Strategies for Handling Budget Constraints Impacting Security and Compliance

If you are an ambitious SaaS company or any organization performing services in which you handle client data, then management of sound security practices and demonstrating those practices through compliance initiatives is no longer a “to-do-list” item. It is necessary in the modern business landscape.  Security compliance initiatives such as SOC 2 or ISO 27001 are becoming a requirement much earlier in business lifecycles than they were just a few years ago.  Founders, CTOs, and management of fast-growing startups should strive to anticipate customer requests and have documentation available when requests for security reports come in.  A common concern we see in these managers is the compounding costs generally associated with security and compliance initiatives. This is a reasonable concern, particularly in fast growing organizations with strict budgets. Across hundreds of audits, and even more industry connections, I’ve identified a few focus areas where I’ve seen companies successfully strategize around these budget constraints.

Redefining Security as a Value Driver 

The first is to shift the paradigm that security is a cost center.  Security should be an activity that drives revenue and reduces risks (i.e., costs).  Revenue growth occurs by selling to clients and industries where a lack of demonstrable security measures would have otherwise disqualified your organization as a vendor. Robust security practices can also be a market differentiator, particularly if you can demonstrate better security protocols than your competitors.  Compliance initiatives are all about trust, and trust is a key tenant of sales. 

Security is ultimately about reducing risks. A well implemented risk management strategy should pay for itself in the reduced costs it created for your organization over time.  Therefore, a good security strategy is a value generator to both the top and bottom line of a company and should not be considered a cost center but rather an investment with beneficial return.  But this is only the case if you are strategic, intentional, and execute well. 

So even if we understand that security and compliance can be a value creator, we still have to deal with that unfortunate budget. There are two ways to approach budget concerns for security and compliance initiatives:  

1. Reduce direct costs; and

2. Maximize return on investment

Cost Reduction Strategies

Reducing direct costs is the obvious choice that most companies look to first. It is important to be reasonable when it comes to costs, particularly in smaller organizations. However, you typically get far better results by focusing on the return on your investment. Direct cost reduction inversely impacts the reliability, effectiveness, and marketability of your program. This unfortunately has an outsized impact on the return on your security investment vs the savings in direct costs.  However, let’s look at some viable cost reduction strategies:

1) Automate what you can to relieve internal resource time

Security and compliance management platforms have stormed the market and there are plenty of project management and tasking tools which can be leveraged to automate security tasks and even the collection of audit artifacts.  These are big positives, but you must evaluate vendors thoroughly as they will add to your tooling costs.  Any tool should have a positive return on investment via your saved time. Leveraging tooling should save you more labor cost than the cost of the tool. You should also never attempt to automate governance and strategic management of your program. Over-reliance on tooling for these key aspects commonly leads to a poor-quality program which will again diminish the return on the investment and lead security initiatives that are misaligned with business objectives. However, if done correctly, automation can create huge savings in time, and therefore, labor costs. 

2) Reduce audit costs

There are multiple ways to reduce audit costs. Save your auditor time by being prepared and providing timely artifacts and responses to inquiries. You can also choose a less costly audit firm. Caution is warranted here as the cheapest audit firms often have a negative perception and their name will be in your audit report. You also do not want to jeopardize the quality and reliability of your audit report.  The last thing you want to do is go through all of this effort and your report gets rejected by a prospect because it is overly vague, the auditor’s test approaches did not appear sufficient, or the auditor has a negative perception in the market.  We generally see the top end of the spectrum of audit firms have brand perception, but quality can vary widely depending on the audit team you get. The bottom end of the price spectrum consists of very low-quality volume-based firms that can hardly be perceived as reliable.  Aim for somewhere in the middle here. 

3) Pick one compliance framework and maximize Its usefulness

Differentiation across multiple compliance frameworks can be a great strategy but if you are just getting started it may make more sense to pick a single framework and really dig into it.  By really understanding and maximizing the usefulness of one framework and reporting process (we usually recommend SOC 2 due to its flexibility) you can reduce audit and compliance costs without sacrificing the quality of your program. For instance, if correctly done a SOC 2 report could report on concepts applicable to various frameworks or regulations in the single report.

4) Use an outsourced consultancy rather than hiring full time employees

Security and compliance are constantly evolving industries. Trying to find one unicorn employee that can do it all may not be practical.  However, outsourcing to a competent consultancy can save you a lot of internal bandwidth costs as well as the costs associated with hiring employees. Often times consultancies will have personnel with cross-functional competencies that can handle your account as a team for less cost than a full-time hire. A consultancy may also save you on additional tooling costs as they may already have the monitoring infrastructure in place or incorporate that tooling into their pricing. 

