Cyber Security Planning
Imagine you’ve just moved into a new house. You walk the perimeter while examining the foundation and checking the structure. You notice there’s a side door on the garage that doesn’t bring any value to the house — it doesn’t give you easy access to a stunning patio or provide a quick path to a backyard shed. It’s just an unnecessary entrance.
So how are you going to secure it?
Your network has its own superfluous doors in the form of valueless IT: assets you no longer use or that cost more to maintain than they’re worth. Each of these doors simply increases your organization’s attack surface.
The greatest risk is the unknown risk. The right application management strategy, however, brings your assets into focus so you understand not only where you’re vulnerable but also how to fix weaknesses.
And with clearer visibility into your IT landscape, your approach to reducing risk will evolve from a tactical obligation to a strategic business driver.
A common pain point in security is the challenge of maintaining a secure posture with limited resources while attempting to support and enable current business demands. With so many assets to monitor and support, there isn’t much time left for innovation. As a result, security was until recently seen as a growth inhibitor — something that was necessary to protect the company without moving it forward.
However, recent high-profile data breaches have highlighted how important security is as a key component of growth. If you can’t protect your customers’ data, you risk losing them and their business. Even if you keep them, the business interruption will be expensive and may require extensive damage control.
The time is right for security experts to demonstrate why it’s important to invest in security, how it affects infrastructure, and why they need to be part of budget and planning conversations.
To effectively participate in those conversations, however, you need a toolset that helps you clearly explain the security landscape as well as current and future security plans.
Buy-Hold-Sell is a methodology that classifies assets using investment portfolio language that leaders across all lines of business will understand. Buy refers to valuable IT assets that advance business and merit additional investment; Hold means the asset is necessary but neutral; and Sell applies to assets that lack value, cost a lot to maintain and increase the business’ vulnerability to attack.
Think of it as a Rosetta stone for your application portfolio: Buy-Hold-Sell enables each business unit, including security, finance, and business operations, to look at a single source of truth while speaking the same language. It’s a data-driven approach that brings the view of your IT investment from muddled grey to clear black and white.
Honest, value-driven visibility helps staunch asset creep — the steady, incremental buildup of assets that over time lose their value. Companies acquire new assets annually, but it’s common for those assets to become obsolete just 12 months later. The busy organization adds more apps on top of those without stopping to reevaluate which apps drive business, which keep the lights on, and which merely increase network vulnerability.
Before the Buy-Hold-Sell methodology, it was nearly impossible to determine the value of the new apps vs. what they replaced, how they mapped across multiple business units, and what vulnerabilities old, irrelevant apps introduced. A sprawling IT landscape not only contains many potential attack openings, it also takes a lot of time, money, and effort to maintain, pulling resources from more valuable, strategic activities.
Buy-Hold-Sell identifies valueless applications and infrastructure, allowing you to decide whether you want to accept the risk or make a change. By removing the Sells, organizations simplify their IT landscape and therefore reduce their potential attack surface. The methodology also helps you understand the options for fixing the landscape, as well as how the costs associated with maintaining or eliminating the assets will ripple across the budget throughout the company.
The methodology enables you to make an educated decision about your IT efficiency. It takes guesswork and blind spots out of the equation by producing a clear, intelligent framework for thinking strategically about your assets.
Ultimately, security all comes down to people, and in most companies, there are gaps between the people who handle security, the information about the assets being secured, and the ability to communicate that information within the business.
Security must evolve from something that’s perceived as a necessary cost to a profit enabler that sets the company apart from its competition and assures customers they can trust your organization. Historically, the solution to security has been to throw money at a problem. But by managing security and the IT portfolio correctly, you’ll clarify your organization’s needs, which will save a significant amount of money and open opportunities for new strategic initiatives for long-term growth.
Increasingly, information security is a matter of public concern. Customers must be able to trust your organization, and every data breach makes them more skeptical of companies’ ability to deliver. Buy-Hold-Sell outlines the steps that will let you provide the trust that people seek. The internal security message will become, “With me by your side, our organization will be better than ever.”
Being able to articulate the security of the IT portfolio provides an opportunity to rise through the ranks to become a CIO or even a CEO. And statistics show that CIOs are becoming ever more valued members of the C-suite, with two-thirds interacting with the CEO and CFO at least once a week, according to the latest Society for Information Management IT Trends Survey. What’s more, CIOs spend an average of 46.3% of their time interacting with the business — more time than they spend interacting with their own IT team.
This is a crucial time for CIOs as the tide turns in their favor. The industry is heading toward a security model, and Buy-Hold-Sell gives CIOs the voice they need to harness a secure future.
Your IT landscape is your home away from home. When you close a valueless, vulnerable side door, you open a whole new level of business value and opportunity.