Management, compliance & auditing

How to make cybersecurity budget cuts without sacrificing security

November 11, 2020 by Susan Morrow

Introduction

2020 has been an incredibly challenging year. Physical and mental health has taken a heavy toll; economies are under threat; and organizational processes and security have been pushed to the limit with home working. The latter issue has seen companies the world over almost overnight have to shift workforces into home offices and take on the challenge of remote security.

All of these changes have been done under the specter of tight budgets brought about by the economic pressures from the COVID-19 pandemic.

A Pulse survey into IT budgets during the pandemic found many budgets were frozen. Now more than six months into the pandemic, 23% of CIOs are finding IT budgets remain frozen, with 49% seeing a decline in funding for IT.

Until the COVID-19 pandemic changed the world, Cybersecurity was seeing increasing budgets. This was because of the very real danger of cyberthreats targeting the modern connected enterprise. Now that IT budgets are stagnant, how can an organization make budget cuts while retaining a robust security posture?

Steering a secure ship with budget cuts

CSO Online, a security industry publication, recently engaged with a number of C-level security officers and vendors to create a series of advisories on how to deal with stagnant IT budgets. From this engagement, several tips on how to remain secure under challenging budget constraints were discussed:

Tip 1: Identify overlaps in tech

During World War II in the UK, there was a saying: “make do and mend.” This was used to encourage people to make the most of what they had and optimize its use. Security professionals agree that an important aspect of balancing a budget with security needs is about making the most of what you already have. 

Security was doing well until the pandemic, with improved budgets to help deal with the cybersecurity crisis. Now, as those budgets are frozen or cut, the IT team and security professionals in an organization need to look at streamlining functionality. This does not mean that you have to remove capability. As the CSO Online article points out, areas such as endpoint security may overlap with other antivirus solutions and there is no point in paying for both. The focus here is to remove redundancy.

Tip 2: Renegotiate vendor contracts

We are all in the same boat at the moment and vendors are in there with us, paddling away. Talk to your vendors: they may have introduced new prices since your last contract. If at all possible, look to a Managed Service Provider (MSSP) for subscription-based models for managed security solutions. The subscription-based model is great for knowing what you pay each month and allows you to budget. 

Also, look for other ways to reduce license costs. Using an MSSP is often a good choice for an SMB; an MSSP can usually get better pricing and packages as they work at scale.

Tip 3: Use technology to lower people-related costs

Automation is a growing trend in security. The technique uses smart technologies based on artificial intelligence such as machine learning (ML). ML is used to automate repetitive security tasks by analyzing massive amounts of security-related data.

An example application of automation is in the area of SecOPs. Automation software is used to perform cyberthreat detection tasks. These automated security detection platforms analyze massive amounts of network traffic data to spot anomalies and security threats. The platforms remove the need for large amounts of onerous manual work but do not remove the need for a security analyst. Instead, the analyst can be used more productively. 

Another example is in the use of zero-trust security models. The use of micro-perimeters is an element of the discipline. Solutions that provide the ability to create software-defined perimeters can also help to remove the need for other technologies.

This tip is also about how to improve efficiency. In a recent survey by Fidelis Security, fewer than 7% of all organizations felt they were using their security stack to its full capability. Automation of repetitive and mass-data related security tasks can help bridge this gap.

Tip 4: Be careful with lay-offs

The skills gap in cybersecurity has meant that organizations have struggled to find the right staff in the past. But now many firms are laying off skilled staff. 

The CSO Online article highlights the June Pulse survey findings on this, showing 48% of data security teams with a “reduced headcount because of COVID-19”. Once you lose staff, it is hard to recover the skill level. It also affects the rest of the team who may be concerned over their own job and feel bad for their redundant colleagues. The decision to lose staff should always be a last resort. It is much better to try and find savings elsewhere.

Tip 5: No matter what, remember your goals

The ultimate takeaway from the CSO Online discussion with the security professionals was this: have a single guiding strategy. You may have to run on empty for a while, but it should not be forever. 

To weather this storm, you will have to think creatively. You don’t have to do this alone. Engage with your staff and in doing so, you will build a stronger team and may well find innovative ideas. Your staff are on the front line; team members may well have already noted that you have overlap in capability or know of a way to reduce budget costs. Riding the wave of coronavirus is a team effort and together, we will find a way through.

 

Sources

IT Budget Evolution During the COVID-19 Crisis, Pulse Content Cloud

5 tips for cutting budgets in a crisis without hurting security, CSO Online

The State of Threat Detection Report 2019, Fidelis Cybersecurity

Posted: November 11, 2020
Articles Author
Susan Morrow
View Profile

Susan has worked in the IT security sector since the early 90s; working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology. She tweets @avocoidentity