To many CEOs, a company’s IT function appears to be expensive, which makes it a target for cost-cutting. While there are smart ways to reduce costs in this area, corporate leaders should be aware of the harmful effects that unplanned cost reductions can have on the overall operations and security of the business.
According to Kevin Carpenter, cybersecurity due diligence leader at RSM, there is a misconception that budgets in IT and cyber-related areas are easy to cut. Carpenter makes the point that IT is always evolving, and making too many cuts may result in requiring a bigger budget in the future, once it becomes clear that the company needs to catch up to best-in-class systems.
One item within IT and cybersecurity that is quick to be reduced or cut entirely is penetration testing, which is the hiring of “ethical hackers” to test systems, look for holes and make improvement recommendations. Many companies view pen-testing as nice-to-have rather than necessary, but those that cut it typically end up falling behind. Carpenter adds that IT and cybersecurity budgets shouldn’t necessarily be off-limits, but that there should be a thoughtful approach that takes into account the business’s industry and what data it is trying to protect.
Similarly, Lou Brothers, IT due diligence leader at RSM, notes that cost-cutting can be valuable as long as proper homework is done beforehand. Bringing up the example of cost-cutting via offshoring, Brothers notes that it’s important to figure out the offshoring ratio, make sure the headcount is correct, and confirm that the company is doing the right things before making any decisions about right-sizing.
Another idea for cost-cutting has been to move data to a cloud-based service, instead of a physical infrastructure. At first glance this data migration may promise cost savings of; or more, but that is only after the migration has taken place. It’s imperative to make sure enough analysis is done around the costs and potential limitations of making that move.
The amount of business activity taking place online is only continuing to grow, so corporate leaders will need to start viewing IT and cybersecurity as part of the brand itself, as opposed to utilities to support the brand.