Saving on Cyber

Sep 04, 2024

How to Reduce Spend and Increase Resilience in Five Steps

The five steps below help guide you on how to get the best return on investing your organization’s limited resources in improving your cyber resilience.

1. Be Proactive: Don’t wait to be asked to review your investment and expenditure on cyber resilience. Now is the time to challenge the accepted ways of doing things, think of how cyber resilience can be truly embedded in the organisation, and enable the organisation to move faster in a challenging global and economic environment.
2. Plan Outcomes: Think holistically and strategically, create a comprehensive investment plan for the next three years, and always ensure you and your cyber strategy are aligned to the north star of your organisation. The NCSC has published a great guide on how to produce an investment plan.
3. Execute Boldly: Make sure that every transformation activity is clearly mapped to controls outcomes, aligned to your north star, and focussed on executing and delivering outcomes. No activity should be undertaken if the path to an outcome is not clearly defined and understood. Ask yourself how this activity will improve our resilience and enable our organisation.
4. Operate Inclusively: Now is the time to extend the cyber operating model to the entire organisation. Cybersecurity is done with the organisation and not to the organisation. If you are not already embedded with procurement, risk, information technology, and other operational areas, now is the time. Leverage service-based outcomes with intelligent sourcing strategies aligned to ecosystems with artificial intelligence embedded. The ideal is that you build and consume services where security is already embedded by default and by design.
5. Assure Clearly: Make sure that your assurance activity not only provides coverage over your controls landscape but is also aligned to a common set of controls as defined in your cyber strategy and controls framework.

The final thing to remember is that proactive activity in cyber resilience is always more effective than reactive activity, provided the proactive activity is targeted at the right area and the outcome is achieved effectively and efficiently. Spending money on responding to and recovering from incidents will, in my opinion, never be as good an investment as preventing or limiting the incident to begin with.


The Cyber Challenge

As a cyber leader, you may have already faced pressure to cut costs, or you may even still be stuck in the uphill battle of getting funding to begin with.

If not, your manager, whether it’s your CIO, CFO, CEO, or the Board, may soon ask you to do so. In fact, they may already be at your office door or sending you a message to ask for a catch up.

Like any cyber leader, you have probably already thought your budget was too low to make the organisation resilient enough. So how can you reduce your spend even further without exposing your organisation, its people, your customers, and yourself to too much risk?

This is a common problem I hear from many people I talk to. It reflects the difficult times we are in. We have been saying at DEFEND, for a long time now, that we live in a VUCA world. That means a world full of volatility, uncertainty, complexity, and ambiguity. We all knew hard times were coming but many of us didn’t expect it to be this challenging.

It means we face more hostile threat actors, resource retention issues, and supply chain uncertainties. There are also more threats like insider risks from disengaged staff or losing key skillsets from downsizing. This is on top of a more competitive market regardless of the industry we are in.

The world we live in and the challenges ahead affect us in many ways, professionally, socially, and personally. But rather than try and address those wider concerns, let’s focus on what that means for cyber security and organisations’ focus and commitment in this critical area in the future.


The Short History of Cyber

Cybersecurity has struggled to establish its own identity in organisations, separate from the Finance, Risk, or Information Technology departments. In some organisations this is still ongoing, and in most, even where cyber security stands on its own, the budgets, value and organisational benefit are still unclear. That is not surprising: 15-20 years ago the whole field was almost invisible at an executive level, and it has been competing against the classical pillars of an organisation that had been around for many years.

The additional challenge that cyber security now faces is to validate the limited investment, cut costs, and ensure that every dollar spent brings measurable value to the organisation. Is this a fair expectation in cyber security? Should cyber security save as much as other organisational areas? The short answer is yes. At DEFEND, we always say that every dollar spent on cyber security must link back to how it enables the organisation to be more cyber resilient and efficient.

Cybersecurity leaders have wanted to be part of the executive team and to be equal to other business areas. That position also means they must support the organisation’s viability and help save costs during tough times.


What are the next steps?