5) Simplify your security program

Sometimes it just might make sense to keep it simple. Implementing only the most impactful security controls based on your risk profile will reduce the operational burden of your program and your audit costs as well. The key to this exercise is performing a well thought out and holistic assessment of risks based on your chosen security framework and implementing controls that have the most impact toward mitigating your identified risks. A streamlined program will reduce operational costs as well as simplify the audit. Simplification is a great strategy if you are just getting started, but it still takes a level of strategic thought and prioritization to ensure you have your bases covered while reducing unnecceary bloat.  

Maximizing Return on Investment in Security

While reducing direct costs can help with immediate budget constraints, this isn’t necessarily the best long-term strategy. Reducing direct costs when it comes to security and compliance has an inverse relationship to the return on your investment (you get out what you put in). A more beneficial long-term strategy is to focus on maximizing the return on any invested time and costs. The return on investment with a well-run security and compliance program should outweigh the direct costs, otherwise why are we doing it? Let’s go over a few tips on how to maximize the return on your investment:

1) Avoid a box checking mentality

Security and risk reduction should be the aim of your program. When that is the focus then compliance naturally becomes a biproduct. Seeking just to check boxes for compliance purposes leads to poor quality programs that become more of a cost center than an investment.  Check-the-box programs become bloated, vague, aren’t business aligned, and are less marketable causing brand reputation damage. They also will not do a great job of reducing risks to save on long term costs associated with security incidents. Security should be strategic, based on your unique risk profile, and positive value.

2) Understand what your customers care about

Know how your services impact the security of your customers and implement procedures to reduce their risk of interacting with you. Customer-centric security is key to driving trust and topline growth. Sophisticated customers are going to have some sort of vendor risk analysis prior to onboarding your service and likely on an ongoing basis afterward.  Get ahead of them by anticipating their security needs and implementing controls specifically designed to address their risk of doing business with you. By doing so your security and compliance program becomes a marketing catalyst and competitive differentiator.  If you have a security report where you can convey these details, such as a SOC 2, make sure you articulate the work you’ve done.  Don’t let all that excellent work go to waste by allowing your report to be scripted and vague. Beef it up and toot your own horn to let those prospective customers know they can trust you. If you are proactively addressing customer concerns, you will immediately streamline their due diligence and give yourself a leg up in the vetting process.  All leading to quicker deals and more revenue for you.

3) Analyze Revenue and Cost Impacts

Analyzing the value of a typical deal in your business will help you determine how much to invest in your security/compliance initiatives. You should determine three things:

  • What are your current deals worth
  • How many of your current deals are held back by a lack of security compliance
  • Will demonstrable security/compliance help you break into higher value deals? If so, what is the value of those deals

This should help you determine the top line impact a security and compliance program will have.

Next do some research on typical costs associated with breaches and incident response efforts in your industry and organizations of your size. With this information you should be able to estimate the cost impact on your organization if a similar incident occurred. A security program will not eliminate this cost altogether, but it can reduce the likelihood of the cost materializing and the impact if such an incident did occur.

Let’s workshop it: Your typical deal size is $30k per year with a profit margin of 30%. You believe your lack of demonstrable security compliance currently disqualifies one deal per year. That is worth $9k to your business.  However, you are trying to move up market and sell to more enterprise clients where a typical deal is worth $60k but you are immediately disqualified from any prospective clients at this level without a security report.  You think you could land a couple clients a year at this level if you could get past the security team.  With your security program qualifying you for these clients that’s an extra $36k of profit assuming the same 30% margins.  Total cash flow impact of additional revenue generated by a security and compliance program equals $45k per year.

Now you’ve done some research and found that a typical breach in your industry costs a business of your size $100k in incident response, mitigation, and legal payments and another $30k in lost business (one of your clients leaves due to the incident). You estimate an incident like this can be expected to occur once every ten years.  That would be an estimated cost of $13,000 per year ($130k/10 years) . You estimate that your security program would extend the expected time of incident to once per 20 years and save on 20% of impact cost.  Thats a new cost estimate of $5,200 per year (130k x .8 / 20 years).  Total cost savings of your security program is $7,800 per year ($13,000 – $5,200). 

You now need to combine the revenue value and cost value for a total value of your security and compliance program.  In this example your total value is $54,800 per year ($45,000 + $7,800) if you implement a security and compliance program. Your investment should be equal to or less than this number.

4) Invest time in a good risk assessment

A good risk assessment is the foundation of any security program. Establish objectives for  your program and assess the risks toward achieving those objectives.  This will reduce your security risk exposure and help ensure you are prioritizing controls in the most impactful areas to reduce your risk profile. A good risk assessment will lead to a streamlined program delivering the most return to your business.  A good risk assessment will determine if the benefit of implementing a control outweighs the cost associated with its implementation.  It doesn’t make sense to implement controls if they are more costly than the impact of the risk they are intended to satisfy – this is how you should think about the relationship between risks and controls.  The only way to determine this is through a thorough and business-focused risk analysis. If you don’t have the time or expertise to do this in-house, then you should consider bringing in outside expertise in this area. Don’t fall into the temptation of “just enough for compliance” here.  Your risk assessment is the most strategic component of your entire program, and it requires attention to deliver return.

