In the wake of a global pandemic, a CIO of a large tech firm asked the chief information security officer (CISO) to reduce spend by 10%. Unfortunately, limited budget experience and a lack of strategic planning for times of uncertainty can make cost reduction and broader cost optimization a challenge for CISOs. Further, CISOs risk missing out on potential opportunities by focusing only on cost reduction instead of strategizing for cost optimization.
Security and risk management (SRM) leaders need an effective cost optimization strategy to help them prepare for budget cuts before they’re asked to make them. This includes building adaptable “budget scenarios” and balancing efforts to ensure their budget portfolio drives efficiency, productivity and optimization. When CISOs combine these two initiatives, they’ll be ready for any budget changes their CIO puts in place, creating successful business continuity and adding overall value to the organization.
Facilitate business outcomes
By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business.
Focusing on optimization amid budget cuts can include exploring alternative delivery platforms, outsourcing, increased spend, employee retention and other mechanisms. But as leaders are often ill-prepared for budget pressure, adapting to this new budget model can prove difficult.
SRM leaders can apply these two techniques for a better understanding of cost optimization initiatives across the organization.
Balance cost optimization efforts to ensure you are not solely focused on “spend reduction”
Effective cost optimization strategy is about balancing efforts across major portfolios of services. Often, a more strategic change, as opposed to an easy cut, can result in long-term savings that leaders may not initially recognize. If overall cost optimization efforts are out of balance, meaning overly focused on one piece rather than distributed, the cost optimization won’t be as effective. Gartner suggests four paths that can be taken, individually or together:
In times of economic uncertainty, sacrifices and concessions will have to be made. For example, you may need to get creative and use a combination of open source and paid services. You may decide to forgo your on-premises security operations center for a hybrid model that prioritizes a SaaS model. The goal is to reduce unit cost.
Cost savings within security/IT
Leaders need to identify opportunities to reduce or eliminate baseline costs. For example, consider automating/triaging manual tasks such as log management, or outsourcing operational capabilities, such as monitoring to a managed security service provider with a goal of increasing technology efficiency.
You may also decide to revisit your organizational structure and delegate security functions such as architecture, system engineering and development to the relevant teams in IT and the business.
Joint business and security cost savings
Cost optimization efforts here should provide a dual impact on both the function and the business, achieved through modernization, different delivery platforms and alternative acquisition models. For example, you may decide to make concessions in your password access protocols and implement a self-service reset tool.
This area is where value generation tends to happen. For example, you may decide to adopt a new identity provisioning system to be executed by business owners and HR.
These paths will also highlight whether the organization has mixed cost savings with other optimization techniques, such as business restructuring and innovation, to prepare the organization for a return to growth.
Build adaptable “budget scenarios” that reflect the reality of your SRM function
To address operational decisions in times of need, build adaptable budget scenarios that can be revisited on a regular basis. This requires CISOs to align with the finance team and partner on the overall cost optimization process. Each budget scenario the teams prepare should be built using three approaches:
Base case (Long-term impact)
This is usually associated with consistent budget cuts across all departments through a longer time frame to ensure cost optimization. Efforts should be targeted at the investments that will deliver the least harm to business goals. For example, security function B was asked to cut spending by 10% every quarter for the next year.
Worst case (Immediate action)
This is usually associated with drastic budget cuts to ensure immediate business survival. Focus on foundational and essential investments that allow you to function in survival mode. For example, function A was asked to cut spending by half by the end of 2Q.
Best case (Maintaining current spend)
Best case is when the business will not be cutting budgets, regardless of the current environment. Best practices should be maintained. Costs should be preserved where investments have been defined as critical to high-value business units. For example, security function C has been asked to maintain the budget, but focus heavily and clearly on delivering business value.
Cost optimization initiatives all come with opportunity cost and risk, each representing some trade-offs. SRM leaders can also explore a three-phase action plan to take a proactive approach to cost management and invest in the future of the business.