The business world is feeling the pinch of the global recession, and as companies look for ways to save money, many are cutting security budgets to stabilise their bottom lines.
While streamlining budgets is necessary, the danger of reduced spending is that companies risk providing a sub-standard service, shrinking their customer base and, perhaps most crucially, damaging their reputation and leaving themselves open to security risks.
A report last week found that only 49% of organisations currently have enough budget to meet their current cyber security needs. Yet over 33% of IT and security professionals said that their budgets would remain static or be reduced over the coming year, which amounts to a reduction in real terms as inflation continues to push up prices for external services and equipment.
For organisations where risk, governance and controls spending is lower than it may have previously been, it is now vital for risk professionals to look at cost optimisation to ensure that companies remain protected from security risks through effective budget management.
What is cost optimisation?
Simply put, cost optimisation means using the funds available to achieve the most significant impact for the least money spent. However, this can be a tricky balancing act for chief information security officers (CISOs), as some budget line items, such as firewalls and anti-virus software, are essential for regulatory compliance.
Often, CISOs have a minimal amount of budget left with which to be creative, but anything they can optimise will help, and there are some recommended strategies to help achieve cost optimisation.
Cost optimisation strategies
In the first instance, it is advisable to audit the current security situation to check whether the fundamentals of security systems are up to scratch, as this can save money and reduce risk in the long term. If the right foundations are in place, an organisation will be better positioned to protect against a data breach, or to be resilient in the face of one and make a swifter and more effective recovery if the worst happens.
Dukebridge commented that clients are reporting a culture change where staff adopt a “work with your head up” mentality to try and prevent risks in advance. Investing in getting the basics right and ensuring that teams work together to make the best use of resources optimises budget and can reduce unnecessary spending further down the line.
As well as looking at the structure of systems, it is also worth shopping around for a good deal on the essentials. With a growing number of cyber security providers entering the market daily, some better deals may be found, freeing up some budget for other use. In addition, as part of the audit process, ensure that longstanding tools and services remain fit for purpose as risks evolve. No one wants to pay huge chunks of their security fund for a platform that only performs half the functions they might need as requirements change. Products are only worth the money if they reduce risk to the level required. If a gap analysis shows that a service is not value for money, you can negotiate a better deal or seek an alternative, more cost-effective solution.
Equally, CISOs may want to review whether systems align with the business’s risk tolerance. Spending budget on complicated cyber security when the company might be comfortable with a slightly higher level of risk would waste money that could be spent elsewhere.
Finally, prioritising risks is vital. Determine which technology must be paid for first to protect the business and then look for ways to save money in other areas, for example by automating or outsourcing certain functions such as password resets. A Dukebridge client highlighted how this can apply in practice, saying they are “now investing in risk prioritisation mechanics, which will rank our exposure by how likely it is and how catastrophic the effect would be. By doing this, we are trying to make solutions for them in order of how they ‘rank’ against each other internally”.
Beware of false economy
Having the right foundations and the most intelligent technology to match your organisation’s risk requirements can go a long way to optimising your budget. However, business leaders should be mindful of making sweeping cuts to workforces or salaries.
While cutting back on staff spending can seem like an excellent way to save money, the benefits can be short-lived and increase risk. Teams with reduced numbers are likely to have to take on a heavier workload, meaning that mistakes are more likely to occur and the risk of security issues increases. On top of this, professionals working at capacity, potentially with reduced or frozen salaries, are more likely to experience burnout and seek alternative employment. This can cause a retention headache, which can, in turn, increase risk through the loss of experienced talent and increase costs through the need to recruit new staff. This all goes against cost optimisation, which needs to make the ‘best’ use of the budget available, because it focuses only on immediate cost savings, not overall cost efficiencies.
One way to overcome recruitment, retention and risk management issues when on a tight budget can be to utilise flexible service solutions – often also known as ‘Statement of Work (SoW)’ solutions, ‘hybrid recruitment’ or ‘resource augmentation’. When building and managing a small team with restricted funds, it is crucial to have the right talent with the total mix of skills and knowledge needed to manage the risks at hand. Finding suitable individuals with the right experience can be tricky and time-consuming, and this is where SoW consultancies can help.
These consultancies offer a pre-authorised bench of screened professionals ready to work. They can hit the ground running when they arrive, negating the need for a long-winded and repetitive recruitment process. SoW teams generally also work on a project basis, meaning there are options for interim employment, reducing the risk of taking on new permanent staff and making them redundant further down the line. All of this can save companies time and money, which can be essential to managing shrinking budgets and limited resources successfully.
In addition to removing the hassle and cost of finding the right talent, most SoW consultancies offer the option to take on partial or complete financial, output and delivery risk associated with the projects they are working on, helping CISOs to reduce their risk further while also optimising costs.
Overall, managing security on a reduced budget is likely to be a significant factor affecting organisations as we move through 2023, but with careful cost optimisation, risk professionals may be able to find a safe path through this rough economic patch.
If you are looking for a team of tech, cyber security, risk, compliance or IT professionals for anything from a small short-term project to a large-scale, long-term managed contract, get in touch with Dukebridge today and find out how our hybrid consulting services can quickly and effectively fulfil your staffing needs.