Cybersecurity will not escape cost reduction

Cyberrisk Management & Strategy

Let’s not lie to ourselves: it sometimes feels like cybersecurity lives in a bubble. CISOs are fed benchmarks (10% of the IT budget, 1 FTE per 400 employees, etc.), leading them to multiply major investment programs, sometimes costing hundreds of millions of dollars. It is no longer rare today to come across security teams of several hundred or even thousands of employees…

However, for some time now, some executive committees are no longer as generous and are demanding more effort from the IT Security function. It is well known that proving the effectiveness of the means committed is not easy, and some CISOs find themselves struggling even to maintain their annual budget. The post-COVID situation will not help, and there is no reason to think cybersecurity will escape the savings imperatives to come.

In the field, the following three levers may present opportunities to optimize costs in the IT Security function:

1. review of the Operating Model,
2. contracts optimization,
3. automation and offshoring.

1/ REVIEW OF THE OPERATING MODEL

To optimize an IT Security Operating Model, the question of redundancy must be addressed quickly. The observation is often the same from one company to another: the IT Security function has grown very quickly, and different teams have very similar or even redundant missions. Many service providers can attest to this: it is quite common to be called upon several times for the same study within a Key Account, by several different entities. Even if some companies are considering dealing with this subject through a complete centralization of the security team (there are some recent examples in the industry), the key is rather to centralize at least the cyber expertise and to structure service offers that can be used by all: pentests, SOC, red team, policy writing, awareness…

Be careful: this may represent a major change in stance for many CISO teams, which move from the role of prescriber to the role of service provider with all its facets (SLAs, quality measurement, and even penalties). However, it is an excellent way to eliminate redundancies, optimize costs and, in the process, clarify responsibilities.

2/ CONTRACTS OPTIMIZATION

Purchasing contracts often account for more than half of the IT Security function’s expenses and obviously present excellent avenues for optimization. Many companies have multiplied tactical deployments of security solutions, and it is not uncommon to find situations with 4 types of IPS, 3 EDRs and 3 SIEMs… A simple way to regain control and optimize costs is to return to a catalogue with centrally negotiated prices: a maximum of 2 products referenced per technology, and an obligation for all entities to use the catalogue. The results can be spectacular thanks to volume effects.

The same approach applies to services: the aim is to avoid scattering contracts and to ensure competition. In the field, the trend is typically to optimize the contracts that do not require specialized cyber expertise: project management, change management… From experience, it is quite simple to get 10%-15% off the daily rates, since the panel of companies is much larger for this type of task. However, security value must be preserved: it is not a question of lowering the guard on expertise or cyber strategy.

3/ AUTOMATION AND OFFSHORING

Automation can also be an optimization avenue to explore in the medium term, especially since the movement is already underway: SOAR solutions for incident handling, machine learning for anomaly detection, deployment of measures in the Cloud… Many cyber security activities are currently seeking optimization through the automation of repetitive tasks. The results are obviously not immediate, but the current economic climate is clearly likely to boost projects of this type.

An offshore strategy, on the other hand, can deliver much more immediate results, but beware of rushed projects. Offshoring security activities is anything but tactical: it requires a great deal of framing work to understand the specificities of each country, to establish proximity with local management, and above all to integrate offshore seamlessly into the IT Security operating model. Successful offshore operations involve up to 20% of the IT Security workforce being offshore. The key to achieving such volumes is to focus on providing standardized offshore services (operations, vulnerability scans, translation, etc.), and to limit extended teams, which can be attractive on paper but are often counter-productive because they are complex to manage.