How do you balance increasing cyber risk with decreasing budgets?

Over the past few years cyber security has leapt to the top of the boardroom agenda, with greater understanding of the business and operational risks and concern about not having adequate protection in place. The KPMG/Harvey Nash CIO Survey 2020 brought this into sharp focus during the COVID-19 pandemic, with the increase in remote working and a corresponding increase in cyber-attacks.

Despite its increasing importance and recognition at the highest levels of business, there remains a budgetary strain on security leaders. In the 2019 edition of the KPMG/Harvey Nash CIO Survey, over half (54 percent) of tech leaders said reducing costs is a key business issue they are expected to address. Even more worryingly, according to the KPMG Consumer Loss Barometer 2019, over a third (36 percent) of CISOs do not consider the state of their budget to be adequate. This, combined with the belief that over a third (34.5 percent) of organisations have a cyber security skills shortage, will continue to apply pressure to cyber security budgets.

COVID-19 has placed even greater pressure on organisational budgets as organisations strive to improve operational efficiency at a time when cyber threats are increasing, particularly from ‘opportunistic’ cyber criminals and state-sponsored cyber threat actors.

The answer to pressured budgets and increasing cyber risk can be found in a novel application of an established approach to IT budget management: cyber cost optimisation.

Cost optimisation is a well-known practice: the business-focused, continuous discipline of driving spending and cost reduction while maximising business value. According to Gartner, it can include several approaches to obtaining the best pricing and terms for all business purchases. Invariably, this also involves standardising, simplifying and rationalising platforms, applications, processes and services.

Cyber cost optimisation involves rationalising the cost of the cyber program whilst maintaining its effectiveness against evolving cyber threats.

Broadly, there are three different approaches to rolling out cyber cost optimisation: survival, tactical and structural.

Survival is focused on cash preservation and may range from discontinuing non-essential spend to selling assets. Examples include pausing all investment in the ‘nice to have’ bucket and reviewing all R&D initiatives. This approach is short-term: a stop-gap effort that results in immediate savings to address immediate budget pressures, but it may have little or no ongoing cost benefit and may even increase costs in the future. It can significantly impact business operations.

Tactical represents an opportunistic response to improve performance based on current capabilities and technologies. Examples include the automation of workflows, e.g. provisioning/deprovisioning, cyber risk approvals and security issue management. This approach generates ongoing efficiencies, but the impact is typically limited to a smaller-scale operation and is difficult to maintain, as costs will leak back in or result in a higher fixed cost base, reducing flexibility. Another example is offshoring non-critical functions.

A structural approach typically focuses on the longer term, likely requires investment, and results in significant changes in cost structure. Examples include transforming service enablement, e.g. self-service portals and chatbots, or the implementation of a ‘managed service’. This approach reduces the fixed cost base through new assets, delivery models and automation that enable the IT organisation to scale its run costs to better align with the business and create financial flexibility.

However, there are real-world hurdles to achieving the objective. Cyber security financial data is often incomplete or difficult to quantify; people can feel threatened, particularly if they are underperforming or perceive a loss of influence or power; and, finally, those trying to implement the changes may lack governance and decision-making authority. These and other hurdles can be overcome, resulting in real and meaningful cyber cost optimisations.

The most effective approach to cyber cost optimisation is based on a set of principles (or hypotheses) that are tested using a combination of the available qualitative and quantitative data. From this, several relevant cost rationalisation opportunities will arise. A typical example of the type of insight that can be gained comes from a recent review of one of our partner organisations, which had 43 security controls in place: 22 of them provided 84 percent of the risk mitigation for the system, while the remaining 21, least effective, controls provided only 16 percent. The area for cost optimisation was evident, without losing effective controls.

There is no one-size-fits-all approach, but at its heart it is surprisingly simple: ensuring the best cyber defence for an organisation without breaking the bank.
