Industry Perspectives

The Cost Factor: Taking a Proactive Approach to Cyber Security ROI

Security teams are doing their best to keep employees online and secure during this extended period of working from home, but as we move towards the end of the year, budget cuts will be inevitable and security staff will invariably have to do more with less. In fact, Gartner’s senior finance leaders are suggesting teams could be facing reductions of 10% or more* this year. 

Currently there is a greater focus on proving business value and CISOs can expect this trend to continue into 2023. Now is not the time for a “head-in-the-sand” approach to security expenditure.  While recent global events may have accelerated decisions to cut costs, the concept has been brewing for some time. In 2019, we predicted a gradual move to consolidate and optimize security tools to simultaneously de-dupe and achieve cost efficiencies.

This new spotlight on costs may feel uncomfortable for many CISOs who find it difficult to prove ROI on expenditure; however, there are a few guidelines that can be put in place to help weather the storm.

roi

 

The Key Phases of Crisis Management

Early and proactive preparation for budget cuts will elevate the security function from a cost center to one that provides business value. As we begin to transition back into regular business operations, organizations will be in different phases of crisis management (Figure 1), so the first step is to identify the crisis phase the organization is working around and develop a supportive strategy. 


Figure 1: Phases of crisis management

Taking Stock of the Situation

Once it is determined what phase the organization is in, the next step is to gather relevant data that will support any cost optimization efforts. This can include:

  • Benchmarking: Create a record of how the sector is performing versus how the entire organization is performing.
  • Validating security: Every proactive plan requires setting a baseline from which to start. With security validation, output can be generated that explains how well security tools and procedures are performing. Security validation helps to identify where duplicated tools exist and where there are gaps, which will help security leaders accurately target areas where expenditure can be reduced. And because security validation is an ongoing, continous activity, teams will be able to track how tools are performing over time, which will help prove ROI.
  • Threat intelligence: Vectors such as phishing, social engineering, credential theft and nation-state attacks will operate at a different pace in volatile periods, so gaining an understanding of the threats that matter to the business is critical. Timely and relevant threat intelligence helps organizations understand what is important and what it all means, so security teams are able to prioritize and manage risk proactively.
  • Organizational goals: How have business goals changed and what are competitors doing? Using assessments to proactively evaluate your organization’s ability to effectively prevent, detect and respond to threats, and in turn, improving processes, technologies and overall security posture.

With this newfound knowledge, it will be possible to build adaptable budget scenarios that reflect an organization’s environment. These should include strategic steps to take in order to respond to each scenario, complete with a best-case and worst-case approach. 

Prioritize Investments

The results from the security validation process—combined with cyber threat intelligence—will help teams identify what they need  to test for in their environments so they can begin making the right investments. Prioritizing these investments will demonstrate to key stakeholders that the security team is achieving a balance between the need to address key areas of risk and the need to achieve business goals. Plotting the level of cyber security risk facing each department or business unit against the value it brings to the organization will not only help to communicate decisions, but will assist in the prioritization of activities.

Think Cost Optimization, Not Cost Reduction

When the focus is solely on reducing costs, teams could be missing opportunities to address issues, fix security gaps and improve overall security effectiveness. This is why we recommend taking a proactive versus reactive approach to achieving cost optimization. Elements to consider are:

  • Security contract negotiation/renegotiation: Getting the best price and terms for security purchases and consolidating vendors where necessary.
  • Security effectiveness: Identifying potential for improving processes to deliver workforce and technology efficiencies.
  • Portfolio optimization: When working at scale, investigate whether automation of procedures will be beneficial.
  • Aligning workforce skills: With a focus on assisting business recovery, this may require redundancies, additional hires, reallocation of skills or talent sharing.

In most cases, cost optimization initiatives will involve a trade-off between the cost saved and the risk associated with a change in activity. Every option should be appraised to determine whether the potential value it delivers outweighs any risks. Assessing the pros and cons will help prioritize the tasks to tackle first while minimizing risk exposure.

For more information on cost optimization techniques, download the Gartner Report, 5 Steps to Cost Optimization for Security and Risk Leaders in Uncertain Times.

*Gartner (April 2020). 5 Steps to Cost Optimization for Security and Risk Leaders in Uncertain Times.