Security teams are doing their best to keep employees online and secure during this extended period of working from home, but as we move towards the end of the year, budget cuts will be inevitable and security staff will invariably have to do more with less. In fact, senior finance leaders cited by Gartner suggest that teams could be facing reductions of 10% or more* this year.
Currently there is a greater focus on proving business value and CISOs can expect this trend to continue into 2023. Now is not the time for a “head-in-the-sand” approach to security expenditure. While recent global events may have accelerated decisions to cut costs, the concept has been brewing for some time. In 2019, we predicted a gradual move to consolidate and optimize security tools to simultaneously de-dupe and achieve cost efficiencies.
This new spotlight on costs may feel uncomfortable for many CISOs who find it difficult to prove ROI on expenditure; however, there are a few guidelines that can be put in place to help weather the storm.
The Key Phases of Crisis Management
Early and proactive preparation for budget cuts will elevate the security function from a cost center to one that provides business value. As we begin to transition back into regular business operations, organizations will be in different phases of crisis management (Figure 1), so the first step is to identify the crisis phase the organization is working through and develop a supportive strategy.
Figure 1: Phases of crisis management
Taking Stock of the Situation
Once it is determined what phase the organization is in, the next step is to gather relevant data that will support any cost optimization efforts. This can include:
- Benchmarking: Create a record of how the sector is performing versus how the entire organization is performing.
- Validating security: Every proactive plan requires setting a baseline from which to start. With security validation, output can be generated that explains how well security tools and procedures are performing. Security validation helps to identify where duplicated tools exist and where there are gaps, which will help security leaders accurately target areas where expenditure can be reduced. And because security validation is an ongoing, continuous activity, teams will be able to track how tools are performing over time, which will help prove ROI.
- Threat intelligence: Vectors such as phishing, social engineering, credential theft and nation-state attacks will operate at a different pace in volatile periods, so gaining an understanding of the threats that matter to the business is critical. Timely and relevant threat intelligence helps organizations understand what is important and what it all means, so security teams are able to prioritize and manage risk proactively.
- Organizational goals: How have business goals changed and what are competitors doing? Use assessments to proactively evaluate your organization's ability to effectively prevent, detect and respond to threats, and in turn improve processes, technologies and overall security posture.
With this newfound knowledge, it will be possible to build adaptable budget scenarios that reflect an organization's environment. These should include strategic steps to take in order to respond to each scenario, complete with a best-case and worst-case approach.
Prioritize Investments
The results from the security validation process—combined with cyber threat intelligence—will help teams identify what they need to test for in their environments so they can begin making the right investments. Prioritizing these investments will demonstrate to key stakeholders that the security team is achieving a balance between the need to address key areas of risk and the need to achieve business goals. Plotting the level of cyber security risk facing each department or business unit against the value it brings to the organization will not only help to communicate decisions, but will assist in the prioritization of activities.
Think Cost Optimization, Not Cost Reduction
When the focus is solely on reducing costs, teams could be missing opportunities to address issues, fix security gaps and improve overall security effectiveness. This is why we recommend taking a proactive versus reactive approach to achieving cost optimization. Elements to consider are:
- Security contract negotiation/renegotiation: Getting the best price and terms for security purchases and consolidating vendors where necessary.
- Security effectiveness: Identifying potential for improving processes to deliver workforce and technology efficiencies.
- Portfolio optimization: When working at scale, investigate whether automation of procedures will be beneficial.
- Aligning workforce skills: With a focus on assisting business recovery, this may require redundancies, additional hires, reallocation of skills or talent sharing.
In most cases, cost optimization initiatives will involve a trade-off between the cost saved and the risk associated with a change in activity. Every option should be appraised to determine whether the potential value it delivers outweighs any risks. Assessing the pros and cons will help prioritize the tasks to tackle first while minimizing risk exposure.
For more information on cost optimization techniques, download the Gartner Report, 5 Steps to Cost Optimization for Security and Risk Leaders in Uncertain Times.
*Gartner (April 2020). 5 Steps to Cost Optimization for Security and Risk Leaders in Uncertain Times.