How successful enterprises can take a proactive approach to improve cybersecurity ROI

By Shrikant Shitole, Vice President & Country Head (India & SAARC), FireEye

Many businesses have responded to COVID-19 guidance by focusing on stability and crisis response management. Security teams are doing their best to provide online access to their employees while keeping them secure during this extended period of work from home. However, with this accelerated pace of digital adoption by the remote workforce, coupled with the rising pressure of shrinking IT budgets, businesses are becoming increasingly vulnerable to security risks.

While there is greater focus on providing business value, and CISOs can expect this trend to continue into 2023, now is not the time for a “head-in-the-sand” approach to security expenditure. New scrutiny of costs may cause discomfort for many CISOs who find it difficult to prove ROI on expenditure. However, there are a few guidelines that can be put in place, and early, proactive preparation for budget reductions will help elevate the security function from a cost center to one that provides business value.

As the world resumes its transition back to regular business operations, organizations will face different phases of crisis management. In this scenario, the first step is to identify the crisis phase the organization is in and then develop a strategy that supports it.

“Ounce of Prevention is Worth a Pound of Cure”

Once the organization’s phase is determined, the next step is to gather relevant data that will support any cost optimization efforts. This can include:
Benchmarking: Organizations need to record how their sector is performing versus how the organization itself is performing. Comparing performance metrics also provides the insights businesses need to scale and grow.
Validating security: In cybersecurity, the most significant check is the validation of controls. Today, all organizations are expected to validate and gauge security controls against security threats. Security validation is the baseline for planning cybersecurity ROI. With security validation, output can be generated which explains how well security tools and procedures are performing while helping identify where duplicated tools or gaps exist. This in turn will help security leaders accurately target areas where expenditure can be controlled or reduced. Being an ongoing process, security validation assists the team in tracking the tools’ overall performance, making it easier to boost ROI.
Threat intelligence: Vectors such as phishing, social engineering, credential theft and nation-state attacks will operate at various levels during volatile periods. A sound understanding of the threats that matter to the business is crucial. Timely access to, and visibility of, threat intelligence helps organizations understand what is important and prioritize accordingly to manage risks proactively and efficiently.
Organizational goals: Organizational goals are strategically set objectives that outline expected results and guide employee efforts. It is vital for every organization to constantly assess its business goals in order to proactively evaluate its ability to effectively prevent, detect and respond to threats. This in turn helps improve processes, technologies and overall security posture.

By following these guidelines, organizations can build adaptable budget scenarios that reflect their true environment. These should include the strategic steps to take in response to each scenario, covering both best-case and worst-case approaches.

Prioritize Investments
Making the right investments is key to the optimal functioning of an organization. The results from the security validation process—combined with cyber threat intelligence—will help teams identify what they need to test for in their environments. Prioritizing these investments will demonstrate to key stakeholders that the security team is striking a balance between the need to address key areas of risk and the need to achieve business goals.

To assist in decision-making, communication and the prioritization of activities, it is crucial to map the level of cybersecurity risk facing each department or business unit against the value that unit brings to the operation.

Cost Optimization is Key
If the focus is solely on reducing organizational costs, teams could miss opportunities to address issues, close security gaps and improve overall security effectiveness. A proactive rather than reactive approach is crucial to achieving cost optimization.

Elements to consider are:
Security contract negotiation/re-negotiation: Getting the best price and terms for security purchases and consolidating vendors where necessary.
Security efficacy: Identifying potential for improving processes to deliver workforce and technology efficiencies.
Portfolio optimization: When working at scale, investigate whether automation of procedures will be beneficial.
Aligning workforce skills: With a focus on assisting business recovery, this may require redundancies, additional hires, reallocation of skills or talent sharing.

In most cases, cost optimization initiatives will involve a trade-off between the cost saved and the risk associated with a change in activity. Every option should be appraised to determine whether the potential value it delivers outweighs any risks. Assessing the pros and cons will help prioritize the tasks to tackle first while minimizing risk exposure.
