Security Budgets are Increasing, but ...
Security budgets are growing and that trend is expected to continue in the coming year. However, that growth is built more on security fears, privacy concerns and increased adoption rates of various security and compliance frameworks, than it is understanding any sort of business benefit of efficient and effective security and compliance operations.
Understanding this subtle difference shines a very bright light on an opportunity for security teams to position the value of adding a little more to the budget line. What is critical is highlighting the impact security and compliance can have on the overall business (i.e. revenue).
Yes, we are talking about attributing a measurable and accountable ROI to security and compliance. And being willing to stick your neck out on the value of effective security operations could provide your team a new lease on life.
How Security Operations Impact ROI
For most organizations, security and compliance budgets represent a cost center – insurance ...ish. They represent a necessity to operate. Rarely are the tools, services and team members working to protect your environments thought of as a value driver – never a revenue driver.
Because of this, it is increasingly difficult for security and compliance teams to compete for budgeting, especially went compared to teams like engineering or marketing, where an increase in investment means faster performance, more customers, happier users, etc.
However, diving into the different facets of your business security operations can impact, you can begin to see how the effectiveness of your teams security and compliance operations can directly result in measurable ROI outputs. Broaching the subject of budget is significantly easier when you can highlight value.
Tying security operations & compliance efficiency to measurable business improvements is critical to unlocking the budget needed to keep your organization its most secure..
3 Traditional Costs that Represent ROI Opportunities
Your security and compliance team's ability to assess, identify and remediate security concerns across your environment represents a baseline for managing your environment. Good or bad, you can effectively draw a line as your organization and its environment grows to predict the cost growth over time.
If efficiency and effectiveness is a problem when you are small, it will compound as your company grows. This happens for a couple reasons.
- Failing to integrate security tooling. Purpose-built solutions may seem like a way to save tooling costs, but there is additional time required to setup and use each additional tool, as well as how much effort is required to centralize data into a location for analysis. For its designed purpose, these tools are great. For analysis or compliance evidence, not so much.
- Failing to integrate security early on into your development process. When this happens, there is going to be a constant game of catch-up (or security whack-a-mole). Time spent chasing means your team is not able to focus on development of new products and features to drive revenue.
Each of these leads to ballooning security team costs to get a handle on what could actually be solved by approach and technology. Investing in your approach can reap measurable financial returns via significant cost savings.
Not only that, but getting this wrong bleeds in other areas (but on the bright side, provide more revenue impacting opportunities when done right).
Compliance audits can accrue a tooling cost upwards of $250,000 to complete. Also, these audits demand significant time investments from individuals across your organization. There are certainly solutions for cutting into those resource and tooling costs but what shouldn't be underestimated is the value these frameworks provide when talking with potential enterprise customers.
Large organizations are particularly wary of leaving themselves exposed. This can be one of the main drivers they stick with what they know when less expensive, more nimble and more flexible tooling exists. Showing an investment in compliance speaks volumes to how seriously your organization considers security.
This investment opens doors to new business that would otherwise not exist, no matter how hard a salesperson hustles. Improving speed & transparency during the sales process directly impacts your companies ability to close new business.
Sales Opportunity Costs
Streamlining and centralizing your organizations security operations can significantly reduce the time needed to perform robust security reviews. Adopting key security frameworks and compliance requirements also ensures enterprise organizations are familiar with your practices and policies. These are standards they have likely already adopted and expect of their vendors.
In both cases, the net result is increased speed. When we are talking about business speed, we are speaking in terms budget holders understand. Revenue and sales leaders understand speed is critical to winning in a competitive market. Talking about speed can help you bring interdepartmental allies to your cause because everyone truly wins.
Making the Case for Security Budget. The Right Way
When you've got your ducks in a row, focus on the value you think exists. The goal is to highlight revenue and ROI opportunities on getting the right tooling and team members in place. There are a couple of things to keep in mind as well:
- Don't build you sell on 'saving time.' Time savings, while real, are too soft and vague. Not to mention your team is going to be at work anyway. Focus instead on what capabilities would be enabled and the value that would have on new business and/or customer retention.
- Don't add excess tooling. The goal of this conversation would be to get the right pieces in place. In many instances there may be immediate savings by consolidating tools. That is ok – the savings should be repositioned as a reinvestment into something that enables new capabilities (like above).
Last of all, you can grease the wheels towards success if your team takes proactive steps to improve ROI (reduce or be more efficient with costs) on your own. Renegotiate existing terms, shift towards open source (free) solutions, etc.
We believe in the value security and compliance has on the organization. It's time to make that value more prominent as your team looks to get the right tools and frameworks in place.