In an era in which remote working has become the norm and cloud-based storage is rapidly replacing legacy infrastructure, cyber security is rising up the agenda of organisations worldwide. This is reinforced by increasingly stringent rules and regulations on customer privacy and the obligations that businesses hold towards consumers to protect their data accordingly. Enter the need for businesses to procure new IT security solutions. But what constitutes a good security procurement strategy, and how can organisations weigh up the ROI of different cyber security solutions?
With companies now dealing with a great deal of their operational tasks online, and employees often working remotely, cyber security threats are an inevitable aspect of modern business.
Threats are most commonly associated with external hacking attempts, but in practice a large share of security incidents originate from the internal misuse of company systems and devices (such as company mobiles). This is not to say that employees deliberately compromise company security, but rather that they do so inadvertently: using company devices for occasional personal use, failing to install updates when prompted, or accessing company materials from unsecured networks. The result can be a successful phishing email or a malware download that then spreads from one device across the organisation's network.
With this in mind, it is unsurprising that many organisations also deploy security best-practice training for their employees as part of their cyber security strategy.
With the pressure on organisations to consistently demonstrate that they are protecting consumer data, it can be tempting to lap up the latest security software as and when it is advertised to your business. However, purchasing new security solutions is not always the answer: every new tool adds integrations with existing systems, and each of those integrations must itself be configured and secured, which creates more work rather than less.
Further to this, purchasing security software is not, in and of itself, a strategy. IT security procurement should be undertaken on a needs basis. As with all organisational purchases, it should follow a thorough assessment of organisational activities to identify weaknesses and the corresponding requirements that a solution must meet to address them.
Unlike other software or technology procurements, in which technology is implemented to improve efficiency and thus profitability, security procurement is about protecting the business from the potential costs of security breaches.
As such, security procurement can often seem like something of a guessing game, with organisations struggling to establish a projected ROI on security acquisitions, which in turn limits their ability to select a solution that is appropriate in cost.
Whilst forecasting cyber business risks and the associated costs can be difficult, there are several ways to understand the potential ROI of security solutions:
Consider current threats: The simplest way to estimate the ROI of security spend is to weigh the costs the organisation already incurs from security incidents against the lifecycle costs of the new solution. This could include adding up existing shrinkage rates and any penalties incurred from past security breaches.
Regulatory requirements: Aside from the costs of breaches themselves, there are security requirements mandated by regulators, such as the UK's Information Commissioner's Office (ICO). Companies should compile the costs involved in meeting these thresholds, including the cost of bringing all devices and employees into compliance, and weigh them against the potential penalties for failing to do so.
Straw polls: Many organisations now assemble groups of key stakeholders to take straw polls on the likely cost of security breaches across different areas of the business. This is an increasingly common way of identifying business risks and their consequences, since each stakeholder can offer experience and insight into their own area of the organisation.
Once the potential costs of not procuring new security solutions have been established, businesses can use a simple calculation to work out the approximate ROI of each candidate solution:
ROI = (Total cost of expected risks – Total cost of solution) / Total cost of solution
Note: The total cost of solution should include the full lifecycle costs of the security solution: the purchase price, implementation costs, operational costs and maintenance over its expected service life. A solution that is cheap to buy but expensive to run can have a lower ROI than one with a higher purchase price. The formula also assumes the solution avoids the whole of the expected risk cost; where a control only reduces a risk rather than eliminating it, count only the portion of expected loss it actually avoids.
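To show why lifecycle cost rather than purchase price drives the result, here is an added example (not from the original article) that applies the ROI formula above to two constructed candidate solutions. The figures, the three-year lifecycle, and the optional `risk_reduction` factor (which defaults to 1.0, i.e. the article's formula as written) are all assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample: expected annual losses the organisation already bears
# (from the "consider current threats" and "straw polls" exercises above).
ANNUAL_RISKS = {
    "regulatory penalties": 60_000.0,
    "shrinkage": 15_000.0,
    "breach-related downtime": 25_000.0,
}

@dataclass
class Solution:
    name: str
    purchase: float            # one-off licence / hardware cost
    implementation: float      # one-off rollout and integration cost
    annual_operation: float    # staff time, subscriptions, per year
    annual_maintenance: float  # support contracts, patching, per year
    years: int = 3             # assumed lifecycle length (not from the article)
    # Assumed extension: share of the expected loss this control actually avoids.
    # 1.0 reproduces the article's formula, which assumes the whole risk is avoided.
    risk_reduction: float = 1.0

    def lifecycle_cost(self) -> float:
        """Total cost of solution: one-off costs plus recurring costs over the lifecycle."""
        recurring = self.annual_operation + self.annual_maintenance
        return self.purchase + self.implementation + self.years * recurring

def expected_risk_cost(annual_risks: dict, years: int) -> float:
    """Total cost of expected risks over the same period as the solution lifecycle."""
    return years * sum(annual_risks.values())

def roi(solution: Solution, annual_risks: dict) -> float:
    """ROI = (total cost of expected risks - total cost of solution) / total cost of solution."""
    cost = solution.lifecycle_cost()
    if cost <= 0:
        raise ValueError("lifecycle cost must be positive to compute ROI")
    avoided = solution.risk_reduction * expected_risk_cost(annual_risks, solution.years)
    return (avoided - cost) / cost

def rank_by_roi(solutions: list, annual_risks: dict) -> list:
    """Return solution names ordered from highest to lowest ROI."""
    return [s.name for s in sorted(solutions, key=lambda s: roi(s, annual_risks), reverse=True)]

# Constructed candidates: A is cheaper to buy, B is cheaper to run.
SOLUTION_A = Solution("A (low purchase price)", purchase=40_000, implementation=20_000,
                      annual_operation=30_000, annual_maintenance=10_000)
SOLUTION_B = Solution("B (high purchase price)", purchase=90_000, implementation=30_000,
                      annual_operation=8_000, annual_maintenance=7_000)

if __name__ == "__main__":
    for s in (SOLUTION_A, SOLUTION_B):
        print(f"{s.name}: lifecycle cost {s.lifecycle_cost():,.0f}, ROI {roi(s, ANNUAL_RISKS):.2f}")
    print("Ranking:", rank_by_roi([SOLUTION_A, SOLUTION_B], ANNUAL_RISKS))
```

With these figures solution A costs 180,000 over three years against B's 165,000, so B has the higher ROI despite more than doubling the purchase price. Setting `risk_reduction` below 1.0 for a control that only partly mitigates the expected loss lowers its ROI accordingly and can reverse the ranking, which is why the residual risk deserves an honest estimate before the numbers are compared.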
Beyond specific security acquisitions, procurement experts now advise organisations to consider the security implications of selecting suppliers for any other activity. A diverse supplier base is an important aspect of competitiveness, but every new supplier added to the supply chain carries additional risk to the business's own materials and customers: an insecure supplier with access to your systems and databases can become a back door into them.
The UK's National Cyber Security Centre offers extensive advice for businesses on how to monitor and mitigate supply chain security risks. It notes the importance of including clauses in supplier contracts that require suppliers to report on their security performance and to uphold the policies and processes necessary to protect data.
Whilst organisational stakeholders all understand the importance of stringent security procedures, it can be difficult to distinguish between what is needed and what a product is capable of. It is also difficult to assess the cost-effectiveness of a new IT security solution without a thorough understanding of the potential costs of security lapses and regulatory penalties.
At Athena Commercial, our IT procurement specialists can guide your organisation throughout the security procurement process, establishing what your true requirements are before you make any decisions. Our expertise allows us to assist you in applying proper procurement practices that will pay dividends. We can guide you in reviewing your existing technology contracts and what to look for in new ones, so you avoid automatic price increases, capacity limits, cancellation restrictions and beyond.
Choosing the best vendor for your business can be an overwhelming process. We can help with market research and negotiating price to get you the best deal because we have an extensive knowledge of the market. Once you have decided on your IT requirements and defined the products needed, we can assist with researching appropriate suppliers, contacting them for formal proposals, negotiating your terms and ensuring that penalties are in place if a supplier doesn’t perform. We also offer to oversee the project from start to finish – managing your contracts and leading the transition process to ensure that new systems are delivered on time without supplier disputes.
For further advice or an initial consultation please get in touch at firstname.lastname@example.org.