Five ways CISOs can optimise their business outcomes

By Tony Buffomante, Global Head of Cybersecurity & Risk Services at Wipro
Tony Buffomante, Global Head of Cybersecurity & Risk Services at Wipro, outlines how CISOs across the globe can secure funding and manage their budgets

As inflation battles it out with the threat of a recession and the financial markets continue to experience turbulence, many enterprises are finding steady growth to be a challenge. Despite the unpredictability, there is one sector that isn’t beholden to the markets and remains unaffected by either inflation or recession: cyber crime.

Cyber crime flourished during the remote work boom of the pandemic, hitting record highs in damages – and there are no signs of it slowing down. 

Businesses face a unique new challenge in fending off these two crises at once: managing challenging economic conditions while maintaining investments in the infrastructure essential to defend against cyber-attacks.

Balancing agile risk strategies with cost optimisation 

Cyber risk is increasing at a time when budgets are being stretched. At the beginning of 2022, 70% of CISOs expected higher budgets compared to the prior year. However, as businesses face more financial pressure, CISOs are increasingly seeing budgets for security spending being delayed. This creates a new challenge for CISOs looking to secure the investment for the security projects they need. 

The solution lies in agile operating models. Enterprises that have these models are more able to effectively allocate available resources to fund investments in security. This alignment requires the enterprise to identify its most critical assets and prioritise its highest-risk areas. On top of this, enterprise CISOs looking to modernise cybersecurity operations need to think strategically, by focusing on multi-year cost optimisation rather than pure cost reduction. Similarly, cyber finance leaders are driving the shift from on-premises to cloud, and from capital expenditure (CapEx) to operating expenditure (OpEx).

With this in mind, here are the five key actions that can make it easier for CISOs to secure funding, manage budgets and optimise business outcomes. 

1. Communicate risk tolerance to the board

Executive leaders, who are increasingly expected to speak the language of the board and the business in addition to being fluent in cybersecurity, must build resilience through pragmatic security investments in support of organisational growth objectives.

When facing budget cuts – whether they come from the board, the CFO, the CEO or elsewhere – the CISO first has to focus on the organisation's risk tolerance. If the CISO thinks the requested cuts will materially increase that risk tolerance, there’s a fiduciary obligation to report that finding to the board. The board must either formally accept the higher risk tolerance – something shareholders are unlikely to appreciate – or discuss with the CISO the level of cuts that can be made without increasing the cybersecurity risk. One solution is to rely on cost-efficient managed service providers. Another is to automate tasks wherever possible.

2. Discover best-of-suite technology solutions you may already own 

When a software provider expands its capability set, either through a series of acquisitions or in-house development, it can offer its customers advanced features across a wider spectrum. Considering that most organisations have a long list of security products required to protect the enterprise, employing a best-of-suite approach reduces operational complexity while maintaining exceptional execution. Meanwhile, new tools and capabilities are continually being implemented, so the target security stack is always evolving.

The CISO’s team should perform ongoing analyses of the enterprise landscape in terms of licenses, applications and tools, and include a market view on where expansion and consolidation are possible. Are there overlaps or redundancies that can be resolved, thereby finding OpEx and CapEx savings without losing functionality?

Switching from best-in-class to a best-of-suite that offers a variety of tools may save money in the long run (the immediate cost to switch technology needs to be factored into the discussion) and also help with operational execution and reporting because log data would be consolidated.

3. Automate to scale and mature processes 

This is arguably the best way to get the most bang for your security buck. Automation can relieve cybersecurity teams of the necessary but repetitive tasks that take up much of their time. It can also help companies more easily scale their security efforts and, with the help of machine learning, it can even design response plans for things like ransomware attacks. The promise of automation in security has become real, and organisations adopting these processes and associated technology are seeing significant cost savings.

4. Enlist a managed services provider

Third-party managed services can provide efficient risk management at scale. Using security specialists can be less costly than relying on internal employees who may require extensive training to get them up to speed. Because security is all these managed services providers do, they are well-equipped to get a cybersecurity defence plan where it needs to be without over-investing. In certain cases, internal employees can be shifted to other activities while the outsourcer executes control processes better, faster, cheaper – allowing you to do more with less.

5. Develop a flexible workforce

Budget cutbacks invariably include a strong suggestion to reduce the workforce. But layoffs may be avoidable. If the cybersecurity team consists of a nimble, cross-trained group with a wide range of talents and experience and multiple certifications, money could be saved by reprioritising and refocusing employee assignments to support the new company direction.

The task of balancing the key aspects of cost, value and risk is crucial to securing ongoing or additional funding. CIOs and CISOs must evolve financial management practices to meet this new normal. The goal is to create a better return on investment from a risk reduction standpoint and an ability to drive customer trust and potentially enter new markets.

As digital initiatives produce opportunities for new revenue streams and expanding business operations, an agile cybersecurity strategy combined with cost optimisation innovations offers the best way to create value in today’s evolving landscape and mitigate potential damage from cyber crime.

Tony Buffomante is Global Head of Cybersecurity & Risk Services at Wipro
