Eighty-two percent of security and risk leaders do not adjust their budgets based on environmental or business impact, which means they operate in a silo and are not aligned with the business.
Without that solid alignment, when a disruption happens, it can be difficult to ensure security is supporting what is important to the organization.
“With any disruption, with any crisis, you’re always going to have uncertainty, and uncertainty has a negative impact on your budget,” said Sam Olyaei, Director Analyst, during the virtual Gartner Security & Risk Management Summit, 2020. “Ultimately there has to be some sort of trigger or change within the budget planning process to navigate past the challenges.”
Gartner suggests five action items to guide security and risk leaders through cost optimization to enable a balanced and valuable outcome.
Action item 1: Identify crisis phase and what actions you will take
Leaders must know which phase of the crisis the organization is currently in so they can respond accordingly. The first is the respond phase, which focuses on keeping the lights on, maintaining essential services and making sure cost optimization is in place. In this phase, an organization might make policies more flexible or focus on tech that provides immediate value.
The next phase is recovery. This is where the strategic cost optimization begins now that leaders can look beyond the day to day. In the recovery phase, optimize for value and manage risk in comparison to cost. Effective security and risk leaders will use this phase to demonstrate value in the business by stretching staff skills and accelerating automation.
The final stage is the renew phase. Discussions will move past cost cuts to drive innovation and exploit opportunities to create value. This is the phase to scale digital with agile practices and prepare for a new normal. Arguably, this is where most leaders differentiate themselves from the rest of the pack.
Action item 2: Equip yourself with data for decision making
Whether it’s gathered from business reports, benchmarking, current state assessment or asset inventory, data is critical. Ideally, you’ll want to use a combination of all the sources to get the best picture of the organization. Data can be used to move away from making decisions based on legacy or emotions, and toward efficiency and metrics. It will enable you to showcase and highlight how security and risk is making decisions and why you’ve reached a particular conclusion.
Action item 3: Build adaptable and realistic budget scenarios
Although scenario planning isn’t usually a large part of the security and risk business unit, it’s important to plan, test and design budgets for scenarios that you might face in the near or short term.
For example, how would security handle an emergency budget cut, like being asked to cut spending by half through 2Q? What about selective cost reduction of 10% of the budget every quarter? What if security was asked to preserve costs and emphasize growth by maintaining the current budget but focusing aggressively on delivering business value?
Action item 4: Align based on business unit value, risk and cost
Consider how to allocate resources to particular business units based on the potential value of each unit as it relates to the business. Look for indicators like revenue, business value or number of employees to help balance risk, value and cost.
For example, at an entertainment company, hospitality has high business value, but a bad risk posture. For security and risk, this represents a true opportunity to increase investment in ensuring better security posture for a business unit that is vital to the overall business.
Action item 5: Take a portfolio view of cost optimization
Security and risk leaders need a holistic view of cost optimization. It boils down to two pieces: supply and demand. Supply has two main areas within security: security contract management and cost savings. Here there are opportunities to negotiate strategies and deliver technology value efficiently.
On the demand side, focus on joint business as well as security and business optimization. This includes activities such as accelerating business outcomes by looking a little further out and enabling new digital business models.