Maximizing Effectiveness: Justifying Cybersecurity Investments in a Stormy Economy

October 3, 2023

Economic uncertainty naturally comes with a need for more measured and prudent spending. Despite many companies battling high inflation and bracing for a possible recession, now’s the time to focus on security investments rather than hitting the pause button.


That’s because this isn’t like the last recession. The world has changed radically in the last 14 years through widespread technology adoption, increased interconnectedness and a growing attack surface. Sweeping digital transformation has created a new threat environment and fomented unprecedented levels of cybercrime, meaning that maintaining a healthy cybersecurity program is more critical than ever before. Ahead, we offer timely considerations and recommendations to help you not only justify the security technology you currently have in place, but maximize it as well.



Rationalize the Technology You Have

When the inevitable downturn looms, businesses tend to maintain and manage the technology they already have in place. But with the average organization juggling anywhere between 70 and 90 security tools at any given time, keeping track of them and how they’re deployed can be challenging. Unneeded, unused and underutilized technology can come at an inflated cost when it comes to:


  • Inefficient allocation of security personnel time
  • Licensing fees
  • Delayed or impeded expansion, enhancement and integration of existing tools
  • Replacing current tools with best-of-breed solutions


Here’s where action is needed to ensure you have the right technology in place to support both your tactical requirements and overall security strategy. We call this approach, “technology rationalization.”


The rationalization process first accounts for all your business’s technologies and maps them against your security strategy and/or a cybersecurity framework, such as the NIST Cybersecurity Framework (CSF). This stage includes discovering and identifying existing technologies, how they are used, their current states and their efficacies in the environment.


Once discovery is complete, an analysis can build a matrix of security controls that aligns with the existing set of technologies and their operational state within the environment. This yields specific technology gaps against security controls, finds weak processes around tool use, identifies redundancies and spots missing integrations. It also lays the foundation for a roadmap that will inform opportunities to eliminate, expand or enhance specific security technologies and tools on a manageable timeline.


While overall security technology costs can sometimes increase as best-of-breed solutions are enhanced and expanded, technology rationalization often results in significantly lower costs as overlapping tools are eliminated, software licenses reduced and engineering and training costs cut. What’s more, security personnel can turn their focus onto more productive efforts with fewer tools to manage.



On Mergers and Acquisitions

Another pertinent consideration for many organizations is the real possibility of undergoing a merger and/or acquisition (M&A) at some point. As part of an M&A process, leaders must determine which company’s security tools should ultimately be used. Success in this area is largely dictated by discussions around not only technology but also previous contracts, expanding requirements and personnel — meaning that an enterprise’s “people” should remain a main part of the conversation as well.


Such discussions also surface important questions. For example, do the current and new teams’ members have the time and expertise to train, deploy and manage a new security tool set? Do existing security solutions truly address the full requirements (business, technical and process) of the new company? Will gaps now be discovered as the companies combine?


Answering these can be difficult, so it’s often beneficial to bring in a new set of eyes to critically examine the current state of the security tool stack and provide guidance for action. Here is a prime situation where a technology rationalization assessment can come into play.



Keeping Compliant

As security teams are undoubtedly aware, there are plenty of regulatory, audit and cyber insurance mandates that affect security technologies, which, regardless of the state of the broader economy, still need to be addressed without delay. The security landscape may be moving to the cloud, but compliance and regulatory demands aren’t going anywhere anytime soon.


Rationalizing existing technologies restores visibility to help clarify and simplify a company’s regulatory obligations. It can also help strike the right balance between reasonable vendor licensing costs, compliance with security policies and organizational mandates.



Final Thoughts

To be clear, accounting for your organization’s use of security technologies will not come without challenges. A solid security strategy is crucial to knowing which controls are most important and to identifying the appropriate technologies needed. There’s also a time and resource commitment to work through the discovery, analysis, control mapping and roadmap development processes.


All said, there are significant benefits to a rationalization effort. Most notably, better alignment of your technology to your organization’s security strategy and frameworks, and better communication between tools. After all, it’s not necessarily about how many tools you have, but how well they integrate to drive the outcomes you seek.


Given all these factors, we recommend using a strained economy as an opportunity to justify your security investments. Taking stock of your current technology is a great place to start, and if you’re looking for additional help, consider enlisting a trusted outside advisor. Regardless of how it’s accomplished, an optimized and integrated tool stack will go a long way toward reducing costs and shoring up your security program, especially through uncertain times.

Keith Watson
Keith Watson is a director for Threat Management services at Optiv. He leads a team of professionals focused on finding the right solutions for clients through social engineering, application threat modeling, embedding security in SDLC, incident management program development, incident response services, vulnerability management program development, remediation services and penetration testing of infrastructure, applications and facilities.

Keith’s fascination with information security started while in college in 1995 and has continued through his various security roles, from security tool developer, consultant, product manager, research engineer, course author and enterprise security architect.
Joe Burch
Engineering Fellow, Identity and Access Management | CyberArk
Joe Burch is an Engineering Fellow in Optiv’s IAM practice on the PAM CyberArk team. Joe’s role is to provide pre/post-sales support and consulting to Optiv’s clients with expertise in CyberArk solutions as well as providing support and mentoring to other Optiv team members.

Joe has over 20 years of experience ranging from small businesses to Fortune 50 corporations in a multitude of industries. He is a subject matter expert in the design and implementation of CyberArk solutions, and is experienced in several other areas of server security. Areas of expertise includes server based technologies, SSO, CyberArk, Risk and Controls and RSA. Prior to joining Optiv, Mr. Burch was principal SME on CyberArk and RSA for a Fortune 50 company.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit