While the newest release of nCircle Inc.’s Suite360 security risk and compliance platform contains some worthwhile upgrades, according to one industry observer, shrinking budgets might prevent most enterprises from taking advantage of it.
The newest version of the company’s Suite360 Intelligence Hub is built around a rule-based asset value assignment feature that uses a composite metric to rank both security and compliance issues by severity, as well as an asset’s value to the business.
Mark Wood, vice-president of product management and strategy at nCircle, said the system allows its customers to input simple security rules to calculate the value of their data.
“For example, a customer can write a rule that says, ‘if the IP address of this system is within this range, it must be in my DMZ and I’m going to add 200 points to the score,’” he said. “Or if it’s running SQL, it must be one of my database servers, so I’m going to add another 150 points to the score.”
As you discover assets, you build up a fairly complex system of rules, Wood said, which will be different for each customer based on the context of their business. Asset value is only useful if it’s applied across the organization consistently and objectively, he added.
Other new additions to the Suite360 platform include granular role-based access control that enables specific users to manage specific assets groups and reports; integration with Microsoft Active Directory; and flexible asset grouping that maps manageable asset inventory to business objectives.
James Quin, senior research analyst with Info-Tech Research Group, said that while most of these features can be found among nCircle’s competitors, coupling Suite360’s amalgamated functionality with the automated asset value assignment feature might give the platform a leg up on other tools currently available.
“Particularly from a security perspective, one of the things that organizations need to be concerned about in an economic downturn is spending appropriate money to protect their assets,” he said. “If my assets are worth $100, there’s no point in spending a $1,000 to protect them.”
Unfortunately, when talking with Info-Tech clients, Quin has found that most companies have a straight-out freeze on capital expenditure, no matter what type of benefits the product might offer.
“If a company out there still does have some flexibility in how they’re going about cost savings and are willing to be open-minded in investing to save, then absolutely, this kind of solution could benefit them,” he added.
“But for many companies we’ve talked to, they’re just not going to spend a dime yet.”
From nCircle’s perspective, however, companies don’t really have much of a choice. If they aren’t spending on security and compliance solutions with its platform, they will certainly have to dedicate staff resources to it.
Wood said that nCircle’s decision to include the asset value assignment feature stems from the fact that security and compliance issues will continue to exist for most enterprises, regardless of the struggling economy.
“There are still attacks and compliance mandates out there that you have to meet,” he said. “Organizations under budget pressure are looking to do all of this with fewer people and fewer resources. There is absolutely a drive toward consolidation in the industry.”
The value calculation system will give companies better prioritization of the issues that need to be addressed so the operations team can be more efficient when handling them, Wood added.
“We’re seeing customers spend money with us because they know it’s going to help them save it,” he said.
Jeffrey Wheatman, research director for information security and privacy at Gartner Inc., agreed, saying that most companies still have some operating budgets to spend, especially when it comes to compliance.
“We still see compliance as a very big driver, because the auditors aren’t going to accept an excuse like, ‘Hey, we recognize that we have some gaps, but we don’t have any money right now,’” he said. “They won’t accept that. The work has to get done.”
But according to Quin, even as senior executives and business managers demand more action-oriented reporting when it comes to security and compliance, “they are often demanding it with a cost associated with it.”
In other words, they have to be able to do this without costing the business more money, he said.