Many security leaders across the globe face budget reductions every year, or whenever the business enters a period of uncertainty. At the same time, these leaders are expected either to maintain the security program in its current state or to raise its maturity while absorbing those cuts.

You might ask yourself why a business would cut cybersecurity costs when it is considered a top priority for most organizations and boards. Contributing factors include C-suite changes and uncontrolled cost, but the most common reason today is the anticipation of a downturn in the global economy.

Although these situations are not ideal, all is not lost. There are ways to optimize cybersecurity cost without compromising an organization's overall security posture. We examine seven levers that can be pulled during times of economic uncertainty to minimize costs without compromising security (see Figure 1 below).


Figure 1: AlixPartners Cybersecurity Cost Optimization Framework 


What are the levers of cybersecurity cost optimization? 

Cybersecurity programs cost organizations money and are often deemed “non-revenue generating”. On the flip side, a cybersecurity program is pivotal to an organization and helps avoid millions, and in some cases billions, of dollars in fines, breach costs, lawsuits, and more. Here are seven cybersecurity cost optimization levers a company can implement without compromising security:

1. Simplify 

Simplifying cybersecurity may sound like an insurmountable task to most cybersecurity professionals, but it is doable. “Simplify” means cutting down or reducing, which requires us to assess what we currently have and act to change it. Steps that can be taken to simplify a cybersecurity program include assessing the current cybersecurity tool stack and vendor contracts, centralizing security insights, and revisiting the operating model.

To avoid compromising security, organizations must categorize the tools in the existing stack as “required”, “nice to have”, or “can be eliminated”. If a tool is deemed “required”, removing it would compromise the overall security of the organization and its features cannot be substituted by another tool (additional information on tool rationalization can be found under the “Right-size” lever below). A similar exercise can be done with the list of cybersecurity vendors. Additionally, centralizing logs and eliminating unused log types can reduce storage costs and give the security team more valuable insight into potential attacks. Before a log type is dropped, confirm that no detection rule, investigation playbook, or retention obligation depends on it; a source that looks unused in dashboards may still be the only record an incident responder has of a given activity.

Further, revisiting the operating model simplifies not only the technology but also the people and processes, and ultimately reduces costs. Cybersecurity leaders should ask themselves: “Which skills do we need on our cybersecurity team?”; “Do we have the right resources, in the right places, doing the right things?”; “Will there be an impact on the security posture if we update the organizational structure?”

2. Renegotiate 

As Chester Karrass once said, “In Business, you don’t get what you deserve, you get what you negotiate”. Negotiating, or in this case re-negotiating, requires cybersecurity programs to review existing vendor contracts and identify options that reduce overall cost. This does not mean that services and products need to be eliminated; it means the agreement needs updating to get more for less. It involves going back to each vendor of products and services and asking whether they can do better.

For example, if a cybersecurity program decides to eliminate a security tool that was being managed internally, can the existing Managed Security Service Provider fill the resulting gap at no increase, or only a minimal increase, in the cost of the current agreement?

Cybersecurity organizations should revisit vendor agreements to seek better terms by updating contract language and adding specific Service Level Agreements where the original ones were broad. As a result, the information these vendors provide becomes meaningful and may fill existing gaps in security visibility and capability. Re-negotiating does not mean cybersecurity programs will become immature; it can result in programs tightening their expectations, increasing services, and gaining better insights.

3. Prioritize  

Organizations cannot employ effective security practices without robust risk management in place. Measuring risks in terms of annualized loss expectancy (ALE), the expected loss from a single incident multiplied by the number of such incidents expected per year, is integral to the process. Prioritizing security investments based on the reduction in the organization’s ALE minimizes expenditure on unnecessary controls while delivering the highest return on security investment.

A prerequisite to effective investment prioritization is an understanding of the value of the assets which the organization is protecting. Weighing investment decisions against the value of the assets prevents the implementation of measures which can be more costly than the value of the asset the measures are designed to protect. 
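As an added illustration of the two paragraphs above (this is example code written for this page, not code from the original article), the following Python ranks candidate controls by how much annualized loss expectancy they remove per dollar of annual cost, and applies the asset-value check: a control that costs more than the asset it protects is rejected outright. The assets, controls, dollar figures and incident frequencies are constructed sample inputs, not real data.

```python
"""Rank candidate security controls by reduction in annualized loss expectancy.

Added example for the "Prioritize" lever; illustrative code, not from the
original article. Every asset, control, dollar figure and frequency below is a
constructed sample input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float   # business/replacement value of the asset ($)
    sle: float           # single loss expectancy: expected loss per incident ($)
    aro: float           # annualized rate of occurrence (incidents per year)

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    annual_cost: float          # licence plus operating cost per year ($)
    aro_reduction: float        # fraction of incidents the control prevents (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident loss it removes (0..1)

    def residual_ale(self) -> float:
        """ALE that remains once the control is in place."""
        return (self.risk.sle * (1 - self.sle_reduction)
                * self.risk.aro * (1 - self.aro_reduction))

    def ale_reduction(self) -> float:
        return self.risk.ale() - self.residual_ale()

    def rosi(self) -> float:
        """Return on security investment: (ALE reduction - cost) / cost."""
        return (self.ale_reduction() - self.annual_cost) / self.annual_cost


def prioritize(controls):
    """Split controls into a ROSI-ranked 'fund' list and a 'reject' list.

    A control is rejected when it costs more than the asset it protects is
    worth (the asset-value check from the text) or when its ALE reduction does
    not cover its own annual cost.
    """
    fund, reject = [], []
    for c in controls:
        if c.annual_cost > c.risk.asset_value:
            reject.append((c.name, "costs more than the protected asset is worth"))
        elif c.ale_reduction() <= c.annual_cost:
            reject.append((c.name, "ALE reduction does not cover annual cost"))
        else:
            fund.append(c)
    fund.sort(key=lambda c: c.rosi(), reverse=True)
    return fund, reject


# Constructed sample risks: a customer database and a lobby kiosk.
CRM_DB = Risk("crm-database", asset_value=2_000_000, sle=500_000, aro=0.2)
KIOSK = Risk("lobby-kiosk", asset_value=5_000, sle=5_000, aro=1.0)

# Constructed candidate controls (names and figures are hypothetical).
SAMPLE_CONTROLS = [
    Control("EDR on database hosts", CRM_DB, annual_cost=40_000, aro_reduction=0.6),
    Control("Offline backups", CRM_DB, annual_cost=15_000,
            aro_reduction=0.0, sle_reduction=0.5),
    Control("Legacy AV add-on", CRM_DB, annual_cost=30_000, aro_reduction=0.1),
    Control("Kiosk DLP appliance", KIOSK, annual_cost=12_000, aro_reduction=0.9),
]


def demo():
    return prioritize(SAMPLE_CONTROLS)


if __name__ == "__main__":
    fund, reject = demo()
    for c in fund:
        print(f"FUND   {c.name:24s} ALE reduction ${c.ale_reduction():>9,.0f}"
              f"  cost ${c.annual_cost:>7,.0f}  ROSI {c.rosi():.2f}")
    for name, why in reject:
        print(f"REJECT {name:24s} {why}")
```

On the sample data the backups rank first (they halve the per-incident loss for a small outlay), EDR second, while the legacy add-on fails to pay for itself and the kiosk appliance costs more than the kiosk is worth. The inputs to SLE and ARO are estimates, so in practice the ranking should be re-run with pessimistic and optimistic values to see which decisions are stable.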

4. Right-size

Technological controls are the answer to some, but not all, problems. Often, security functions adopt a technology-oriented approach to mitigating risks, which can lead to an over-abundance in tooling and licensing. 

Right-sizing is the process of identifying overlapping security capability by interviewing security teams and examining available tooling. Often, siloed security teams duplicate effort and don’t tend to use all tooling available to them, which presents rationalization opportunities. 

How does reducing the resources available to the security function affect defense in depth? The key to right-sizing is to distinguish between technological solutions that are almost identical in capability and distinct controls layered for an additive effect. Consolidating the former has a negligible impact on security; removing one of the latter weakens the defense. When security resources are weighed against the controls actually implemented, opportunities to optimize costs can be identified without affecting overall security posture.

5. Re-engineer/Re-platform 

Most organizations feel overwhelmed by the volume of alerts their existing security tools produce. As a result, companies hire more security professionals to “throw at the problem”. An alternative is to re-engineer or re-configure the existing tools to remove false positives and produce more meaningful alerts. Reducing the number of full-time employees, contractors, or Managed Security Service Providers (MSSPs) required to monitor security tools, simply by re-configuring those tools to be more efficient and effective, saves cost. Tuning should be measured: check how many true positives the suppressed alerts contained before and after the change, so that noise reduction does not quietly become missed detections. Cybersecurity programs can also assess existing processes and interconnections with other teams to uncover areas that can be re-engineered and made more efficient.

Re-engineering security tools usually improves the security posture of an organization to better identify, detect, and respond to potential attacks. Further, re-engineering processes can result in “non-security” processes being offloaded to the responsible teams. As a result, this can reduce overall cybersecurity program spend and will allow security team members to focus on processes that impact the overall security posture of the organization.  

6. Automate 

The operational duties carried out by security teams become resource-intensive when the processes are manual and scale with the size of the organization. For instance, allocating roles and responsibilities to hundreds of thousands of identities requires a significant amount of time. Security functions are also burdened with high volumes of vulnerabilities every week that require remediation within short timeframes. Manual vulnerability and patch management processes place unnecessary strain on stretched security teams, which reduces the likelihood of meeting remediation targets and increases the organizational attack surface.

Automating these manual processes removes the bottlenecks that erode the overall security posture. The operational efficiency gains typically outweigh the significant upfront investment of time required to configure automated tooling so that it produces little noise, and to train the people who use it.
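As an added example for the vulnerability and patch management case above (code written for this page, not from the original article), the following Python turns raw scanner records into a remediation queue against severity-based SLA windows. It de-duplicates findings that several scans re-report so the SLA clock starts at the first sighting, halves the window for internet-facing hosts, and buckets each finding as overdue, due soon, or on track. The SLA windows are assumed policy values, and the hosts, finding identifiers and scores are constructed sample data.

```python
"""Automated remediation-SLA tracking for vulnerability findings.

Added example for the "Automate" lever; illustrative code, not from the
original article. The SLA windows are assumed policy values, and the hosts,
finding identifiers and scores below are constructed sample data.
"""
from datetime import date, timedelta

# Assumed remediation windows in days per severity band (policy, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
DUE_SOON_DAYS = 7  # flag anything due within a week so it can be chased


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def remediation_queue(findings, today, internet_facing=frozenset()):
    """Build a remediation queue from raw scanner records.

    findings: iterable of (host, finding_id, cvss, first_seen) tuples, as
    several scans would emit them (duplicates across scans are expected).
    Returns {'overdue': [...], 'due_soon': [...], 'on_track': [...]} with
    (host, finding_id, days_remaining) tuples, most urgent first.
    """
    # One entry per (host, finding); the SLA clock starts at the earliest sighting,
    # which a manual process reading only the latest scan report tends to lose.
    earliest = {}
    for host, fid, cvss, first_seen in findings:
        key = (host, fid)
        if key not in earliest or first_seen < earliest[key][1]:
            earliest[key] = (cvss, first_seen)

    queue = {"overdue": [], "due_soon": [], "on_track": []}
    for (host, fid), (cvss, first_seen) in earliest.items():
        window = SLA_DAYS[severity(cvss)]
        if host in internet_facing:
            window //= 2  # assumed policy: halve the window for exposed assets
        remaining = (first_seen + timedelta(days=window) - today).days
        item = (host, fid, remaining)
        if remaining < 0:
            queue["overdue"].append(item)
        elif remaining <= DUE_SOON_DAYS:
            queue["due_soon"].append(item)
        else:
            queue["on_track"].append(item)
    for bucket in queue.values():
        bucket.sort(key=lambda item: item[2])
    return queue


# Constructed scanner output: (host, finding id, CVSS base score, first seen).
SAMPLE_FINDINGS = [
    ("web-01", "FINDING-001", 9.8, date(2024, 5, 1)),
    ("db-01", "FINDING-002", 8.1, date(2024, 4, 20)),
    ("app-02", "FINDING-003", 5.5, date(2024, 2, 1)),
    ("db-01", "FINDING-002", 8.1, date(2024, 5, 5)),  # re-reported by a later scan
    ("web-01", "FINDING-004", 7.5, date(2024, 5, 1)),
]


def demo():
    return remediation_queue(SAMPLE_FINDINGS, today=date(2024, 5, 10),
                             internet_facing={"web-01"})


if __name__ == "__main__":
    for status, items in demo().items():
        for host, fid, remaining in items:
            print(f"{status:9s} {host:8s} {fid}  days remaining: {remaining}")
```

Run daily, the output feeds ticketing or a dashboard directly, and the overdue bucket is the metric that shows whether remediation targets are being met, which is the visibility a manual spreadsheet process rarely provides.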

7. Insource/Outsource 

Security teams are often organized in such a manner that staff share overlapping security responsibilities, which can lead to inefficiencies and inhibit the development of the security program. This is compounded when teams form siloed structures with poor communication flows, which yields duplications of effort. 

The key to deciding whether to insource or outsource a security capability is to weigh the maturity, size, availability, and technology requirements against the associated costs and timelines. Outsourcing security services gives organizations quick access to a mature capability that may otherwise be resource-intensive to develop internally. Insourcing a capability, by contrast, provides more control and direction over it, along with cost-saving opportunities in the long term.

Getting started: What can you do next?  

The seven levers discussed here (simplify, re-negotiate, prioritize, right-size, re-engineer/re-platform, automate, and insource/outsource) provide organizations with a toolkit to enact change. Positive changes to the team can be realized as a result of optimizing cybersecurity costs, such as enhanced collaboration, greater transparency, and stronger relationships with strategic partners. 

Knowing where to begin can be challenging since organizations need to take a holistic approach to identify which of the seven levers to exercise. These levers should be balanced against the people, processes, and technology that underpin the security program. The steps you can take to begin the cybersecurity cost optimization journey are as follows:  

  1. Conduct an assessment: Perform a cybersecurity cost optimization assessment that includes the seven levers discussed to uncover areas of improvement and gain insight into how security maturity and security risks may be impacted. 

  2. Find the efficiencies and balance: Review the security program operating model, organizational structure, and service delivery model to identify efficiencies. 

  3. Develop a path forward: Define the security program blueprint for action that details the cost saving initiatives implementation plan. 

  4. Implement cost optimization guardrails: Balance expenditure against the strategic objectives of the security program and maintain costs within the desired bounds. 

AlixPartners works with senior leaders across organizations to efficiently identify, quantify, and implement cost optimization opportunities for cybersecurity programs. A QuickStrike assessment of cybersecurity program expenditure is a helpful way for organizations to prepare to minimize spending, maximize efficiency, and extract the most value from security investments. If you would like to discuss our cost optimization QuickStrike assessment, please contact one of our experts below.  

 

Beth Musumeci - Partner & Managing Director, Global Cybersecurity Leader 

Megha Kalsi – Cybersecurity Leadership