
How To Properly Cut Your Cybersecurity Budget

Public companies face significant headwinds. High interest rates have raised the cost of capital, intensive refactoring of supply chains has added new expenses, and many businesses have seen spending in their sector fall because of inflation. Delivering profits always takes leadership, but now more than ever it is just plain hard. One approach nearly all businesses are taking in this environment is looking for expenses to slash. Even cybersecurity spending is under pressure.

Cybersecurity is an area where cost cutting must be done with forethought. Cut the wrong things and the result can be catastrophic: regulatory fines, criminal penalties and loss of customer confidence. Cut the right things and the key risks are still mitigated, and mitigated more efficiently.

We have worked with large enterprises for years to optimize spend while mitigating risk, and we know that with leadership and focus, prudent steps can be taken to reduce cybersecurity spend. The key is to take the time to analyze your operational model and your security infrastructure piece by piece. That analysis keeps the focus on risk mitigation while security spend is optimized.

Here are our best practices for reducing cybersecurity spending in large organizations, broken down into five steps:

1. Analyze Your Business’s Operational Model

Stay focused on generating business value, even when preparing to cut cybersecurity costs. To do so, technology leaders should review and confirm a deep understanding of the end-to-end operational business model, from sales to manufacturing to inventory and delivery. This may seem unnecessary, especially to long-serving executives, but the growth of outsourcing, extended supply chains and new technologies makes it hard to keep up with the changes, so review your own organization with the goal of understanding the major entities and what they do. Start with the basics: how does the company make money, and which entities are involved in that? Every large company can be broken down into multiple entities responsible for individual steps, and capturing those entities is the point of this first step. The outputs of this step must be in writing, because the steps that follow build on them. Capture the entities and the major activities of your business in a flow chart; it will keep you and your team focused as you execute the following steps.

2. Map Entities and Data Flow: Track All Entities That Access Transactional Data

Having established an up-to-date view of the company, now focus on the data that each entity generates and shares with the next entities in the flow. One item to key on is the number of third parties that access and process sensitive information. We have found that interviews with the data stewards in these organizations always reveal far more than any architecture diagram or documentation will, so seek opportunities to meet with the leaders of those organizations. Interview data stewards and other stakeholders to find out whether they outsource the work (hidden outsourcing is a dangerous phenomenon). For each element of your flow chart from step #1, you should now have a set of data objects (e.g. customer data, orders, banking information, shipping details). Carefully document everything.

3. Identify Mission-Critical Cybersecurity Processes

Now that you have a clear view of the flow of mission-critical data, drill down into the security controls of your internal departments and of all external entities as well. This is not a check-the-box compliance drill; it is a chance to learn how things really work in your organization. Take the time to meet the people who handle the data and ask them to walk you through what they do and how they ensure corporate standards are maintained. Ask for demos of any systems or controls you have questions about. For every data object from step #2 you should now have a set of security processes and the products and services that enable them.

4. Fund Your Mission Critical Process, Cut The Rest

Steps 1 to 3 provide a solid basis for focusing available funds and cutting non-essential functions. Carefully document the company's mission-critical processes and the essential security processes that must be in place to protect them; this documentation is critical for executive buy-in. Also list every non-critical function that can be cut. If something does not look right, repeat steps 1, 2 and 3 until you are sure of the result and ready for step #5.
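The outputs of steps 1 to 4 are, in effect, three inventories that can be joined: entities and the data flows between them (step 1 and 2), data objects with their criticality and sensitivity (step 2), and security controls mapped to the data objects they protect (step 3). The following is an added example, not part of the original article and not a tool the author describes: a small Python model of those inventories, populated with a constructed, hypothetical company (the entity, data object and control names are invented), that derives the three lists step 4 asks for: mission-critical data with no control behind it (a gap you must fund), controls that protect no mission-critical data (cut candidates), and third parties receiving sensitive data (the hidden-outsourcing check from step 2).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class DataObject:
    critical: bool   # mission-critical: the business cannot make money without it
    sensitive: bool  # regulated or confidential (PII, banking details, addresses)


@dataclass(frozen=True)
class Flow:
    source: str        # entity that generates or holds the data
    destination: str   # entity that receives it
    data: str          # key into the data-object inventory
    third_party: bool  # destination is outside the company


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: int
    protects: FrozenSet[str]  # data-object names this control covers


# Constructed sample inventory for a hypothetical company (not real data).
SAMPLE_OBJECTS: Dict[str, DataObject] = {
    "customer_pii":        DataObject(critical=True,  sensitive=True),
    "orders":              DataObject(critical=True,  sensitive=False),
    "banking_info":        DataObject(critical=True,  sensitive=True),
    "shipping_details":    DataObject(critical=True,  sensitive=True),
    "marketing_analytics": DataObject(critical=False, sensitive=False),
    "internal_wiki":       DataObject(critical=False, sensitive=False),
}

SAMPLE_FLOWS: Sequence[Flow] = (
    Flow("sales",     "crm",               "customer_pii",        third_party=False),
    Flow("sales",     "erp",               "orders",              third_party=False),
    Flow("erp",       "logistics_vendor",  "shipping_details",    third_party=True),
    Flow("finance",   "payment_processor", "banking_info",        third_party=True),
    Flow("marketing", "analytics_saas",    "marketing_analytics", third_party=True),
)

SAMPLE_CONTROLS: Sequence[Control] = (
    Control("DLP on CRM and ERP",       120_000, frozenset({"customer_pii", "orders"})),
    Control("Payment tokenization",      90_000, frozenset({"banking_info"})),
    Control("Vendor risk assessments",   60_000, frozenset({"banking_info"})),
    Control("Analytics SaaS CASB",       40_000, frozenset({"marketing_analytics"})),
    Control("Wiki SSO + MFA",            15_000, frozenset({"internal_wiki"})),
)


def coverage_gaps(objects: Dict[str, DataObject], controls: Sequence[Control]) -> List[str]:
    """Mission-critical data objects that no documented control protects."""
    covered = set().union(*(c.protects for c in controls)) if controls else set()
    return sorted(name for name, obj in objects.items() if obj.critical and name not in covered)


def cut_candidates(objects: Dict[str, DataObject],
                   controls: Sequence[Control]) -> List[Tuple[str, int]]:
    """Controls whose coverage contains no mission-critical data, most expensive first.
    A control that covers both critical and non-critical data is NOT a candidate."""
    critical = {name for name, obj in objects.items() if obj.critical}
    return sorted(((c.name, c.annual_cost) for c in controls if not (c.protects & critical)),
                  key=lambda item: -item[1])


def third_party_sensitive_flows(objects: Dict[str, DataObject],
                                flows: Sequence[Flow]) -> List[Tuple[str, str]]:
    """(third party, data object) pairs where sensitive data leaves the company."""
    return sorted({(f.destination, f.data) for f in flows
                   if f.third_party and objects[f.data].sensitive})


def undocumented_references(objects: Dict[str, DataObject], flows: Sequence[Flow],
                            controls: Sequence[Control]) -> List[str]:
    """Data names used by a flow or control but missing from the step 2 inventory."""
    referenced = {f.data for f in flows}.union(*(c.protects for c in controls))
    return sorted(referenced - objects.keys())


if __name__ == "__main__":
    print("Fund first (critical data with no control):",
          coverage_gaps(SAMPLE_OBJECTS, SAMPLE_CONTROLS))
    print("Cut candidates:", cut_candidates(SAMPLE_OBJECTS, SAMPLE_CONTROLS))
    print("Sensitive data at third parties:",
          third_party_sensitive_flows(SAMPLE_OBJECTS, SAMPLE_FLOWS))
    print("Inventory holes:",
          undocumented_references(SAMPLE_OBJECTS, SAMPLE_FLOWS, SAMPLE_CONTROLS))
```

On the sample data the run reports `shipping_details` as uncovered critical data (the vendor assessments only cover banking), the analytics CASB and the wiki SSO as cut candidates, and the logistics vendor and payment processor as third parties holding sensitive data. Treat the cut list as input to the step 4 review, not as the decision: a control can protect something the data-object mapping does not express (for example, the credentials that an attacker would use to reach a critical system), which is exactly why the article insists on interviews and demos before anything is cut.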

5. Secure Executive Buy-In with a Comprehensive Report and Briefing

Collect all your documentation (final report, interview notes, spreadsheets, screenshots, etc.) and package it into an executive briefing. The final briefing should be succinct. How succinct? The meat fits on one page. The full plan will of course be much larger, and could run to 100 pages, but any plan should have a summary of no more than one page. We have worked with leaders to prepare and present numerous plans like this for companies in multiple industries. A best practice when presenting plans that address security budgets in times of budget cuts and prioritization is to have the people who provided input either with you or close by to address questions. This includes employees, contractors and supply chain partners.

We have used the five steps above in real organizations and know that by focusing on the business and conducting a rigorous analysis you can find and cut the things that do not matter, and do so while reducing the risk that cost cutting leads to disaster. Don't wing it! And if you need help, reach out.



About the Author

Junaid Islam

Junaid Islam has 30 years of experience in the design, development and deployment of secure networks. Junaid started his career in 1989 building data networks for US and Canadian government agencies in South America and the Middle East. From 1994 onwards Junaid focused on developing network protocols for commercial and government applications including Frame Relay, MLPP, MPLS and Mobile IPv6. Most recently Junaid led the development of Software Defined Perimeter (SDP), the industry's most advanced Zero Trust architecture. Currently Junaid is focused on developing quantum safe communications solutions.