Making the Most with Less: A CISO’s Guide to Budget Scrutiny & Technology Consolidation


For years, cybersecurity teams had something close to a blank check. Between rampant ransomware, a distributed workforce that ballooned after the pandemic, and the uncertainty surrounding digital transformation, CISOs and security teams were largely given the reins to spend as they saw fit.

That’s no longer the case. Now, economic headwinds are leading to trimmed budgets and cut resources. To make matters more challenging, sophisticated boards are asking harder questions around cyber risk and exposure. Not only are CISOs working hard to justify and measure their program, they’ve had to become more data-driven in the way they execute towards company initiatives. And they’re doing it all amidst an unstable economy and a fluctuating business environment. 

As economic pressures increase, CISOs are working more strategically with their resources and looking at the ROI of their technology investments to get the most out of their solutions. When tackling the strategy around budget scrutiny and technology consolidations, CISOs need to pay attention to three key areas when choosing which solutions to continue investing in, or how to work differently with what they have.

3 efficiencies to watch for when consolidating technology

The board of directors and key stakeholders are putting CISOs under greater scrutiny, and not just with cyber risk outcomes. In a recent CNBC article, Daniel Soo, the risk and financial advisory principal with Deloitte, stated, “Cybersecurity is not immune to economic pressures and uncertainty. Cybersecurity executives are under increased pressure to improve efficiencies and are often expected to do more with less.” CNBC isn’t alone in reporting on tighter budgets. The Wall Street Journal reported, “[CISOs] are often being asked to do more with the resources they have” and as cyber budgets go down, there is “greater scrutiny of how security money is being spent.” 

It isn’t just about CISOs needing to pull back on new software and services they may find valuable to their tech stack. It’s also about potentially walking away from software renewals that no longer fit the bill, or using a solution they already have that provides similar capabilities and features. As CISOs look to consolidate technology, there are three efficiencies to consider:

  1. Data efficiencies. When using multiple solutions, sometimes the data outputs don’t match up. For example, if a team is using one product for their governance and security analytics purposes, and another product to manage their attack surface, the data feeding into each might not completely align. This discrepancy puts CISOs in a tough predicament when sharing insights and results with the board or stakeholders. But if the same tool covers use cases for governance and external exposure, all the data concepts and outputs will be familiar to the stakeholders.
  2. Operational efficiencies. When a cybersecurity team is operationalizing their processes with vendors and technologies, some of the tools may have multiple capabilities they aren’t utilizing. If CISOs can consolidate capabilities spread throughout multiple tools into one (or even a few), then the corresponding processes become much easier to manage.
  3. Cost efficiencies. This goes without saying, but the easiest way to save on cost is to avoid investing in multiple tools when one can do the capabilities of several. Also consider that investing in fewer tools alleviates costs with training and onboarding, maintenance, and management.

Bitsight for budgeting and technology consolidation

As CISOs begin consolidating technology and looking for ways to cut spend, they must consider what data, operational, and cost efficiencies they stand to gain with each solution. The vendors that bubble to the top should be able to solve for multiple use cases with trusted outputs and insights that CISOs can take action on. 

By using Bitsight’s cyber risk management solution, CISOs gain efficiencies in all three areas:

  1. Data efficiencies. Bitsight delivers the most extensive cyber risk data in the market in our offerings, with a consistency in data amongst a variety of use cases—from cyber governance and analytics to external attack surface to monitoring supply chain risk. CISOs already familiar with Bitsight’s applications and cyber performance metrics (such as our 23 risk vectors) can spend more time talking about performance and less time translating it.
  2. Operational efficiencies. Bitsight provides applications for governance, monitoring, external attack surface management, cyber risk quantification, and vendor risk management. In addition, Bitsight provides a managed services option to manage these applications rather than hiring additional headcount or shuffling resources. By consolidating use cases into one vendor, with the ability to scale up or down during peak times, CISOs streamline and simplify their operational processes.
  3. Cost efficiencies. Once again, the cost efficiencies of using one vendor for multiple use cases instead of several vendors for each unique use case are obvious. Bitsight also enables security teams to get more capabilities for less with our unique packaging options.

Save budget—or justify more

Not only can Bitsight empower CISOs to gain data, operational, and cost efficiencies, they can also use Bitsight data to justify initiatives. As stated by Soo in the CNBC article, “CISOs should be ready to justify spend.”

Whether for additional budget and buy-in for projects or justifying consolidation decisions, CISOs use Bitsight for budgeting purposes. Aveva’s chief security officer and senior vice president of information security, Tim Grieveson, harnesses the power of Bitsight to “quickly visualize the risk burndown of proposed security investments and the financial risk of not allocating funds to certain areas of our security program. Bitsight gave us a new lens to really question if we were spending money in the right place and the impacts of those investments on our security posture.”

For more information on common challenges the CISO needs to face and best practices, check out our Evolution of the CISO ebook.


In the midst of facilitating organization-wide digital transformation, the CISO also must undergo his or her own professional transformation to keep up with a world in serious need of cybersecurity leaders.