The real issue then is: how do I save money while avoiding any lasting damage or exposing the organisation to unacceptable risk? In a time when organisations are striving to stay viable, it is not unreasonable to expect them to be willing to take on more risk, but they still need the cyber security leader to provide the context that lets them understand what that risk entails.

I would summarise this in a simple principle, which isn’t simple to put into practice but helps to guide decisions. This is the principle of “don’t drill holes below the waterline”. It means that you should assess every action in terms of its potential impact: if your decision creates a hole in your organisation’s boat that is below the waterline, it will result in a leak that may not be possible to fix.

That is of course easier said than done but maybe the following five steps will help you to develop your cyber security cost saving plan and be proactive in responding and contributing to the challenges your organisation is facing.


STEP 1

Compartmentalise Your Spend

I have found over the years that all cyber security investments fall into four basic categories. I’m sure there are nuances or outliers, and as cyber security professionals we will quickly find the exceptions. Since a great trainer told it to me many years ago, I have always loved the saying attributed to George E. P. Box, “all models are wrong, but some are useful.” It acknowledges that a model is not there to be 100% correct but to provide us with a useful tool. Therefore, let’s go with this model that categorises all spend into the four areas of Plan, Transform, Operate and Assure.

Here is a quick summary:

Plan: Anything that involves strategy, policies, standards, roadmaps, or other activities required to determine where to go and what to do.
Transform: Anything that involves moving the organisation from its current state to an agreed target state; this quite often involves programmes of work or discrete projects, and can span the entire organisation, not just the cyber security team.
Operate: The ongoing operations that keep the deployed controls across the organisation working effectively. This covers not just the cyber security team but the wider operational teams that may be supporting the infrastructure or technologies required to provide resilience to the organisation.
Assure: Audit, checking, assessment or other related activity intended to validate the effectiveness of the controls deployed across the organisation.

Outcome

Capture all direct and indirect cyber security costs and assign them to the four categories: Plan, Transform, Operate and Assure.


STEP 2

Reducing Plan

To help understand where costs can be cut and get a better view of the waterline, it helps to establish some key principles. These are things we must ensure are maintained to support the ongoing viability of the organisation.

There will no doubt be some principles that are unique to your organisation, your regulatory requirements, your overall organisational objectives, and other considerations.

However, here are a few that should be considered for inclusion:

Never Lose Sight of Your North Star: While it is possible to cut and decrease planning, strategy work, long-term roadmaps, and other related activities, this must never be at the expense of losing sight of the direction. A boat on the ocean without a compass to guide the way will quickly lose its way, no matter what its speed. Therefore, ensure that your north star is always clearly defined and aligned to the strategic objectives of the organisation. If the organisation changes approach, be prepared to update your cyber security north star as well.
Know Your Threats: While endless days can be whiled away building and going through detailed risk analyses, registers, and copious amounts of testing, we should be able to cut straight through that and ask some basic questions. What is most important to us, what are we most dependent on for success, and what could impact us the most? Anybody that knows me knows that my first step to solving almost any cyber security challenge is to start with a threat workshop. This ensures that you know what bad things could get in the way of supporting your organisation to stay focussed on the north star. To me, a good threat workshop will leverage an understanding of the organisation to:

  • Identify the key organisation assets (hint: that’s more than just a list of services or cloud instances).
  • Capture any key regulatory or other external requirements along with a view of the threat landscape.
  • Consider the most likely things that could go wrong (hint: they don’t need to just be cyber).
  • Draw up half a dozen to a dozen key scenarios of what could go wrong and then start to understand what controls are in place to protect against them.
Be Prepared: It may sound unnecessary, but trust me, it’s not. If you know where your organisation is going (the north star) and you have captured what could go wrong and impact you the most, you should ensure that you have the basics to deal with the likely incidents if they occur. Like any journey, be it organisational or through the jungle, it’s critical to ensure that you can always respond to and deal with the events you are most concerned about, and being prepared for them is a core principle. For a simple guide on how to set up your incident management and response plans, the NCSC has published a guide.
Safety First: Whatever cuts and reductions we make, we should always ensure that we are maintaining the safety of our people and our customers. Make sure that’s always in your focus and part of your mission.

