Considerations for Uncertain Economic Times: Spending Strategies and Staff Review

September 19, 2022

Having spent most of my career in the “trenches” building and enhancing security programs, I’ve learned something over the last few decades about managing security programs during uncertain times. Many companies are bracing for a recession, which means less spending and more time running the script of how to save money and where to cut. If you’ve been tasked accordingly, keep reading. I have a few ideas for you to consider.

In this article I’ll provide a primer on spending types, then discuss a method for reviewing the staffing needs and efficiency of your team. You probably aren’t new to this game, as most security professionals understand “ABC” (the sales concept of “Always Be Closing”). Who would’ve thought that a major part of our remit as security professionals would be selling our program and initiatives… constantly.

A close look at compliance and regulatory/industry requirements will help uncover some needed projects. However, some of you are likely still struggling with PCI requirements that have been around since 2004. We sell and sell and push and push, and yet we are forced to argue our PCI approaches with senior leaders regularly because things like segmentation will break the business or the bank. So my words of wisdom are likely based on knowledge and skills you already have and approaches you have already tried – but listen in, these tips are a little different.

A Quick Primer on CapEx vs. OpEx

In order to be good at program and roadmap planning and business alignment, you have to understand how senior leaders are thinking. It may seem like smoke and mirrors, but it’s really a strategy to ensure your initiatives are funded (or at least to ensure funding is there). So, when you are trying to prioritize during times like this, think about how to get your roadmap items done without spending capital, or CapEx. Be careful though – if you start throwing around terms like CapEx, you may end up with that coveted corner office (if offices were a ‘thing’ anymore)!

CapEx, or capital expense, is like cash. The old way of computing meant that a cost center was involved to manage physical assets in a data center, plus all the maintenance, care and feeding needed to keep that equipment up and running.

There are pros and cons to leveraging CapEx. The pros generally center on tax benefits: physical assets are depreciated over time, so a cost incurred today creates a tax benefit in future years. Measuring depreciation over time means you may be stuck with an asset for up to 5 years to see that benefit. IT organizations that are mostly operating with on-prem equipment are spending between 70 and 80% of their budgets on KTLO (keep the lights on) activities, leaving IT with little room for keeping up with the times.

Maintenance for equipment gets fuzzy – consult your CFO or legal team for more advice on this. All this money management and lack of capital impacts your security team’s efforts because you must secure the old stuff that IT is forced to maintain. If not managed, this leads to legacy systems and unsupported network infrastructure.

OpEx, or operating expense, covers everyday annual expenses; traditionally, these funds were used to pay for consumables and supplies. This can be paid for with a line of credit. As I said, maintenance is a little fuzzy and may need more trained eyes to determine how to fund it, but short-term or quick-fix maintenance is generally how to think of OpEx. Another interesting turn of events is that cloud initiatives and managed services are considered OpEx in most instances. They’re a little like subscriptions, and therefore considered operational expenses.

What Does All This Mean?

A way to think about the two funding types is that CapEx is cash and OpEx is credit. Depending on your company and the way it handles money, cash is usually harder to come by. Credit, however, is readily available. For this reason, the cloud market and managed security services have supported a ton of innovation, cost savings and increased efficiencies.

It’s likely that the company you work for has a preference between the two, and if they’re betting on continued growth, you may have better luck advancing your roadmap plans with OpEx spending (and understanding exactly what you need and the options for getting there). For example, we’re all forced to do more with less, but how severe are your staffing needs? With the talent deficit, it’s likely you’re struggling to find good people just like everyone else.

Organizational and Security Team Staff Review

While we’re talking about money, it’s important to also think about another type of capital: human capital. If you’re already suffering from a lack of team members and controls that are neglected or continuously pushed aside, you may consider a security team organization and staff review. This assists with organizational budgeting and planning, helping you develop a cost savings strategy that improves efficiencies and reduces risk. Here are a few questions to get you thinking about it:

  1. Are team members working on the right things? Do they have the skills and motivation to accomplish the assigned tasks?
  2. What are people spending their time on? Are they the right things? Are they spending too much time on assignments/tasks?
  3. Are staff taking work with them on weekends and on holiday? Are staff working during life events?
  4. What are the organization’s core competencies – what do you want the team to be great at, and what makes sense to pay a strategic outsourcing partner to do?
  5. What security tasks have the highest strategic importance and the highest contribution to organizational performance?
  6. Do you know which tasks the team has the highest and lowest likelihood of being able to execute?
  7. What are the risk levels of capabilities due to limited staff?
  8. What are the performance levels of security capabilities?

This is an opportunity to increase efficiencies and reduce cost. I’m not talking about team reduction, as we’ve already established that there’s a gap between what should be done and what is getting done. We need to apply a methodology to determine targets for outsourcing, better team training, what tasks are important and what’s ok to stop doing.

Managed services, like salaries, are considered OpEx. Financing can be more palatable if you can demonstrate how moving work to a third party benefits the organization. Managed services should be considered an extension of your team, but you need security team staff to monitor your managed services for operational and risk reduction benefits. This is a must-do for all your outsourced work.

A great example of an opportunity to reduce risk and increase efficiencies is third-party risk management as-a-Service (TPRMaaS). An estimated 67% of all companies say they have an effective vetting process for vendors, yet most companies look at a vendor only once during that vendor’s tenure with them. This approach leaves a lot to be desired when 63% of breaches are occurring through a third party.

Baseline your current approach, partner with a strategic outsourcing partner and measure again once the new outsourced process has had time to mature. You’ll see the difference quickly, and this provides you with excellent metrics to demonstrate improvements.

Here are some tips to keep handy:

  • The way to continue innovating and reducing risk in your organization is to think like a senior leader or business person, and to include this thinking and approach in your budget planning. You’ll get a long way by showing your support and may get your way in modernizing your business’s computing approach.
  • Brainstorm security initiatives that are cloud-based and help reinforce your roadmap, IT and business initiatives. Who knows, a security review of the new business application may require a control you previously could not get approved. Tack it on as a must-have requirement.
  • Not all benefits of a new project are for the business or IT. A step forward in modernizing a business application or updating old operating systems does support the security mission. Keep your eye on the prize – risk reduction! Go on the record as a supporter.
  • Look for ways to sell your security initiatives as compliance initiatives. Compliance gets the money when push comes to shove.
  • For capabilities that have higher strategic importance and lower organizational performance, consider a strategic partnership with a trusted outsourcing partner.
  • Apply current staff to capabilities with high risk, low performance and higher strategic importance and contribution to organizational performance.
  • Establish “core competencies” for the team.
  • Measure and document. If risk goes up or stays the same and all efforts to get budget are rejected, ensure end-of-year reporting states why. Use numbers to show what the plan was, the steps taken and ultimately why risk was impacted.

Finally, remember that you are part of a team. When a business decision is made, and you don’t get what you asked for, keep measuring and keep working to gain champions in the business and allegiance in IT. This is the best spend of your human capital and will not depreciate!

Mark Modisette
Executive Director, Executive Solutions, Office of the CISO
A Zero Trust technologist, Mark Modisette is a veteran information assurance and security executive with more than 20 years of experience in multiple industry sectors. Mark's recent experience with Optiv + ClearShark has focused on Zero Trust evangelism, authorship and advisory services, where he works with organizations to design roadmaps, perform Zero Trust readiness reviews, and make recommendations to ensure successful ZT implementations. Additionally, Mark helps clients understand where to start with Zero Trust and how to utilize security program management and security risk management to ensure continued success in the implementation of Zero Trust concepts.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.