derive from this discipline, and will attempt in this post to enumerate and comment on such benefits.

As good fortune would have it, my Oracle colleague Nishant Kaushik shared with me a copy of a presentation deck he used recently, entitled, “Identity Intelligence to Drive Business Objectives.”

For the purpose of this discussion, we will use the term “IAM Intelligence” to refer to “Identity and Access Intelligence” or “Identity Intelligence”. Furthermore, we will regard IAM intelligence to include tools for IAM data collection, aggregation, analysis, presentation and automated action, coupled with the human processes for seeking to understand, present and act on that data – the transformation of data into actionable intelligence.

Earl Perkins of Gartner put it this way:

IAM intelligence is more than knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.


Primary Business Benefits

The following major business benefits can accrue from IAM intelligence.  These are roughly the same as Nishant used in his presentation, in a slightly different order.

  1. Enable Visibility and Transparency.  If an enterprise is to effectively answer the compelling questions, “Who has access to what?”, “Who granted that access?” and “How were such access rights used?”, a great degree of information visibility and transparency is needed.   The questions are simple; the process of answering them is not.  IAM intelligence seeks to answer these questions quickly and accurately, in a manner that reduces business risk and increases regulatory compliance at a reasonable cost.
  2. Support Business Decisions.  Good business decisions should be based on reliable information, not on supposition.  A client recently remarked, “We need to base our decisions on facts, not just on what we think those facts are or should be.”  IAM intelligence provides the foundation for making good business decisions based on reliable information.
  3. Turn Data into Insight, and Insight into Action.  With the expansion of IAM infrastructure for administering user, role and entitlement life cycles and enforcing access policy, the amount of relevant Identity and Access data is immense.  That raw data does little good unless we can effectively organize and analyze such data so effective business decisions can be made and intelligent action can be taken as a result.  IAM intelligence enables the transformation of raw data into actionable insight.
  4. Strengthen Identity & Access Governance. The structured method for managing IAM systems, or IAM Governance, can be made more effective if accurate, reliable, timely and actionable information is available for IAM stakeholders to make good decisions.
  5. Identify, Measure and Manage Risk.  To effectively manage risk, an enterprise must accurately identify what risks exist, create policies for dealing with such risks, and implement effective controls for enforcing those policies.  Actionable information provided by IAM Intelligence can enable enterprises to correctly identify, understand and control risk.
  6. Contain Costs. Gathering and evaluating data through manual means can be very expensive, including initial data collection, manipulation, analysis and presentation.  Automated Identity Intelligence methods can minimize costs by taking labor out of the process.
  7. Build Trust. In order for any information system to become an effective foundation for business execution, business leaders must implicitly trust the tools and processes that comprise the system.  An effective IAM Intelligence system will provide that trusted foundation that a business leader can use to guide his or her business activities.


Benefits from Automation

Why can’t we just use some smart people armed with spreadsheets to accomplish the same objectives?

  1. Accuracy. Manual methods of data collection and organization inevitably introduce errors, which at best are difficult to find and correct, and at worst, alter business decisions in unfortunate ways.
  2. Timeliness.  Manual methods often take a lot of elapsed time, causing business decisions to be delayed and needed actions to be postponed.
  3. Presentation.  While much can be done with spreadsheet graphics and reports, more powerful reporting, dashboard and presentation facilities may be available with an automated system.
  4. Repeatability.  Manual methods may vary as different people become involved at different parts of the process, causing variability in results from cycle to cycle.
  5. Auditability.  Manual methods are more difficult to audit, because of the variability in the human part of the process.
  6. Cost control.  The costs of manual methods often exceed automated processes, because the labor content of the process recurs in every cycle. Automated methods can reduce these costs.


The Bottom Line?

The overall benefit we realize from IAM Intelligence is the ability to take effective business action, based on intelligent business decisions … leading to faster, stronger business success.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.