I Like Cheese – Please Stop Talking About Cost Cutting – Instead Focus On Cost Optimization
I’m Jeffrey Wheatman, Cyber Risk Evangelist at Black Kite and I love cheese, who doesn’t love cheese? If you don’t love cheese, we can’t be friends. Also, chocolate. And Sci-fi movies. And Stephen King, and The Dresden files, and the NY Giants football team … sorry … that happens sometimes.
Today we are talking about cheese – actually, we are using cheese as a metaphor for cost cutting versus cost optimization.
I really like Swiss cheese, but it has holes and when you put it on a sandwich the mayo, or mustard, or heaven forbid ketchup (I don’t like ketchup, but don’t get me started) leaks through the holes. However, Muenster cheese has no holes. When you put Muenster on a sandwich, nothing leaks. In fact, the cheese spreads the condiments equally and you get deliciousness in every bite.
Here is the actual metaphor. Swiss cheese is cost cutting, Muenster is cost optimization. Cost cutting frequently results in dropping controls or tools, leaving gaps where attackers can get through. Cost cutting ends in losing layers of protection, like lettuce or tomato. Less layers and less protection, leading to more risk exposure.
Dropping tools or eliminating controls usually leads to worse security than shifting service levels across the range of all your controls. Instead of getting rid of controls, you should be looking for opportunities to keep as many of the useful tools you have and engage with technical staff and business executives to adjust how the controls are deployed to optimize your investments. Here is a simple example to illustrate what I mean –
- Currently you may patch systems in seven days at a cost of ‘X.’ Instead of canceling your contract with your patching vendor, maybe you decide to patch in 30 days at a cost of two-thirds ‘X.’
Another approach would be to look for tools that provide automation to replace an expensive (either tool or human capital) process. An example might be –
- You may be spending ‘Y’ – a lot of money for a GRC tool to manage your third-party risk management program. Instead, you can look for a tool (Black Kite, of course being the best and only choice☺) that can automate data collection and provide real time visibility into the posture of your vendors and other third-parties. This is a fraction of the price you pay for a GRC platform.
Another approach would be to engage with a partner that can supplement your security efforts. While this might not always save money, it will provide finance folks with a stable monthly bill rather than periodic spikes. Most CFOs don’t like spikes.
CFOs tend to like stable and predictable. These efforts are often quite useful in getting ahead of the curve and staying under the radar when executives start looking for places to trim the fat, as it were.
There are many ways to optimize your investments without sacrificing your risk and security posture. Be the Muenster and not the Swiss. I also like cheddar.
Stay safe, stay healthy, stay secure.