By following these principles, you can streamline your cyber security strategy and make sure that everyone in your organisation knows what matters most for cyber security. Don’t be tempted to add many more principles, as that defeats the purpose of being focussed, and the added complexity flows through to all your subsequent steps. You should communicate this clear purpose through the key governance forums and regular cyber security reports. The NCSC has published a guide with more details on the governance of cyber security.

During uncertain times, it is crucial to have a clear link between operational, management, and executive levels to guide decision making. So, you should always keep up, or start, regular cyber security reporting to the board.

You should also use a clear dashboard that shows the progress, speed, and key success factors in an organisational context. The dashboard and reports should flow up from the operations to the executives, and the guidance and direction should flow down from the executives to the operations through effective governance.

By following the principles and supporting them with good governance and clear reporting, you can reduce the spending on Plan while the organisation faces the wider challenges in the coming months and possibly even years.

Outcome

Go back to basics and be clear on your core principles. Use a threat workshop or another method to identify your assets and the possible threats to your organisation. Make sure there are effective governance forums that establish a clear line of sight from board to operations, supported by meaningful reporting with dashboards.


STEP 3

Focussing Transformation

An organisation should always maintain a cyber security programme, no matter the budget and investment. Even if this is not leading to significant changes, it must ensure that the current state is preserved and that some improvement is continuously made. Doing nothing is a decision too, and arguably the worst one, when facing the upcoming challenges. We all know from our own experience of maintaining our homes and gardens that leaving things unmaintained results in aging and entropy taking over. The same applies to cyber security controls: any control that is neglected will worsen over time, reduce in effectiveness and negatively impact the resilience of the organisation. Maintaining and improving controls should always be more cost effective than designing and deploying new ones.

Moreover, some of the most skilled and valuable cyber security resources may be hidden within the transformation space of an organisation. Therefore, stopping the programme, even for a short period, can lead to losing key resources and an even faster decay of controls. Operational teams may commit to do maintenance and continuous improvement with good intentions, but they will often struggle to do so because of their already busy workload and the constant pressure of reactive tasks.

Therefore, in difficult times, the action should not be to pause, but rather to follow the principle of “do more of less”. That means narrowing down the activities and deliverables and really focusing on the outcomes that will bring the most value. That does not necessarily mean going for easy wins, but rather what will provide the most return. Return in this case must be linked to the controls that are being preserved, enhanced, or introduced. I put them in that order, as that should be the order of priority. Before adding new controls, make sure that existing ones are maintained and fully utilised.

A key aspect to consider is whether this is the time to fully leverage the features of technologies that are already licensed, consolidate duplicate capabilities, and simplify overall complexity. At a practical level, this may mean collaborating with wider technology teams to help reduce the complexity of their endpoints, infrastructure, network, or cloud environments, as this will inevitably make them easier to secure with controls. It is also the time to consider whether the built-in security features of a given technology stack are sufficient to achieve an outcome, rather than adding more security technologies on top of them. In particular, the ongoing lifecycle cost in terms of people, process and technology needs to be considered for any service or capability. If introducing a new service will generate thousands more alerts and there is no headcount to expand an already overwhelmed operational team, then perhaps the money is better spent on tuning or on using artificial intelligence to improve existing capabilities.

Finally, it is worth noting that if your organisation has not already chosen an ecosystem approach over best of breed, then now is the time. Defence in depth is not buying multiple technologies and hoping you can support them. It is about establishing layers of controls that work together in harmony and alignment to detect, contain, eradicate, and recover from threats. Any technology ecosystem that achieves this across a range of controls is better than trying to maintain trained individuals and custom integrations.

