In the latest of my “no bullshit” cyber blogs, I’ll explain how to save budget across people, process and technology. My name is Nick Harris, and I’m the CISO in Residence at Assured.
In some of my previous blogs I’ve looked at the role of vendors and VARs and how to take a more pragmatic approach to risk management. But maybe there’s a bigger problem than this. I get that vendors have revenue targets to hit and VCs to keep happy, but have we lost sight of the fact that cyber is still about helping?
It seems that cyber is increasingly seen as a way to squeeze cash by selling products that aren’t needed, adding as much mark-up as possible. As a community, we should be here to help, as altruistically as a medical undergraduate embarking on their journey to become a doctor. Have we lost sight of this, and are we now sustaining bloated security budgets? Maybe the grab for cash is the reason boards are now rethinking things. Just how much is enough investment, and do we need a CISO for more than two days a week?
“Keep your team lean by having people that raise the bar, rather than require others to pick up the slack.” Nick Harris
Over the years, I have managed to run with small budgets and cut costs after inheriting larger budgets.
Here are some tips for waste-conscious companies:
- Too much tech: CISOs must always consider the opportunities to consolidate overlapping tooling. Clearly, there are risks involved in taking tooling away, so run A-B testing if you’re not sure. Prime areas to look at are overlapping email controls and training platforms bought separately by security and HR.
- The right vendors: Efficacy is important when consolidating tooling. But I’d also suggest that vendors who turn every monthly CRM call into a sales pitch and insist on every issue and RFI going via some helpdesk portal can be the first to go. CISOs should also be ruthless in driving excellence from their supply chain – the more vendors pitch in, the less effort for the security team. Even if this is a small difference, it all adds up.
- All the eggs in one basket: Investing in one vendor that does everything may feel like a smart move, but it isn’t necessarily cost effective. This particularly goes for vendors that dominate the magic quadrant, for which the customer pays a premium. Consider the pricing of CrowdStrike Falcon or Microsoft E5 as your EDR. Now consider alternative MDR providers (with a good reputation) which can glean all the logs they need with their own agent, and/or a cheaper alternative such as Business Premium Defender. Even after adding missing elements back in, such as P2, you’ll be surprised what can be saved.
- Stay long enough and be ready to move: Don’t lock yourself into three-year deals. I know they’re designed to be attractive, but three years is a long time to wait if you’re not happy with a product. Also, understand how to remove a product. If a service isn’t good or the product has issues, your fail-fast strategy should be supported by processes that allow you to get out fast. At the very least, this should be at 12 months, although a monthly subscription or a contract with criteria and break clauses is even better.
- Scale as you go: Vendors will want you to buy for your expected upper limit of licensing, but we all know that deployment is a gradual process. Often, it is cheaper to buy 20% of the licenses you need, at a premium, and add on 10% each month as you need it. Over the 12-month timeframe, you’ll save a lot. You may even find that, at 12 months, you didn’t need everything you thought anyway.
- Negotiate hard: Vendors know it’s much more expensive to find a new customer than it is to retain one. Use this to your advantage to drive the cost down. If you have a VAR, they should be representing you in this fight to squeeze down costs. A good lever to use is unused features. There may be aspects of the platform that can’t be turned off, but if you aren’t using them, you shouldn’t be paying for them.
- The whole cost: Consider the effort required to maintain a tool in BAU. Because capability = tech + process + people, solutions that require many hours of the team’s time (e.g. to resolve false positives) are likely to be more expensive than those which cost less per license. Not only do costs mount, but the team inevitably gets demoralised, and you’ll also have the cost of recruitment to deal with. Hopefully you understand this during a POV but, even if this isn’t initially clear, pushing the vendor to deliver value and having a rapid exit strategy is worth it.
- Tuning: False positives, defects or benign alerts must be tuned or automated out. It’s too easy to focus on a new incident rather than completely close off an old one. The IR playbook must bake in alert tuning and, as a CISO, you can check how well your SecOps team is running these to ground. Measure false positives regularly and you should see them drop, keeping the workload down, the team small and everyone happier.
- High-performing teams: I have been part of teams where we’ve hired someone we think is just OK, or held onto people while they get up to speed. There is always a place for training up staff. But where the energy and desire aren’t there, it’s time they go, and quickly. Keep your team lean by having people that raise the bar, rather than require others to pick up the slack and drag people down. It’s kinder on the team and on the individual in the long run. There are enough management books on this topic to fill a library, but it remains important. Get the team right to keep costs down. For tips on having a large security team you don’t need to pay for, see this blog.
- Get your messaging right: Where you are saving budget across people and tech, and across OpEx and CapEx, make sure your company is aware of the role you are playing in running a sustainable team, while still reducing risk. You might have created a budget surplus you can hand back, which will definitely earn you brownie points. Or you can negotiate on using it to reinvest in your team – whether this is for risk-mitigating investments, or skilling/rewarding the team beyond what your expenses/training budget was originally scaled for.
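The “Tuning” point above says to measure false positives regularly and watch them fall. The following is an added example of what that measurement can look like in practice; it is not code from the original post or from Assured. It assumes a flat export of closed alerts (rule name, month closed, analyst disposition), which most SIEM or ticketing tools can produce, and the field names, thresholds and sample rows are constructed for the illustration. It reports the false-positive rate per rule and per month, flags rules whose latest month is dominated by false positives (the tuning backlog), and shows the month-on-month trend for one rule so that a tuning change is visible as a drop.

```python
"""Measure false-positive rates per detection rule and flag tuning candidates.

Added example, not from the original blog post. It assumes a simple export of
closed alerts (rule name, month closed, analyst disposition); the field names,
thresholds and the sample rows below are constructed for this illustration.
"""
from collections import defaultdict

TRUE_POSITIVE = "true_positive"
FALSE_POSITIVE = "false_positive"


def _rows(rule, month, fp, tp):
    """Build `fp` false-positive and `tp` true-positive closed-alert records."""
    return ([{"rule": rule, "month": month, "disposition": FALSE_POSITIVE} for _ in range(fp)]
            + [{"rule": rule, "month": month, "disposition": TRUE_POSITIVE} for _ in range(tp)])


# Constructed sample: "Impossible travel" was tuned after January, so its
# February rate falls; "Mass file download" is untuned and all noise;
# "Rare process tree" is noisy but too few alerts to judge yet.
CLOSED_ALERTS = (
    _rows("Impossible travel", "2024-01", fp=9, tp=1)
    + _rows("Impossible travel", "2024-02", fp=2, tp=6)
    + _rows("Mass file download", "2024-02", fp=6, tp=0)
    + _rows("New admin account", "2024-01", fp=1, tp=2)
    + _rows("New admin account", "2024-02", fp=1, tp=3)
    + _rows("Rare process tree", "2024-02", fp=3, tp=0)
)


def fp_counts_by_rule_month(alerts):
    """Return {rule: {month: (false_positives, total_closed)}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for alert in alerts:
        cell = counts[alert["rule"]][alert["month"]]
        cell[1] += 1
        if alert["disposition"] == FALSE_POSITIVE:
            cell[0] += 1
    return {rule: {m: (fp, tot) for m, (fp, tot) in months.items()}
            for rule, months in counts.items()}


def tuning_candidates(alerts, threshold=0.8, min_alerts=5):
    """Rules whose latest month has FP rate >= threshold on at least min_alerts.

    The min_alerts guard stops a rule being flagged on two or three noisy hits.
    Returns sorted (rule, month, fp_rate) tuples.
    """
    out = []
    for rule, months in fp_counts_by_rule_month(alerts).items():
        latest = max(months)  # ISO "YYYY-MM" strings sort chronologically
        fp, tot = months[latest]
        if tot >= min_alerts and fp / tot >= threshold:
            out.append((rule, latest, round(fp / tot, 2)))
    return sorted(out)


def trend(alerts, rule):
    """Month-ordered (month, fp_rate) pairs for one rule, to show tuning taking effect."""
    months = fp_counts_by_rule_month(alerts)[rule]
    return [(m, round(fp / tot, 2)) for m, (fp, tot) in sorted(months.items())]


def monthly_fp_rate(alerts):
    """Overall FP rate per month across all rules: the number a CISO tracks over time."""
    fp = defaultdict(int)
    total = defaultdict(int)
    for alert in alerts:
        total[alert["month"]] += 1
        if alert["disposition"] == FALSE_POSITIVE:
            fp[alert["month"]] += 1
    return {m: round(fp[m] / total[m], 2) for m in sorted(total)}


if __name__ == "__main__":
    print("Overall FP rate by month:", monthly_fp_rate(CLOSED_ALERTS))
    print("Rules needing tuning:", tuning_candidates(CLOSED_ALERTS))
    print("Impossible travel trend:", trend(CLOSED_ALERTS, "Impossible travel"))
```

Run monthly against the real export and the two numbers worth putting in front of the board are the overall rate from `monthly_fp_rate` (it should trend down) and the length of the `tuning_candidates` list (it should stay short). The `threshold` and `min_alerts` values are assumptions to adjust to your own alert volumes.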
Good luck, and let’s cut the waste so we can prove that cyber is actually here to help.
This article is part of our ‘No bullshit cyber blog’ series, written by Assured CISO in residence, Nick Harris. “These blogs are designed to offer useful tips for implementing cybersecurity practice. The series focuses on making a difference in a language the business understands,” explains Harris. “All points are drawn from my personal experiences delivering cybersecurity transformation programmes and consider best practices from other industries. While I’ve had great success with these methods, you may have a better way. Apply what works for you, and let me know your suggestions.”