Not every conversation a CISO is having with the Board should be about asking for a budget increase or FTE uplift. On the contrary, with the squeeze on security budgets, it can be an opportunity to demonstrate how you do more with less.
To demonstrate business value and achieve desired impact, a CISO’s cyber security strategy should go beyond cyber capability uplift and risk reduction and also improve cost performance.
Security leaders don’t have unlimited resources. Significant security transformation, however, can be achieved leveraging existing investment and security resource levels.
The purpose of this blog is to broaden your perspective and enable you to start seeing the ways things can be done more cost-effectively.
Below are some examples of tangible cost savings that can be delivered without compromising on the security posture. Significant efficiencies can be gained through:
Automation: find ways to automate manual activities and routine tasks like ongoing evidence collection. Try writing custom scripts rather than purchasing off-the-shelf solutions. This can reduce the FTE requirement.
Consolidation: look for opportunities to consolidate security vendors across different parts of the business to leverage economies of scale and save on technology costs. Reducing duplicated capabilities can also reduce complexity and improve overall security outcomes. Specifically, this can minimise ongoing operation, maintenance, implementation, integration and procurement effort.
Simplification: explore retiring resource-intensive processes or reducing their frequency. Controls that already operate effectively are good candidates: their review cadence can be reduced without negatively impacting security posture. This can minimise the ongoing FTE requirement.
Innovation: look for ways to do things differently. For example, shift from point-in-time assessments to continuous compliance to reduce manual labour and the associated FTE requirement.
Rationalisation: similar to consolidating security vendors, find ways to disengage or replace underused security tools and services to lower the total cost of ownership. This has the added benefit of reducing potential misconfigurations and the overall attack surface.
Streamlining: look to standardise and harmonise compliance and BAU security processes across different geographies and business units to gain efficiencies and reduce the FTE requirement.
Open-source solutions: leverage open-source solutions where appropriate to save on ongoing licensing costs.
Contract renegotiations: review your service provider relationships and contracts. Consider rotating your security suppliers if costs keep increasing year-on-year while service levels are going in the opposite direction. Leverage renewal cycles to better understand your requirements and scope in light of the continuously evolving business and threat landscape.
In-sourcing: can you leverage the security team structure and in-house skills to save on consultancy and managed services fees for security tooling implementation and ongoing support? Or will outsourcing be more beneficial? Assess various scenarios and engage the CFO to align on options and cost structure.
There are, of course, pros and cons to the above items, and you don’t have to implement all of them. Consider the context in which you operate. Some cost savings can be achieved indirectly, for example through reduced cyber insurance premiums for your business. This can further help demonstrate the financial benefits of cyber security.