Managing Director, BCG Platinion
Washington, DC
By Nadya Bartol, Charlie Weinberg, Vijay Pasupathinathan, Chris White, and Nadine Moore
Many companies are squeezing budgets to free up resources for growth. BCG’s CEO Outlook 2023 showed how the most resilient leaders are funding innovation, sustainability, and other critical projects through tight control of costs. For the Chief Information Security Officer (CISO), this may mean a new era. Increasingly, CISOs are being asked to improve cybersecurity with historically small budget increases. Some may even be asked to spend less. Is it possible to reduce risk in this environment?
Surprisingly, the answer is yes. Implementing a comprehensive cost resilience process can maintain—and often improve—an organization’s risk profile. When optimizing the cyber budget, a CISO will review people, processes, and technology to identify gaps and inefficiencies. Addressing these will allow risks to be reduced while spending is held steady.
In some cases, costs can even be reduced. Consider BCG’s recent work with a mid-sized commercial/retail bank to improve security without increasing costs. Our team conducted interviews and workshops with executive and staff-level stakeholders, analyzed systems and processes, and benchmarked them against best practices in other banks. The project cut 8% from the annual cybersecurity budget while aligning cyber risks with business risk appetite. Key actions and benefits included:
The increased focus on cost control was highlighted in our 2023 survey of cybersecurity leaders, conducted in association with GLG, an insight network that provides access to expert perspectives. In a difficult economic environment, cyber leaders expect to see annual budget increases of about 4%—in line with vendor price increases—instead of the more typical 8%. However, the pressure to minimize risk remains unrelenting: BCG’s most recent survey of IT buyers shows that improved security remains a Top 3 concern. (See Exhibit 1.)
Clearly, any cost resilience program must be managed carefully; an organization that cuts corners on cybersecurity is on the fast track to a crisis. Risks continue to proliferate, with ongoing digital transformation increasing the impact of any disruption and attackers deploying new technologies, such as AI.
An important starting point is to look at return on investment. In the BCG survey of cyber leaders, 56% of CISOs in the “advanced” quintile for cyber maturity said they consistently measure cybersecurity ROI; for those in the “unprepared” category, this was just 22%. ROI should provide the yardstick for action as improvements are planned, forcing an alignment between spending and results in the form of reduced risk.
Based on our extensive work with cost resilience initiatives and cybersecurity, we have identified six action areas that can help organizations provide optimal security while controlling costs. Estimated security budget savings from each action are also indicated.
Although IT security leaders may be keen to get started, we urge a moment of caution. A rigorous approach must be deployed to maximize cost savings without damaging the organization’s cybersecurity risk profile. In addition, each organization has a distinct cyber risk profile due to differences in technology, threat landscape, and business priorities; there is no one-size-fits-all method to protect against risks.
The process should begin with a short, one- to two-week diagnostic to identify action areas with the most significant possible savings, followed by selecting the method that best addresses those areas. Multiple methods will sometimes be deployed; if so, they must be carefully sequenced.
We have identified five methods that can be deployed to create a roadmap for cutting costs while maintaining security.
The output from CRQ is a prioritized list of actions that can range across the entire cybersecurity operation, from sourcing strategies to improved workflow—providing a foundation for enhancing the risk profile while still containing costs. These actions focus management attention on activities that yield big savings rather than those that are merely quick or easy.
Whatever the approach, the final, and critical, step in the process is preparing and implementing the cyber cost resilience program. A short-term, cross-functional team is required to manage execution, pushing through the quick wins while establishing a change management plan for processes that require a more complex organizational response. Throughout the process, measuring the impact on costs is essential to validate objectives.
Across many firms, cost control is the new imperative. The BCG CEO Outlook 2023 showed that company-wide savings are being invested not just in innovation and sustainability but in up-skilling, improving supply chains, and many other projects that require additional resources in turbulent times. As such, the cost pressures on CISOs are unlikely to ease despite increasingly potent cyber threats to the organization.
Yet it is possible to reconcile these imperatives—indeed, skillful management can contain costs while enhancing security if suitable methodologies are implemented. Even when budgets were more generous, the steps outlined in this article were beneficial; in today’s more challenging times, they are essential.