IT cost cutting in a recession - are you now at greater risk?
Tuesday, October 20, 2009
Posted by: Jim Demitriou
By James Demitriou, special to LTW

Editor's note: This is the seventh "Executive Insight" column, a weekly
feature for Local Tech Wire as part of its partnership with the Triangle
Technology Executives Council and MMI Public Relations. Demitriou is
currently director of IT for PRA International.

RESEARCH TRIANGLE PARK, N.C. - News flash – we are in a recession.
Companies have instituted cost cutting across all organizational levels.
Survival in these challenging times is of profound concern for many
organizations, so any investment in IT comes with the greatest of
scrutiny. Yet, the old adage "pay me a little now, or a lot later" may
be more appropriate during times of economic turmoil than at times of
stability.

Stressed companies can ill afford IT disruption – competition is high,
and incidents considered minor a year ago could put a company out of
business today. Still, we continue to see IT cost cutting despite plenty
of evidence showing that IT security breaches, electronic identity
theft, data privacy violations of electronic personal health records,
denial of service and other IT-related incidents increase during times
of economic downturn.

Broadly speaking, IT exploits occurring now were likely there prior to
the recession, but the economic climate has increased the potential of
these exposures to materialize. Insider threats are greater as people
become more desperate, fewer employees are available to handle
unplanned outages/incidents, improvement projects have been delayed or
shelved, and companies are sticking with "the status quo."

Do not fall into that trap – past performance is not an accurate
predictor of the future. Even if your company does not change, IT
threats and vulnerabilities will.

It is possible to manage IT risks to an acceptable level in a
cost-conscious manner. The biggest challenge is enlightening those who
have the most to lose about the IT risks that affect them. With cost
pressures and stigma associated with IT
organizations, how do you "sell" to decision-makers the need to be
responsible with your IT?

Here are some high-level considerations to start with:

• What you do not know can hurt you. Develop a risk profile for your
organization. It is important to know where IT plays a critical role in
the strategic and operational aspects of your organization. Do not be
afraid to engage experts to lead such an exercise. You can save time,
money and possibly your company.

• Never forget the business. Always communicate risks and mitigation
strategies in terms of business impact. Map all your risks on a chart of
likelihood versus impact, so you can see the relative risk to your
business. IT and the business should work this chart collectively to
establish a shared understanding.

• You cannot do all of it at once. Make a roadmap. IT and the business
should jointly plan and prioritize how and when IT gaps in your risk
profile are addressed.

• Do not reinvent the wheel. There are competent IT best practices and
guidelines available – Control Objectives for Information and related
Technology (COBIT), the IT Information Library (ITIL), and ISO 27002
(Code of Practice for Information Security Management) are great places
to start.

• Others may do it better than you, and at less cost. Not every company
can afford to develop a mature IT competency with physical
infrastructure and staff that meets best practices. Outsourcing can
reduce your risk and costs, and provide best-of-class service in a
multiple-tenancy model. Hosted, software-as-a-service and "cloud
computing" offerings are maturing at a high rate and being increasingly
utilized by the Fortune 500. Check them out.

• Good fences make for good neighbors. Partnering with third parties can
reduce costs, and improve both your operational efficiency and risk
profile. Due diligence, agreement on solid bi-directional service level
agreements in your contracts and ongoing management are critical success
factors. Have an exit strategy if things do not go as planned.

• Move from reactive to proactive. Experience comes from making
mistakes, but you do not need to make them all yourself in order to
become educated. Benchmark your industry, network with others, and learn
from their successes and failures.

The above is intended to be general guidance. Each company is different,
and your situation could depend on several factors – including how
complex your business is and how
intrinsic IT is to your operations. Building an effective framework to
manage risk will serve you now, as well as in the future.

About the author: James Demitriou is an IT executive with more than 20
years' experience, having served as CIO for Questra Corporation, CTO for
Intellicisions Data Inc, and director of global IT risk management for
GlaxoSmithKline. Mr. Demitriou is currently director of IT for PRA
International and contributes as a speaker, panel expert, and volunteer
with the North Carolina chapter of the Triangle Technology Executives
Council.