In the wake of a global pandemic, a CIO of a large tech firm asked the chief information security officer (CISO) to reduce spend by 10%. Unfortunately, limited budget experience and a lack of strategic planning for times of uncertainty can make cost reduction and broader cost optimization a challenge for CISOs. Further, CISOs risk missing out on potential opportunities by focusing only on cost reduction instead of strategizing for cost optimization.
Security and risk management (SRM) leaders need an effective cost optimization strategy to help them prepare for budget cuts before they’re asked to make them. This includes building adaptable “budget scenarios” and balancing efforts to ensure their budget portfolio drives efficiency, productivity and optimization. When CISOs combine these two initiatives, they’ll be ready for any budget changes their CIO puts in place, creating successful business continuity and adding overall value to the organization.
Facilitate business outcomes
By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business.
Focusing on optimization amid budget cuts can include exploring alternative delivery platforms, outsourcing, increased spend, employee retention and other mechanisms. But as leaders are often ill-prepared for budget pressure, adapting to this new budget model can prove difficult.
SRM leaders can apply these two techniques for a better understanding of cost optimization initiatives across the organization.
Balance cost optimization efforts to ensure you are not solely focused on “spend reduction”
An effective cost optimization strategy is about balancing efforts across major portfolios of services. Often, a more strategic change, as opposed to an easy cut, can result in long-term savings that leaders may not initially recognize. If overall cost optimization efforts are out of balance, meaning overly focused on one piece rather than distributed, the cost optimization won’t be as effective. Gartner suggests four paths that can be taken, individually or together:
In times of economic uncertainty, sacrifices and concessions will have to be made. For example, you may need to get creative and use a combination of open source and paid services. You may decide to forgo your on-premises security operations center for a hybrid model that prioritizes a SaaS model. The goal is to reduce unit cost.
Cost savings within security/IT
Leaders need to identify opportunities to reduce or eliminate baseline costs. For example, consider automating or triaging manual tasks such as log management, or outsourcing operational capabilities such as monitoring to a managed security service provider, with a goal of increasing technology efficiency.
You may also decide to take on your organizational structure and delegate security functions such as architecture, system engineering and development to relevant teams in IT-business.
Joint business and security cost savings
Cost optimization efforts here should provide a dual impact on both the function and the business, achieved through modernization, different delivery platforms and alternative acquisition models. For example, you may decide to make concessions in your password access protocols and implement a self-service reset tool.
This area is where value generation tends to happen. For example, you may decide to adopt a new identity provisioning system to be executed by business owners and HR.
These paths will also highlight whether the organization has mixed cost savings with other optimization techniques, such as business restructuring and innovation, to prepare the organization for a return to growth.