Maximizing Effectiveness: Justifying Cybersecurity Investments in a Stormy Economy

October 3, 2023

Economic uncertainty naturally comes with a need for more measured and prudent spending. Despite many companies battling high inflation and bracing for a possible recession, now’s the time to focus on security investments rather than hitting the pause button.

That’s because this isn’t like the last recession. The world has changed radically in the last 14 years through widespread technology adoption, increased interconnectedness and a growing attack surface. Sweeping digital transformation has created a new threat environment and fomented unprecedented levels of cybercrime, meaning that maintaining a healthy cybersecurity program is more critical than ever before. Ahead, we offer timely considerations and recommendations to help you not only justify the security technology you currently have in place, but maximize it as well.

Rationalize the Technology You Have

When the inevitable downturn looms, businesses tend to maintain and manage the technology they already have in place. But with the average organization juggling anywhere between 70 and 90 security tools at any given time, keeping track of them and how they’re deployed can be challenging. Unneeded, unused and underutilized technology can come at an inflated cost when it comes to:

  • Inefficient allocation of security personnel time
  • Licensing fees
  • Delayed or impeded expansion, enhancement and integration of existing tools
  • Replacing current tools with best-of-breed solutions

Here’s where action is needed to ensure you have the right technology in place to support both your tactical requirements and overall security strategy. We call this approach “technology rationalization.”

The rationalization process first accounts for all your business’s technologies and maps them against your security strategy and/or a cybersecurity framework, such as the NIST Cybersecurity Framework (CSF). This stage includes discovering and identifying existing technologies, how they are used, their current states and their efficacies in the environment.

Once discovery is complete, an analysis can build a matrix of security controls that aligns with the existing set of technologies and their operational state within the environment. This yields specific technology gaps against security controls, finds weak processes around tool use, identifies redundancies and spots missing integrations. It also lays the foundation for a roadmap that will inform opportunities to eliminate, expand or enhance specific security technologies and tools on a manageable timeline.

While overall security technology costs can sometimes increase as best-of-breed solutions are enhanced and expanded, technology rationalization often results in significantly lower costs as overlapping tools are eliminated, software licenses reduced and engineering and training costs cut. What’s more, security personnel can turn their focus onto more productive efforts with fewer tools to manage.

On Mergers and Acquisitions

Another pertinent consideration for many organizations is the real possibility of undergoing a merger and/or acquisition (M&A) at some point. As part of an M&A process, leaders must determine which company’s security tools should ultimately be used. Success in this area is largely dictated by discussions around not only technology but also previous contracts, expanding requirements and personnel — meaning that an enterprise’s “people” should remain a main part of the conversation as well.

Such discussions also surface important questions. For example, do the current and new teams’ members have the time and expertise to train, deploy and manage a new security tool set? Do existing security solutions truly address the full requirements (business, technical and process) of the new company? Will gaps now be discovered as the companies combine?

Answering these can be difficult, so it’s often beneficial to bring in a new set of eyes to critically examine the current state of the security tool stack and provide guidance for action. Here is a prime situation where a technology rationalization assessment can come into play.

Keeping Compliant

As security teams are undoubtedly aware, there are plenty of regulatory, audit and cyber insurance mandates that affect security technologies, which, regardless of the state of the broader economy, still need to be addressed without delay. The security landscape may be moving to the cloud, but compliance and regulatory demands aren’t going anywhere anytime soon.

Rationalizing existing technologies restores visibility to help clarify and simplify a company’s regulatory obligations. It can also help strike the right balance between reasonable vendor licensing costs, compliance with security policies and organizational mandates.

Final Thoughts

To be clear, accounting for your organization’s use of security technologies will not come without challenges. A solid security strategy is crucial to knowing which controls are most important and to identifying the appropriate technologies needed. There’s also a time and resource commitment to work through the discovery, analysis, control mapping and roadmap development processes.

All said, there are significant benefits to a rationalization effort, most notably better alignment of your technology to your organization’s security strategy and frameworks, and better communication between tools. After all, it’s not necessarily about how many tools you have, but how well they integrate to drive the outcomes you seek.

Given all these factors, we recommend using a strained economy as an opportunity to justify your security investments. Taking stock of your current technology is a great place to start, and if you’re looking for additional help, consider enlisting a trusted outside advisor. Regardless of how it’s accomplished, an optimized and integrated tool stack will go a long way toward reducing costs and shoring up your security program, especially through uncertain times.

Keith Watson
DIRECTOR, THREAT MANAGEMENT | OPTIV
Keith Watson is a director for Threat Management services at Optiv. He leads a team of professionals focused on finding the right solutions for clients through social engineering, application threat modeling, embedding security in SDLC, incident management program development, incident response services, vulnerability management program development, remediation services and penetration testing of infrastructure, applications and facilities.

Keith’s fascination with information security started while in college in 1995 and has continued through his various security roles, including security tool developer, consultant, product manager, research engineer, course author and enterprise security architect.

Joe Burch
Engineering Fellow, Identity and Access Management | CyberArk
Joe Burch is an Engineering Fellow in Optiv’s IAM practice on the PAM CyberArk team. Joe’s role is to provide pre/post-sales support and consulting to Optiv’s clients with expertise in CyberArk solutions as well as providing support and mentoring to other Optiv team members.

Joe has over 20 years of experience ranging from small businesses to Fortune 50 corporations in a multitude of industries. He is a subject matter expert in the design and implementation of CyberArk solutions, and is experienced in several other areas of server security. Areas of expertise include server-based technologies, SSO, CyberArk, Risk and Controls and RSA. Prior to joining Optiv, Mr. Burch was principal SME on CyberArk and RSA for a Fortune 50 company.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.