In the end the fundamental principles of any cyber security transformation should apply:

Organisational Alignment: How does this activity align to our north star and enable our organisation to be more resilient in a VUCA world?
Threat Context: Which of my top threat scenarios is this investment helping with to reduce our overall risk?
Controls Mapping: Which controls is this investment maintaining, improving, or creating? Remember that the order is important.
Total Cost of Ownership (TCO): What is the cost of not just this activity but the full cost that it brings into our organisation?
Efficiency & Effectiveness: How is this investment making us more efficient and effective as an organisation? If artificial intelligence hasn’t already been considered for this investment, then it probably should be, with clear use cases defined.

Outcome

Any investment in transformation focusses on ensuring that the effectiveness of existing controls is maintained, that clear alignment with the north star is maintained, and that the programme commits to doing more of less rather than being stretched too wide.


STEP 4

Operational Efficiency

Operations is the core of most organisations; it is what keeps the wheels turning. It makes sense then that this is the area where any cuts need to be made very carefully. Unintended impact in operations can quickly lead to key controls becoming ineffective and potentially exposing the organisation to serious cyber risks. This applies not only to the cyber security team, but also to the whole organisation, as everyone is involved in cyber resilience. Especially in times of transformation, change and uncertainty, you may need to depend on your operational capability to safeguard the organisation’s assets and to keep things going.

Having said that, there are always opportunities to look for efficiencies and the four main areas are operating model, sourcing strategy, ecosystems, and artificial intelligence:

Operating Model: We always say that effective cyber security is done with you and not to you. Therefore, maybe now is the ideal time to review how you could integrate the effective operation of your cyber security controls into the wider organisation. I think that most cyber security teams realistically only directly influence 30-40% of the controls that are needed to make an organisation truly cyber resilient. It follows that any consideration of operational efficiency of cyber security controls should go beyond the cyber security team and consider the whole organisation. In fact, the more cyber security controls can be integrated within the normal organisational processes and practices, the more likely they are to become part of day-to-day operations. It also allows existing teams and resources to be used better. If you haven’t done it already, creating an operating model that maps your cyber security controls to organisational functions or processes is a great way to start looking for efficiencies and to embed cyber security into everything your organisation does.
Sourcing Strategy: Maybe this is just a fancy way of saying which services you deliver internally and which leverage service providers. The output from the operating model should be a useful guide here to help identify some clear service capabilities for your sourcing strategy. There is, however, another aspect that really needs to be considered, and that is which services can be used securely as opposed to needing a security layer over the top. It is not unreasonable to expect a car to come with seatbelts, airbags, and an alarm. It should therefore not be unreasonable to expect that cloud, network, end user compute, and the many other online and cloud services come with security included. If it is not enabled by default, the option is often there as an uplift. Again, this is a challenge that sits outside of the typical cyber security team and should be done in collaboration with the wider organisation’s teams to consider where services can be used that already meet the cyber security requirements of the organisation. Why pay for, or be expected to add, seatbelts, alarms, and airbags to an offering that should have these included by default? Now is the time to set the expectation that your organisation expects all services it uses to be secure by default and by design. This allows an effective sourcing strategy to be built with a view to saving costs across the organisation’s operational environment. One additional note around sourcing is tendering versus partnering in a VUCA world. In an environment where our own organisation is expected to change and transform on an almost daily basis, we need to ask ourselves: do we want to tender to many providers for services locked into a fixed scope, or do we want to build trusted partnerships with providers that will come on a journey with us?
Having worked on both sides of this equation for many years, I’m a firm believer that trusted and transparent partnerships built on mutual support and understanding will always stand the test of time. They allow organisations and their service providers to go on a journey together based on a shared goal and outcome.
Ecosystems: If the term best of breed has not already been abandoned in your organisation’s technology and cyber teams, then perhaps now is the last push to get it out the door. Best of breed sounded great 20 years ago, when information technology budgets were plentiful and we had an abundance of technical resources to throw at learning, designing, developing, integrating, and maintaining complex interrelationships across technology stacks all purchased on a best of breed basis. Times have well and truly changed: the speed of technological change, the rapid evolution of the threat landscape and the constantly shifting demands of our organisations mean we cannot afford to maintain the skillsets, let alone the complex integrations. Threats move laterally across our organisations, and we need our technology stacks to work together to detect them and prevent them from impacting us. Combined with the struggle to retain skilled experts and cost pressures, there has never been a better time to focus on adopting core technology ecosystems across the organisation. In this regard less is yet again more, and focussing on a single ecosystem can work very well. That doesn’t mean that there won’t be outliers and specialist technologies where the need requires it. Especially if zero trust is part of your overall organisational journey, the ability to centrally manage policies across the six key areas is vitally important. By now it should come as no surprise that, again, this is not something the cyber team can do in isolation; it requires collaboration with the wider organisation. Any ecosystem is usually part of wider technology service delivery and usually has significant end user impact. Therefore, working with the wider organisation to define personas, build use cases, establish principles, and leverage ecosystem investments is mandatory.
Artificial Intelligence: AI is essential in this age. It doesn’t matter whether your AI can pass the Turing test or not. What matters is how you use AI to do things better and faster. Within the cyber security team, there are many ways that AI can help you handle incidents and improve your services. Across the wider organisation, there are even more ways that AI can give you an edge in a competitive market. You should have already addressed the security risks and data exposure from AI and be focussing on how to use more capability to add more value. See whether AI can help you automate without defining and standardising first, and move directly to creating value. If AI is not part of your transformation to improve operations and efficiency, then you need to change that.

