As businesses battle the severe economic downturn due to the COVID-19 crisis, there is an expectation that CxOs will focus on prudent cost management. CISOs have already started thinking on these lines and identified discretionary spend that can be rationalized. They are currently balancing between reducing costs and positioning for recovery and future growth.

How CISOs can drive cost optimization in the new normal

CISOs can look at a range or methods to release funds for current and future needs (See Figure 1). By applying a combination of measures, one can unblock the potential use cases needing attention:

1)     Business ‘line of sight’: Realign to the shift in business priorities by capturing revised Business & IT directives into a capability map. Undertake a broad-based view of cybersecurity capabilities and the present and planned cost models.

• Realign these to arrive upon the revised view of ‘cybersecurity capability map’ that need prioritization and focus.
• Identify projects that need to be canceled or deferred and release them for business-aligned initiatives.

Figure 1: Strategies for cost optimization

2)     Drive simplification: The present situation provides the best opportunity to organize simplification drives across business.

• The business ‘line of sight’ method will yield a business perspective. This perspective could be leveraged as a guiding post on what functionalities needs prioritization. However, the bulk of simplification ideas and measures will develop from a bottoms-up review of how cybersecurity services are developed and delivered to business. It is critical to challenge the typical barrier that allow for duplicity of controls and layered but ineffective control designs.
• The output of this measure will allow most CxOs to have meaningful negotiations with technology vendors and service providers.

3)     Improve productivity: The CISO organization, while being largely understaffed, has multiple activities and responsibilities that could be optimized through process streamlining and re-organizing working methods. Assurance, Operations, Service-Delivery are domains that can be prioritized.

4)     Exercise flexibility with partners: While current service contracts are multi-year or due for renewals, CISOs can tap into the flexibility built into these constructs and adapt to change in demands. Close to 20% reduction in costs can be exercised by exploring options that can allow operations at planned volumes. Reducing service levels, decommissioning low usage systems, limiting capacity of some environments, and right-sourcing using a global delivery model can be explored with partners.

5)     Hyper-accelerate cloud journeys: CISO functions, while being the enabler for IT cloud initiatives, could use some of the cloud-specific cost attributes themselves. A quick assessment of current service characteristics from a ‘cloud-readiness attribute’ should deliver a view of controls and services that can leverage cloud-specific consumption models. Re-platforming and retooling may not deliver immediate cost benefits, but it is a step in the right direction.

Focus should be towards a detailed execution plan and a clear view of the savings that is to be unlocked (See Figure 2). The execution team should also be empowered with quick decision-making and resources.

Figure 2: A plan to unlock savings

Investing for a cyber-resilient future

CISOs also have an interesting opportunity at hand. While it must contribute to overall cost savings, it must establish Cyber-Resilience as an important context for business/board support.

The savings, if invested into cyber resilience initiatives, will prepare the enterprise for the new normal. The newer business imperatives and need to drive revenues, in most industries, is a shift to Digital and the channels it offers.

CISOs’ priorities for investments are:

• Secure remote working: Maintaining or enhancing the security posture through enhanced and hardened end-point controls. Also, prioritizing efforts towards supporting the targeted COVID-related phishing campaigns.
• Automation: Drive the next orbit of automation based on workflow automation, robotic process automation and machine learning.
• Architecture models: Zero trust and adaptive architecture lends well to the present needs of system design. Driving agility in security designs and flexibility for divergent models could assist future-ready environments.
• Supporting digital: More than ever, CISO’s need to operate closely with CIOs and business leaders in driving resilience in digital channel and accelerate delivery through Cloud, DevSecOps and agile operating models for compliance.

Balancing cost reduction while re-organizing investments for business priorities is the new normal for CISO offices while taking their functions to the next normal.

Rajesh Pillai

Sr. Partner – Consulting & Advisory, Wipro

Rajesh represents Consulting & Advisory at Wipro and works from the London office. He has over 2 decades of experience in Risk Management & Cybersecurity advisory, and has worked with clients across multiple continents.

Email: pillai.rajesh@wipro.com or cybersecurity.services@wipro.com