Time to get Payback on Cybersecurity Spending
CISOs today are in a pinch. On one hand, the cybersecurity industry’s talent problem persists, with 3.4 million unfilled positions according to the (ISC)² Cybersecurity Workforce Study. And on the other hand, IT spending is facing tough headwinds amidst ongoing economic uncertainty and threats of a looming recession. Now more than ever, security teams must do more with less and answer to C-suites and boards that will likely look at each budget line item with increasing scrutiny. A new way to approach cybersecurity spending is needed.
Cost and Value Curves
One way of segmenting cybersecurity spending and investments is by time horizon, i.e., strategic investments versus tactical expenses. Strategic investments align with business goals but carry large ticket prices and take a long time to deliver meaningful ROI. Tactical expenses are short-term solutions to pressing risks but often don’t align with broader strategic goals. Both present the CISO with a tough choice: optimize for “quick wins” or for “delayed gratification.” A new class of solutions is emerging that can start small and grow big, providing “quick wins” without compromising on long-term goals. We will discuss these later.
One might think that in today’s volatile economic climate, shorter-term tactical expenses would relieve pressure on budgets. But in the long run, that route often ends up being more expensive, because those tools frequently break or never deliver a meaningful ROI, forcing you into a constant cycle of buying more tools. Higher-quality investments, on the other hand, may cost more up front, but because they last longer and create a greater impact, they are less expensive in the long term. For that reason, we’ll focus our attention on these investments.
The Cost Curve
In cybersecurity, an example of a complex but strategic solution is a network intrusion detection system (IDS). Such purchases are strategic and important but can take significant time to deploy, configure, train staff on and align with day-to-day operations in the SOC. This translates to significant delays in ROI.
Represented visually, the cost curve of this purchase would look roughly like this:
The initial purchase and implementation form the left side of the curve: Organizations spend significant time and money to purchase, implement and operationalize the solution.
Over time, costs drop as the practice fully integrates the solution. Eventually, the curve flattens, representing the operational cost that runs for its lifetime. Barring further purchases, this curve remains largely unchanged over time.
SaaS and subscription-based models attempt to flatten this curve, and they do have an effect. However, upfront costs in training, enablement, change management and infrastructure still front-load costs to a large extent for enterprises.
The Value Curve
Similarly, every solution has an associated value curve. After all, that’s the whole reason for the purchase. Here’s an example of the conceptual value curve for our IDS:
This makes intuitive sense: At the time of initial purchase and implementation, there’s relatively little value. Over time, as deployment is completed and best practices form around the solution, more value will be delivered to the organization.
The Break-Even Period
For many solutions, this model holds true and forms a set of expectations for security decision-makers. As buyers are considering a purchase, it’s useful to combine these two curves:
At some point after the initial purchase and onboarding of the solution, the curves cross — this crossover point is the break-even period. As time goes on, realized value accrues. This realized value represents the ROI of the purchase over its lifetime.
Solutions that typically fall into this category are software or appliances that require significant installation, configuration and operational integration, such as SOAR, NDR or SIEM. While strategically important, these commonly take significant time to realize their full value; in extreme cases, it takes a year or more to realize significant value.
Operational Investments
Fortunately, not all security solutions share the same cost/value curves. Consider a solution that provides immediate tactical value to the organization but also provides long-term strategic alignment to the security practice, even if it evolves over time.
Collapsing the Curve
For solutions like this, we can combine the value and cost curves – note that value is realized immediately, and this value curve increases over time.
Such solutions represent an alternative to short-term “tactical expenses” and long-term “strategic investments,” and can be described as “operational investments.” Common characteristics of such solutions are:
1. Streamlined implementation: Easy to implement, with the ability to start small and grow into larger deployments.
2. Immediate value: The solution should be tactically useful right away.
3. Long-term alignment: As the organization’s security strategy changes or evolves, the solution can align and accommodate.
Additionally, an important point of emphasis for operational investments is to favor active protection over passive detection. While detection is strategically important, active protection and prevention are strongly preferred as these solutions tend to provide more immediate value, thereby increasing ROI and minimizing risk.
If you’re looking to make an operational investment purchase, start by identifying 1) critical assets (both digital and physical), 2) potential threats to these assets, 3) a list of solutions to protect these assets and 4) tactical and strategic priorities for the security practice. From there, prioritize solutions that are 1) protection-centric, 2) streamlined in deployment, 3) flexible and 4) align with a long-term strategy.
Ensuring ROI Amid Economic Uncertainty
With budgets under pressure, every cybersecurity purchase must be made deliberately. Knowing that short-term tactical expenses will likely lead to worse results and more money spent in the long run, organizations should prioritize longer-term investments. But you don’t need to settle for strategic investments that take years to drive results. Using the framework above for finding operational investments, businesses can capture long-term value while getting the payback much more quickly.