Cost Optimization
Where to start? What to consider?
The following are a few avenues that can be explored to optimize costs and, in most cases, reduce them.
I called it smart security, as good thinking is required to achieve cost optimization.
This post is an answer to a previous LinkedIn Post.
- Reduce incidents and their costs.
  This is obvious, but fundamentally valid: every incident avoided is response, recovery, and reputational cost avoided.
- Security by design, not as an afterthought.
  Retrofitting security is typically very complex, the best result is almost never reachable, and the cost is never low.
- Adopt a risk-based approach.
  Know where to invest your money and where to save it.
- Simplify operations.
  If operations are too complicated, resources are wasted and quality may suffer. This is not the same as saying operations can be simplistic.
- Standardize, and where possible reduce, endpoint images.
  Any diversity without clear added value for the business should be avoided.
- Simplify patching.
  This is the bread and butter of security and needs to be executed every day. Maximum effort and creativity need to go into this; there will be a clear ROI.
- Reduce software complexity and the number of applications on endpoints.
  Users need the right tools, not five that do the same thing.
- Keep as much software as possible on its latest version (see also image reduction above).
- Prioritize VIPs (titleholders, privilege holders, secret holders).
  This is part of the risk-based approach.
- Identity and Access Management (IAM)
  - Smart access control.
  - Reduce roles significantly, down to the essentials (this may sound counter-intuitive).
    You can have many more roles than members in a team, but the complexity introduced will kill many of the advantages. Fewer roles also make automation easier.
  - Reduce provisioning effort. Automate as much as possible.
  - And finally, spend time on risk management.
    If provisioning consumes all the resources, IAM will never reach operational optimization and effective risk management.
- Once operations are simplified, standardized, and documented:
  - Think about outsourcing operations to lower-cost parties.
- Website development
  - Reduce development to a smaller number of third parties (if external) that are easier to cooperate with and have a verified secure coding process.
  - Shift effort from pen testing to secure coding practices and tools.
    Pen testing is the step just before going live, so every finding at that stage is expensive to fix.
- Automate some operations after a careful ROI study.
  You can throw resources (which you may not have) at problems. Some investment is necessary before a return is visible, but this is the only way to scale and save, especially on the key processes.
- Be careful with security tool choices: tools you cannot manage, that are too complicated, or that show no ROI.
  Get the right tools, make your tools work together, and limit their number. Otherwise, you are wasting money.
- Another post on Cost Optimization in the Cloud is coming soon. Stay tuned.
Guy MARONG
Managing Partner, Cubic Consulting SARL