Outcome

Operations keeps our organisation moving forward, and we should not risk losing that. We can create an integrated operating model that links cyber security and the organisation, and uses a collaborative, and hopefully partnering, sourcing strategy that leverages organisation-wide ecosystems with artificial intelligence to boost efficiency and effectiveness.


STEP 5

Aligning Assurance

Assurance should be a clear guide for allocating the organisation’s limited resources to the right areas. It should not distract the organisation from its north star or repeat information that is already known in another way. In some cases, poor assurance can be more harmful than helpful. I have seen organisations lose track of their well-designed strategies and roadmaps because of misguided findings from audits and assessments. Therefore, if you don’t have an assurance framework in place yet, now is the time to create one. It may sound like extra work, but if done well, it can help reduce and focus assurance activities. More importantly, it can help achieve the objective of bringing together multiple lines of defence to ensure a clear understanding of the design and operating effectiveness of controls and how they impact the risk position and overall cyber security resilience of the organisation.

This may seem like a high standard, but it can be done quite simply in practice. Assurance is usually achieved through a mix of validation activities, or lines of defence. These include self-assessment, internal assessment, external assessment, and ideally, wherever possible, automated assessment. The NCSC provides a good overview of this in step six of the Charting Your Course publication. However, before the lines of defence can be considered, it is vital to make sure that the assurance framework is aligned with your organisation’s main goal. In practice, this means that any assurance activity must be aligned with a common definition of what good looks like across the organisation, as defined in your controls framework. There is no point in having disconnected assurance activities across different parts of the organisation that show a different view of resilience or risk because they are based on different control sets or different ratings of effectiveness or maturity. The definition of what good looks like should be based on a consistently adopted controls framework, such as ISO27001, NIST CSF, CIS18, Essential 8, NZISM or any other. If I were to be bold, I would say that the actual controls framework chosen is less important than the fact that it is consistently agreed and implemented across the organisation.

With the definition of good agreed, it is easier to consider all the assurance activities in place and align them so that they cover the best range of controls, determining design and operating effectiveness across the organisation. Coverage is important, but if trade-offs in coverage need to be made, a good understanding of the threats and your organisation’s assets can help achieve better focus. A useful, but potentially difficult, metric to measure is the last time a specific control or group of controls was validated. You might be surprised how many years can pass without someone checking whether a control is still effective. How often would you check to see if your back door is locked?

The most important outcome is that the results of any assurance activity are fed back into the planning stage to guide future investment, are used to focus transformation activities, and are applied by operational teams to drive continuous improvement. Assurance without action is a waste of already scarce resources.


So hopefully the above guide has been useful for you (and thanks for staying with me to the end!). I’d love to hear your thoughts on the above, and if you have any questions, feel free to drop me a note.

Wenzel Huettner

CEO, DEFEND