5) Invest in a good audit partner

A good audit partner should help you optimize your program, provide insights on your environment, best practice advice, take a customized approach tailored to your specific procedures, ensure your report is documented with sufficient specificity and uniqueness to be perceived as reliable in the marketplace, have a brand that is perceived as reliable, and overall be pleasurable to work with. Hiring a poor audit partner is like hiring a physical trainer just to say you have one.  Wouldn’t you rather have a coach to help you get in shape?

A good auditor should learn your business and be a trusted advisor. Their reputation should help build trust externally and their thoroughness should build confidence internally.  A poor auditor is almost certainly a cost center with little actual return to your business. Make sure your audit firm is providing you with real professionals with tenure, licenses/certifications, and expertise. You should also have access to a partner in the firm. 

6) Market what you’ve accomplished

You worked hard on this initiative, now tell the world about it.  But make sure you say the right things! It immediately discredits an organization when their marketing team says they underwent a “rigorous SOC 2 certification”  (its not a certification by the way – that’s for another article). Make sure you work with your auditor, consultant, or in-house security team prior to making those press releases so you can be sure your verbiage is appropriate.

7) Know your competition

What are your competitors doing with respect to security and ensure you are doing at least that much. Remember, if done right security can be a market differentiator and selling point. But that only works if you’re better than the competition and can articulate it.

8) Proactively Provide Your Annual Report to Customers

Waiting on them to ask for it reduces your ability to brag about what you are doing and show them you care.  Be proactive and ship that report to your customers to drive retention. Their security and GRC professionals will appreciate you saving them time.

9) Harmonize multiple compliance efforts to maximize impact

A well-organized strategy combined with a good audit partner can help you to gain efficiency across multiple frameworks.  Each additional security compliance initiative should have an outsized ratio of return on investment. A good audit firm should be able to perform cross-framework mappings and audit once while reporting across many frameworks.  These synergies should create an incremental reduction in both internal and external direct cost while allowing you to demonstrate a much more holistic and differentiated security program.

Conclusion: Balancing Costs and Benefits in Security Initiatives

Dealing with the allocation of funds is something all organizations have to manage. When it comes to allocating funds toward security and compliance, as with any other aspect of your business, the primary focus should be on the expected return on the investment. Security and compliance will be a cost center to your organization if you seek to cut corners and skate-by for a compliance report. However, if done appropriately and strategically, security and compliance will drive positive value to any organization.

 

Speak with one of our experts if you’d like to learn more about how we help organizations maximize the value of security and compliance.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of Assurance Point, LLC. Dale oversees a variety of attestation and advisory engagements within the information security, privacy, risk management, and compliance sectors.

He has broad experience across an array of internal control and risk management frameworks and specializes in SOC reporting, having contributed to the issuance of over a thousand high-quality reports in his career.

Dale is a licensed CPA, and holds additional certifications including the CISSP, CISA, CIPP/US, CCSK, ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential. Dale is an active member of the AICPA, Georgia Society of CPAS, ISACA, and the IAPP, among others. In his spare time Dale is an avid outdoors enthusiast, Atlanta sports fan, and enjoys spending time with his two kids.

What Are SOC Reports – The Basics 2

SOC 1 vs SOC 2: Choosing the Right Examination

System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related tointernal controls within organizations, but they serve different purposes and audiences. Whichone is right for your organization? It will depend on the use case of the report and...

Security Events vs. Security Incidents

Security Events vs. Security Incidents

In the world of cybersecurity, a common misunderstanding often exists within organizations - the distinction between security events and security incidents. We audit a lot of organizations’ incident management protocols, and the lack of a distinction between event...

How to Evaluate Auditors 2

How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision. Many organizations make the mistake of letting cost be the primary driver of choosing an...

Factors That Create a Positive Compliance Experience

Factors That Create a Positive Compliance Experience

There is no doubt in my mind that I have seen vastly more audit horror stories and unsatisfied auditees on public forums and social media than I have seen people raving about a positive audit experience. Auditing is an extremely tough profession, and we auditors...

How to Prepare for a SOC 2 Security Assessment 2

How to Prepare for a SOC 2 Security Assessment

Security assessments, such as SOC 2 reports, are increasingly becoming a requirement in modern business. Organizations often approach us needing a SOC 2 but need help knowing where to start. So, let's break down the significant steps in preparing for a SOC 2....

What Are SOC Reports – The Basics 2

What Are SOC Reports – The Basics

Introduction System and Organization Controls (SOC) reports have become one of the most common methods for organizations to demonstrate their services and provide stakeholders assurance over their internal control environments. SOC reports can seem like a very...