Cost Optimization

Where to start? What to consider?

The following are a few avenues that can be explored to optimize costs and, in most cases, reduce them.
I call this smart security, because good thinking is what actually delivers cost optimization.
This post is an answer to a previous LinkedIn post.

  • Reduce incidents and their costs.
    This is obvious, but fundamentally valid: every incident avoided is money not spent on response and recovery.
  • Security by design, not as an afterthought.
    Retrofitting security is typically very complex, it rarely reaches the best result, and the cost is never low.
  • Adopt a risk-based approach.
    Know where to invest your money and where to save it.
  • Simplify operations.
    If operations are too complicated, resources are wasted and quality may suffer.
    This is not the same as saying operations can be simplistic.
  • Standardize and possibly reduce end-point images.
    Any diversity without clear added value for the business should be avoided.
  • Simplify patching.
    This is the bread and butter of security and needs to be executed every day.
    Maximum effort and creativity need to go into this. There will be a clear ROI.
    • Reduce software complexity and the number of applications on endpoints.
      Users need the right tools, not five that do the same thing.
    • Keep as much software as possible on its latest version.
      (see also image reduction)
  • Prioritize VIPs (titleholders, privilege holders, secret holders)
    This is part of the risk-based approach.
  • Identity and Access Management (IAM)
    • Smart access control.
    • Reduce roles significantly, to the essentials (this may sound counter-intuitive).
      You can have many more roles than members in a team, but the complexity introduced will cancel out most of the advantages.
      Fewer roles also make automation easier.
    • Reduce provisioning effort.
      Automate as much as possible.
    • And finally, spend time on risk management.
      If provisioning consumes all the resources, IAM will never reach operational optimization or effective risk management.
  • Once operations are simplified, standardized, and documented
    • Consider outsourcing operations to lower-cost parties.
  • Website development
    • Reduce development to a smaller number of third parties (if external) that are easier to work with and have a verified secure coding process.
    • Shift from pen testing to secure coding practices and tools.
      Pen testing is the last step before going live, and each finding at that stage means rework, delays, and cost.
  • Automate some operations after a careful ROI study.
    You can throw resources at problems, but you may not have them.
    Some investment is necessary before a return becomes visible, but automation is the only way to scale and save, especially on the key processes.
  • Be careful with security tool choices. Tools that cannot be managed, are too complicated, or show no ROI are a cost, not a saving.
    Get the right tools, make them work together, and limit their number. Otherwise, you are wasting money.
  • Another post any day soon on Cost Optimization in the Cloud. Stay tuned.

Guy MARONG
Managing Partner, Cubic Consulting SARL
