When the cybersecurity budget is no longer sufficient for projects and operations, processes must be improved. It is possible to reduce costs without increasing risks. Are you wasting part of your budget?
For the majority of organizations, information security is a priority. As operations are highly dependent on technology, any interruption has major impacts on operations. But with the economic uncertainty of 2023 and 2024, budgets are not keeping up with rising supplier and solution costs. This is an opportunity to take a step back and optimize your operations and projects, to do more with less.
Process improvement in cybersecurity relies on the technology, process and team triad. I explain how to identify the gains you can make in each area.
Review the use of technologies
Software and solutions, whether deployed on your servers or in the Cloud, represent 25 to 30% of the cybersecurity budget. The simplest and least risky budget reduction is to review your tools.
Go through your invoices! What do you pay? Solutions often offer several tiers, are you using all the features of the Gold or Platinum tier you chose at the time? With the list of products you are paying for, you can move on to a more detailed analysis.
Hardware or software installed but included features not activated
I encounter this case in small organizations, which lack skills or which delegate management and installation to an external service provider. The person does the basic configuration, the tool works, but it could provide much more. The case that I have most often encountered is that of the UTM (Unified Threat Management) or NG (Next Generation) type firewall. The inspection of encrypted traffic (TLS) or flows is not activated, you lose part of the capabilities of your firewall, which could do much more.
Solutions:
- Ask questions to your suppliers or IT service providers,
- Check the qualifications of the people who care for your hardware and software,
- Read the documentation for the tools you have.
Hardware or software properly activated and configured, but not used
The organization does not get the value from it, due to lack of time. Consider the case of most EDR or XDR (Endpoint Detection and Response or eXtended endpoint Detection and Response) solutions. These solutions replace antiviruses. Installed on workstations, they protect them by detecting possible malware. Today, they include vulnerability management modules on workstations and scan them for flaws. If you don’t have the time to read the report and take actions to correct the vulnerabilities, you are paying for features that you are not using.
I also encounter the case of organizations which have delegated security management and alert analysis to a service provider. These are managed SOCs (Security Operation Center). This is a great way to ensure you follow up on and act on alerts. But the managed SOC does not manage everything: you receive a dashboard with a report every month. You may have actions to take, as they are not included in your service contract.
Solutions:
- List the reports you receive
- Check that you are taking the recommended actions
- Allow time to read and take corrective actions.
Redundant or unnecessary hardware or software
In my first point, you had solutions with undeployed features. In this third part, the risk is to buy solutions for your needs, when you are already paying for them! Thus the Microsoft E3 or E5 license, chosen by many organizations because it is very complete, contains many tools, in particular Microsoft Endpoint Detection (an EDR) and InTune (an MDM – Mobile Device Management). If you lack knowledge about this platform (or the tools you have deployed) you could pay twice for the same service.
There is also the issue of free versus paid solutions. Some people think that since it’s free, it’s not secure, this is not always the case, it’s all a question of configuration. Let’s take the example of password managers. Available for free in your browsers, you must configure them correctly (with a password before automatically filling in your identifiers on the sites). Whether the solution is paid or free, it is the configuration that ensures its level of security. You know it well: the strongest armored door will open in a few seconds if the key is under the doormat.
Save money with Open Source solutions
Overall, free Open Source solutions do not necessarily save money. Indeed, they require people to install and operate them who have more technical skills. In small structures, staff are often more versatile and have a good sense of belonging. If you have a motivated and interested person, you could invest in their training rather than expensive solutions. You could even hire a person, who could take charge of operating Open Source tool, the cost of training and hiring will be covered by the savings on licenses. Do your calculations!
Keep in mind that OpenSource solutions are less common. If your specialist leaves the organization, she leaves with her knowledge. It’s easier to recruit people who have knowledge of business solutions. And these solutions are easier to take control of as well. Documenting critical processes is essential to capitalizing on your team’s time and training.
Improve processes
We have just seen that you probably lack the time to properly use your tools. Indeed, cybersecurity is a vast field. This function has numerous processes, both internal and transversal. It’s always easier to improve internal processes, since they only concern your team. However, cross-functional processes are those where there are the most gains to be made.
To get the most results, look at the processes that take you the most time. What does your team do with their days? What activities come up most often or take the longest?
If you don’t know, you can ask your team to track their time for a week. A paper timesheet or a sticky note of the number of actions taken by category, a simple Excel file or an online time tracking tool will tell you how your team spends its time.
Then all you have to do is analyze the steps in the process and identify how to do things better.
You can also perform an analysis in the shared mailboxes where the requests arrive. Are you receiving multiple messages for the same request? In this case, you can improve user information, review the process of prioritizing requests or organizing work and the team.
Are there any requests to redo or correct completed actions? If this is your case, you will need to analyze why there was an error. The request was incomplete or incorrect, why? By digging , you will reduce your error rate and save time by getting it right the first time!
Leverage your team’s strengths
Finally, you will take the pulse of your team. Is she motivated, is she used to the best of her skills? How could you divide tasks differently? What would you do if someone had to be absent for a long period of time? Have you documented your critical processes?
You can have the best processes and tools on the market, but if your team doesn’t know how to use them, then they’re useless. I always recommend investing in people first. On average, salaries represent 35 to 50% of your budget, and their training 4 to 5%
To improve, the main thing is to start . You don’t need to have all the numbers to improve, but it will be helpful to measure your progress and make sure you’re doing the right things.