By Doug Barbin, Chief Growth Officer and Managing Principal at Schellman

C-Suite executives have many variables to consider when they are implementing changes or making investments at an enterprise level. They are reckoning with a fragile economy, downsized teams and heightened inflation rates—putting budgeting and cost concerns top of mind, and rightfully so. However, too often, business leaders get caught up in the everyday consumer mindset of bargain-hunting for products or services that require exceptional accuracy and efficiency. This is none truer than for organizations shopping for a cybersecurity compliance assessment.

The cybersecurity industry itself is facing challenges as well. The adoption of data privacy regulations – from CMMC to GDPR and CCPA, expanding security threats and additional digital footprint complexities have further complicated and increased costs for trusted and secure cybersecurity operations. To further burden decision-makers, cybersecurity insurance premiums are peaking for those who worry about or experience a breach.

While this may entice business leaders to look for affordable cybersecurity assessment auditing programs above all, it’s important to note the average cost of an enterprise data breach was $4.35 million in 2021. So, while cost is an important factor in any business purchase, it should not and cannot be the only factor when conducting a security assessment. Instead, when researching different cybersecurity auditing partners and programs, Chief Information Security Officers (CISOs) should consider return on assessment investment (ROAI).

Understanding ROAI measurements

ROAI measurements leverage a combination of factors, including an auditing firm’s reputation and resources—enabling leaders to take a more strategic approach to decision-making. It also considers the working relationship that an auditing firm will have with a business, accounting for process-related efficiencies and workflow synergies. In essence: it covers the largest impacts of a compliance program, beyond cost.

Assessment firms with enhanced expertise, scale and capabilities of cybersecurity auditing can provide higher quality and level of service with a lower operational cost per report. With ROAI in mind, businesses are encouraged to dig deeper, beyond the dollars and cents, to determine which providers can bring the auditing efficiencies and scope of auditing services needed to remain compliant, mitigate disruptions and help the company save on costs later down the line. Most importantly, the customers that rely upon an organization will better trust them if the organization is wholistically considering its audit partners.

Auditing efficiency and why it’s valuable

Businesses that aren’t considering ROAI tend to gravitate to the low-cost, “easy-button” providers they see pop up in their newsfeeds, inboxes or while scrolling through social media. Unfortunately, those easily recognizable providers that throw massive budgets into marketing campaigns to showcase their savings, aren’t always what they claim to be once a working relationship is established. And, when put into practice, there are unforeseen “costs” to actually working with them. For low-cost cybersecurity auditing firms, this is also true.

Everyone will claim they’re efficient when pitching you, but oftentimes, low-cost audit firms will propose and price their engagements based on a perfect case scenario. They disregard mentioning any add-on fees for additional services or how they support you on an ongoing basis. Once a company signs a contract, they are often at the mercy of the auditor. If the firm decides to enact several rounds of changes to the original, agreed-upon audit contract—a tactic known as “amendment creep”—the company may be subject to price increases and additional licensing audits that cost the business time, resources and productivity, as well as their assurance that they chose the right provider.

An ROAI approach considers the effects of a firm’s auditing efficiency to mitigate contract amendments and business disruptions. Cybersecurity auditing firms offering 5% or less for the number of amendments they can propose to a contract after an agreement is made typically deliver high-quality audits without any of the added costs or headaches. This is because, as uncovered with ROAI, they have the confidence, resources and expertise to customize to customer needs within a certain price range.

Ditching the “bolt-on” cybersecurity assessment

General administrative efficiencies go hand in hand with auditing efficiencies for IT teams. No cybersecurity operation is the same. Thus, auditing programs must possess the flexibility and scalability to adequately integrate into and meet the needs of each business’s unique digital infrastructure.

Low-cost audit firms often lack the agility and resources to adapt to quickly evolving business needs or meet the varying requirements of different regulatory bodies. These firms often use predetermined auditing templates that negate customization to provide a tailored experience for a CISO’s team. These templated auditing programs can also be another way for low-cost cybersecurity firms to charge additional fees for adjustments needed to remediate auditing needs or for implementing processes to solve for inaccurate or imprecise audit results.

When choosing a cybersecurity auditing partner, CISOs must weigh a firm’s agility and ability to provide fast, efficient and personalized auditing programs to adapt to their business’s evolving needs. Additionally, auditing firms that offer highly flexible and scalable assessment programs can often cover auditing requirements for any regulatory agency. This enables companies to implement a cohesive cybersecurity auditing program, partnering with a single assessment firm—reducing the time wasted and complexities of finding and working with multiple firms.

By assessing cybersecurity needs beyond cost, CISOs will discover the administrative value they can find in their cybersecurity assessment, leading to less time spent preparing for an audit; less time spent educating your auditors; less time spent responding to duplicate requests; and less time re-writing reports. This, in turn, streamlines cybersecurity assessment processes, which reduces workloads, eliminates business disruptions and leads to unforeseen cost savings later downstream.

For companies that want to uplevel their cybersecurity compliance programs, the cost cannot be the sole consideration. By making cost a small component of your company’s larger security narrative and using ROAI measurements, CISOs can take a more strategic approach to risk assessment. Choosing a cybersecurity compliance program based on expertise, flexibility and scale ensures IT teams are not only getting the efficiencies and agility necessary to keep up with ever-evolving compliance needs but are also gaining a knowledgeable and trusting auditing partner to help navigate their cybersecurity journey.

About the Author

Considering All Returns on a Cybersecurity Compliance ProgramDoug Barbin is the Chief Growth Officer and Managing Principal at Schellman. Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman’s service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams.

Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor’s degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications including several he helped create.

Doug Barbin can be reached online at https://www.linkedin.com/in/douglasbarbin/ and at our company website https://www.schellman.com/.

Source: www.cyberdefensemagazine.com