September 19, 2022
Having spent most of my career in the “trenches” building and enhancing security programs, I’ve learned something over the last few decades about managing security programs during uncertain times. Many companies are bracing for a recession and that means less spending and more running the script of how to save money and where to cut. If you’ve been tasked accordingly, keep reading. I have a few ideas for you to consider.
In this article I’ll provide a primer on spending types, then discuss a method for reviewing the staffing needs and efficiency of your team. You probably aren’t new to this game, as most security professionals understand “ABC” (the sales concept of “Always Be Closing”). Who would’ve thought that a major part of our remit as security professionals would be selling our program and initiatives… constantly.
A close look at compliance and regulatory/industry requirements will help uncover some needed projects; however, some of you are likely still struggling with PCI requirements that have been around since 2004. We sell and sell and push and push, and yet we are regularly forced to argue our PCI approaches with senior leaders because things like segmentation will break the business or the bank. So my words of wisdom are likely based on knowledge and skills you already have and approaches you have already tried – but listen in, these tips are a little different.
In order to be good at program and roadmap planning and business alignment, you have to understand how senior leaders are thinking. It may seem like smoke and mirrors, but it’s really a strategy to ensure your initiatives are funded (or at least to ensure funding is there). So, when you are trying to prioritize during times like this, think about how to get your roadmap items done without spending capital, or CapEx. Be careful though – if you start throwing around terms like CapEx, you may end up with that coveted corner office (if offices were a ‘thing’ anymore)!
CapEx, or capital expense, is like cash. The old way of computing meant that a cost center was involved to manage physical assets in a data center, plus all the maintenance, care and feeding needed to keep that equipment up and running.
There are pros and cons to leveraging CapEx. The pros generally center on the tax benefits of depreciating physical assets over time: the cost is incurred now to create a benefit in the future. Measuring depreciation over time means you may be stuck with an asset for up to 5 years to see the benefit. IT organizations that operate mostly on-prem equipment are spending between 70 and 80% of their budgets on KTLO (keep the lights on) activities, leaving IT with little room for keeping up with the times.
Maintenance for equipment gets fuzzy – consult your CFO or legal team for more advice on this. All this money management and lack of capital impacts your security team’s efforts because you must secure the old stuff that IT is forced to maintain. This leads to legacy systems and unsupported network infrastructure if not managed.
OpEx, or operating expense, refers to funds that support everyday annual expenses; traditionally, these funds were used to pay for consumables and supplies. This can be paid for with a line of credit. As I said, maintenance is a little fuzzy and may need more trained eyes to determine how to fund it, but short-term or quick-fix maintenance is generally how to think of OpEx. Another interesting turn of events is that cloud initiatives and managed services are considered OpEx in most instances. They’re a little like subscriptions, and therefore considered operational expenses.
One way to think about the two funding types is that CapEx is cash and OpEx is credit. Depending on your company and the way it handles money, cash is usually harder to come by. Credit, however, is readily available. For this reason, the cloud market and managed security services have supported a ton of innovation, cost savings and increased efficiencies.
It’s likely that the company you work for has a preference between the two, and if they’re betting on continued growth, you may have better luck funding your roadmap plans with OpEx spending (and understanding exactly what you need and the options for getting there). For example, we’re all forced to do more with less, but how severe are your staffing needs? With the talent deficit, it’s likely you’re struggling to find good people just like everyone else.
While we’re talking about money, it’s important to also think about another type of capital: human capital. If you’re already suffering with a lack of team members and controls that are neglected or continuously pushed aside, you may consider a security team organization and staff review. This assists with organizational budgeting and planning, helping you develop a cost savings strategy that improves efficiencies and reduces risk. Here are a few questions to get you thinking about it:
This is an opportunity to increase efficiencies and reduce cost. I’m not talking about team reduction, as we’ve already established that there’s a gap between what should be done and what is getting done. We need to apply a methodology to determine targets for outsourcing, where better team training is needed, which tasks are important and what’s OK to stop doing.
Managed services, like salaries, are considered OpEx. Financing can be more palatable if you can demonstrate how moving work to a third party benefits the organization. Managed services should be considered an extension of your team, but you need security team staff to monitor your managed services for operational and risk reduction benefits. This is a must-do for all your outsourced work.
A great example of an opportunity to reduce risk and increase efficiencies is third-party risk management as-a-Service (TPRMaaS). An estimated 67% of all companies say they have an effective vetting process for vendors, yet most companies look at a vendor only once during its tenure with the company. This approach leaves a lot to be desired, given that 63% of breaches occur through a third party.
Baseline your current approach, partner with a strategic outsourcing partner and measure again once the new outsourced process has had time to mature. You’ll see the difference quickly, and this provides you with excellent metrics to demonstrate improvement.
Here are some tips to keep handy:
Finally, remember that you are part of a team. When a business decision is made, and you don’t get what you asked for, keep measuring and keep working to gain champions in the business and allegiance in IT. This is the best spend of your human capital and will not depreciate!