More than ever before, organizations are asking their cybersecurity teams to find savings, delay expenditures and get more value from their budgets.
While pushing vendors for price concessions, cutting pay, or even laying off employees are options, IT leaders should use the pandemic as an opportunity to rethink their overall approach and find sustainable strategies that maximize the ROI from their IT security investments.
1. Be Business Driven
To be business driven, you must first have the relevant business data on which to base decisions.
Prioritize key outcomes from your cybersecurity program such as reducing risk, preventing data theft, and meeting compliance mandates. Frameworks such as NIST CSF, ISO 27001, CIS 20, COBIT, and HITRUST are useful tools, but aligning with something like the Sherwood Applied Business Security Architecture (SABSA) methodology allows for the prioritization of projects based on the business context and value. It is important to stay strategic and align cybersecurity outcomes with key business objectives.
Analyze your existing and planned spending in support of the prioritized outcomes. Things to consider include the cost of employees, contractors, services, technology, support contracts, and infrastructure. Understand how variable each cost is over the short and long term: some costs are locked in for the term of a contract, while others can be reduced or eliminated more easily. Many vendors and MSPs offer utility-based pricing, which not only allows you to shift to an OpEx model but also gives you the flexibility to pay for actual usage rather than paying for maximum capacity in advance.
2. Maximize the Value of Existing Tools
Many organizations do not take full advantage of the products they already own. This may be due to a skills gap, an incomplete implementation by the vendor, or simply because the original champion for the product has left the company. Whatever the reason, getting more out of your current tools improves cybersecurity outcomes and can delay spending on potentially unnecessary technology refreshes. Ask your vendors for free or low-cost training options and request a product roadmap briefing; you may find that the functionality you think is missing arrives at no extra cost in the next update.
In some cases, you may also find that spending money on external resources will help you better leverage a product’s capabilities. For example, in our experience many organizations only effectively use 50% of the functionality of next-generation firewalls (NGFWs). This is often due to incorrect or incomplete configurations and poorly defined standards. Partnering with a Managed Security Service Provider (MSSP) with mature operational processes and the necessary skills can help you maximize your investment in existing technologies, such as NGFWs or next-generation endpoint software.
3. Get Creative with Staffing
Employee costs make up a significant percentage of a typical organization's budget, which also makes them an area where there can be cost savings. The goal is to maximize productivity through a combination of getting more from existing staff and keeping the salaries of new hires at reasonable levels.
Even before COVID reset the norms around working from home, the role of security in digital transformation was a hot topic. The pandemic has accelerated parts of that transformation: it forced a rethink of the traditional workspace and added a layer of workforce monitoring at a scale most organizations were not ready for, but it has also opened many employers and employees up to remote working or telecommuting. By recruiting a remote workforce from an expanded geographical base, you can reduce the cost of labor and gain access to a larger pool of skilled professionals. In addition, consider hiring interns. While many organizations see their intern program as a way to recruit and train future full-time employees, interns often provide immediate value by offloading entry-level but time-consuming tasks from other team members.
Look at how you can maximize the productivity of your current team by analyzing which work can be automated or even eliminated. Removing mundane tasks from the to-do list of skilled staff gives team members more time for professional growth, which is more cost effective than hiring new staff to cover skills gaps. Productivity initiatives such as streamlining workflows or implementing SOAR automation free up time for other priorities or for further training.
4. Outsource Security Operations
A Security Operations Center (SOC) plays a critical role in protecting organizations from damaging cyberattacks and in meeting compliance mandates. The primary function of a SOC is threat identification, analysis, and response.
Standing up an in-house SOC is complex, time-consuming, and expensive. Studies have shown that building an in-house SOC can cost up to five times more than outsourcing. Based on our industry analysis, the breakeven point at which an in-house SOC makes economic sense starts at organizations with more than 500 security appliances and more than 10,000 employees. This assumes 75% utilization of all resources and no advanced capabilities such as a Red Team or threat intelligence research. Smaller organizations are usually better served by focusing their own resources on strategic planning and architectural work and outsourcing the more operational functions to a service provider.
Most organizations cannot justify a team big enough to support the range of functions needed for around-the-clock security operations. A 24/7 SOC with a three-tier analyst team would require 8 Level 1, 5 Level 2, and 3 Level 3 analysts. That model is only productive at scale; in a small organization these people will be significantly under-utilized. Additional team members with specialized skills such as SIEM administration, use case development, threat hunting, and incident response are also needed to mount an effective cyber defense. For all but the largest organizations, partnering with an MSSP provides significant cost savings and is far more effective.
Acquiring, integrating, and tuning software is another challenge for organizations considering an in-house SOC. In our experience, many businesses find that the software subscription for an enterprise SIEM alone is comparable to an MSSP's fees for a complete service. In an outsourced model built on shared resourcing, an organization pays only for the resources it actually uses, and consuming infrastructure on a utility basis provides the flexibility to ramp up and down without the burden of fixed costs.
While switching to an MSSP is economically beneficial, the real motivation should be the efficacy of the service and improved cybersecurity outcomes. Next-generation MSSPs and MDR service providers bring their clients superior threat visibility and best-in-class threat response and containment. Operational maturity improves as soon as the MSSP's processes are in place.
5. Consolidate and Rationalize
Studies have shown that consolidating vendors and technologies significantly increases the effectiveness of solutions and significantly reduces operational costs. There are more than 1,600 security vendors in the US market alone, which has created a culture of purchasing best-of-breed technologies to fill perceived gaps in the architecture. Each added device or technology amplifies the skills gap and, more often than not, reduces the effectiveness of the security controls. On average, proactive operation of a device, irrespective of its function, requires about 6.4 hours of effort per month.
By identifying overlapping capabilities across technologies and eliminating the point solutions that provide only redundant functionality, an organization can often cover gaps in headcount with the savings from technologies that no longer need to be renewed and maintained, and with the reduced skills requirement that follows.
Selecting a security platform that meets the control and monitoring requirements and integrates with the rest of the corporate network and data center infrastructure has been shown to be significantly more efficient and cost effective. The benefit of that integration outweighs the functional advantages of point products.
Managed detection depends on technologies being configured effectively, which allows for tighter controls and real visibility into network and endpoint activity. Reducing the number of devices and technologies sending log data, by removing ineffective technologies and enriching what remains with business context, yields more accurate threat detection and fewer false positives, so analysts can spend their time investigating and hunting threats.
IT leaders also need to carefully balance incremental expenditure against the risk it reduces. For example, the volume of log data ingested by a SIEM (measured in GB/day or events per second) drives software subscription fees and storage costs. By carefully selecting the type and quantity of log data and combining it with use case analytics, correlation rules, and threat intelligence, you can minimize costs while still ingesting the data that is critical for threat detection.
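The volume-versus-value trade-off above can be made concrete. The following is an added example, not code from the original article or from any vendor: it converts each log source's sustained events-per-second rate and average event size into GB/day, scores each source by how many detection use cases depend on it, and then fits sources into a licensed daily volume in order of value per GB. Every source name, rate, event size, use-case count, budget, and per-GB price below is a constructed assumption for illustration.

```python
"""Added example (not from the article): size SIEM ingestion per log source and
rank sources by detection value per GB so that cuts fall on low-value volume.
All sources, EPS rates, event sizes and use-case counts below are constructed
assumptions for illustration, not measurements from any real environment."""

SECONDS_PER_DAY = 86_400


def eps_to_gb_per_day(eps: float, avg_event_bytes: float) -> float:
    """Convert a sustained events-per-second rate and average event size to GB/day."""
    return eps * avg_event_bytes * SECONDS_PER_DAY / 1e9


# Constructed sample inventory. "use_cases" is the number of detection use cases
# (correlation rules, hunts) that depend on the source; it stands in for the
# business-context scoring the article calls for and is an assumption here.
SOURCES = [
    {"name": "firewall-allow", "eps": 1500, "avg_bytes": 300, "use_cases": 1},
    {"name": "firewall-deny", "eps": 400, "avg_bytes": 300, "use_cases": 4},
    {"name": "edr-telemetry", "eps": 800, "avg_bytes": 900, "use_cases": 9},
    {"name": "windows-auth", "eps": 250, "avg_bytes": 1200, "use_cases": 8},
    {"name": "dns", "eps": 2000, "avg_bytes": 200, "use_cases": 6},
    {"name": "netflow", "eps": 3000, "avg_bytes": 100, "use_cases": 2},
    {"name": "vpn", "eps": 50, "avg_bytes": 500, "use_cases": 3},
    {"name": "web-proxy", "eps": 1200, "avg_bytes": 600, "use_cases": 5},
]


def size_sources(sources):
    """Annotate each source with its daily volume and detection value per GB."""
    sized = []
    for src in sources:
        gb = eps_to_gb_per_day(src["eps"], src["avg_bytes"])
        sized.append({**src, "gb_per_day": gb, "value_per_gb": src["use_cases"] / gb})
    return sized


def plan_ingest(sources, budget_gb_per_day):
    """Greedy fit: admit sources in descending order of value per GB until the
    licensed daily volume is exhausted. Returns (kept, dropped); each dropped
    source is a candidate for filtering or sampling rather than outright removal."""
    kept, dropped, used = [], [], 0.0
    ranked = sorted(size_sources(sources), key=lambda s: s["value_per_gb"], reverse=True)
    for src in ranked:
        if used + src["gb_per_day"] <= budget_gb_per_day:
            kept.append(src)
            used += src["gb_per_day"]
        else:
            dropped.append(src)
    return kept, dropped


def annual_ingest_cost(sources, usd_per_gb):
    """Yearly cost at a flat per-GB-ingested rate (the rate itself is an assumption)."""
    return sum(s["gb_per_day"] for s in size_sources(sources)) * 365 * usd_per_gb


if __name__ == "__main__":
    total = sum(s["gb_per_day"] for s in size_sources(SOURCES))
    print(f"total if everything is ingested: {total:.1f} GB/day")
    kept, dropped = plan_ingest(SOURCES, budget_gb_per_day=150.0)
    for label, group in (("keep", kept), ("filter/drop", dropped)):
        for s in group:
            print(f"{label:12} {s['name']:15} {s['gb_per_day']:7.2f} GB/day "
                  f"{s['value_per_gb']:.3f} use cases/GB")
```

With these constructed inputs, ingesting everything would be about 262 GB/day; under an assumed 150 GB/day licence the greedy fit keeps VPN, firewall deny, Windows authentication, DNS, and EDR telemetry (about 135 GB/day) and flags web proxy, NetFlow, and firewall allow as the sources to filter or sample first. The use-case score is the judgment call; the code only makes the cost of each judgment visible, and a source it drops is usually better filtered (for example, keeping firewall denies but not allows) than removed entirely.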
Businesses have always struggled to determine the right budget for cybersecurity, and this is not likely to change. The COVID environment only increases and complicates the challenge.
Gartner's revised forecast for growth in information security spending in 2020 fell from 8.7% to 2.4%. They stated, "The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies and cost saving measures."
Boards and executive management are looking for CISOs to educate them on how to fund this critical function and for well-thought-out ideas to keep their organizations protected while maintaining a tight budget.