Managing Director, BCG Platinion
Many companies are squeezing budgets to free up resources for growth. BCG’s CEO Outlook 2023 showed how the most resilient leaders are funding innovation, sustainability, and other critical projects through tight control of costs. For the Chief Information Security Officer (CISO), this may mean a new era. Increasingly, they are being asked to improve cybersecurity with historically small budget increases. Some may even be asked to spend less. Is it possible to reduce risk in this environment?
Surprisingly, the answer is yes. Implementing a comprehensive cost resilience process can maintain—and often improve—an organization’s risk profile. When optimizing the cyber budget, a CISO will review people, processes, and technology to identify gaps and inefficiencies. Addressing these will allow risks to be reduced while spending is held steady.
In some cases, costs can even be reduced. Consider BCG’s recent work with a mid-sized commercial/retail bank to improve security without increasing costs. Our team conducted interviews and workshops with executive and staff-level stakeholders, analyzed systems and processes, and benchmarked them against best practices in other banks. The project cut 8% from the annual cybersecurity budget while aligning cyber risks with business risk appetite. Key actions and benefits included:
The increased focus on cost control was highlighted in our 2023 survey of cybersecurity leaders, conducted in association with GLG, an insight network that provides access to expert perspectives. In a difficult economic environment, cyber leaders expect to see annual budget increases of about 4%—in line with vendor price increases—instead of the more typical 8%. However, the pressure to minimize risk remains unrelenting: BCG’s most recent survey of IT buyers shows that improved security remains a Top 3 concern. (See Exhibit 1.)
Clearly, any cost resilience program must be managed carefully; an organization that cuts corners on cybersecurity is on the fast track to a crisis. Risks continue to proliferate, with ongoing digital transformation increasing the impact of any disruption and attackers deploying new technologies, such as AI.
An important starting point is to look at return on investment. In the BCG survey of cyber leaders, 56% of CISOs in the “advanced” quintile for cyber maturity said they consistently measure cybersecurity ROI; for those in the “unprepared” category, this was just 22%. ROI should provide the yardstick for action as improvements are planned, forcing an alignment between spending and results in the form of reduced risk.
Based on our extensive work with cost resilience initiatives and cybersecurity, we have identified six action areas that can help organizations provide optimal security while controlling costs. Estimated security budget savings from each action are also indicated.
Although IT security leaders may be keen to get started, we urge a moment of caution. A rigorous approach must be deployed to maximize cost savings without damaging the organization’s cybersecurity risk profile. In addition, each organization has a distinct cyber risk profile due to differences in technology, threat landscape, and business priorities; there is no one-size-fits-all method to protect against risks.
The process should begin with a short, one- to two-week diagnostic to identify action areas with the most significant possible savings, followed by selecting the method that best addresses those areas. Multiple methods will sometimes be deployed; if so, they must be carefully sequenced.
We have identified five methods that can be deployed to create a roadmap for cutting costs while maintaining security.
The output from CRQ is a prioritized list of actions that can range across the entire cybersecurity operation, from sourcing strategies to improved workflow—providing a foundation for enhancing the risk profile while still containing costs. They focus management attention on activities that yield big savings rather than those that are quick or easy.
Whatever the approach, the final, and critical, step in the process is preparing and implementing the cyber cost resilience program. A short-term, cross-functional team is required to manage execution, pushing through the quick wins while establishing a change management plan for processes that require a more complex organizational response. Throughout the process, measuring the impact on costs is essential to validate objectives.
Across many firms, cost control is the new imperative. The BCG CEO Outlook 2023 showed that company-wide savings are being invested not just in innovation and sustainability but in up-skilling, improving supply chains, and many other projects that require additional resources in turbulent times. As such, the cost pressures on CISOs are unlikely to ease despite increasingly potent cyber threats to the organization.
Yet it is possible to reconcile these imperatives—indeed, skillful management can contain costs while enhancing security if suitable methodologies are implemented. Even when budgets were more generous, the steps outlined in this article were beneficial; in today’s more challenging times, they are essential.
ABOUT BOSTON CONSULTING GROUP
Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we work closely with clients to embrace a transformational approach aimed at benefiting all stakeholders—empowering organizations to grow, build sustainable competitive advantage, and drive positive societal impact.
Our diverse, global teams bring deep industry and functional expertise and a range of perspectives that question the status quo and spark change. BCG delivers solutions through leading-edge management consulting, technology and design, and corporate and digital ventures. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, fueled by the goal of helping our clients thrive and enabling them to make the world a better place.
© Boston Consulting Group 2023. All rights reserved.
For information or permission to reprint, please contact BCG at firstname.lastname@example.org. To find the latest BCG content and register to receive e-alerts on this topic or others, please visit bcg.com. Follow Boston Consulting Group on Facebook and X (formerly Twitter).