Four Steps to Cutting Cybersecurity Budgets Without Increasing Risk – Source: securityboulevard.com

Source: securityboulevard.com – Author: Ori Arbel

The projected total cost of cybercrime for 2023 is estimated to be a staggering $8 trillion. This explains why businesses in all sectors worldwide have increasingly been preoccupied with cybersecurity. Add in remote work, zero-trust and cloud, and the boom in enterprise cybersecurity budgets shows no sign of slowing; cybersecurity spending will cross the $260 billion threshold by 2026.

This budget growth is not an inherently bad thing, but in a time of economic uncertainty and layoffs, there is a growing sensitivity to capital efficiency across the board. The C-suite would love the chance to reevaluate cybersecurity stacks and (especially) staffing, which makes up the lion’s share of cybersecurity budgets.

The problem is, it’s hard to touch cybersecurity. Today, more than ever, nobody in any large organization wants to be the person that cuts cybersecurity staffing, budgets, tools—or even the break room coffee allocation—five minutes before a major breach. It’s just not a career-advancing move.

What’s more, most enterprise executives are still challenged to fully grasp the intricacies of cybersecurity tasking, technology and roles. It’s a highly technical area, populated by highly technical people. And the technology-business interface is notoriously opaque. All this makes it hard for C-level execs to understand what goes on in security teams—making it doubly hard to even consider cutting.

Yet unchecked budgets lead to unchecked growth, which leads to bloat. Too many cybersecurity leaders are measuring success based on headcount and are as concerned with building up their department as they are with building security. What’s more, too many solutions are leaving cybersecurity workforces with too much data and too few insights. The average global organization uses multiple monitoring solutions, lured by new “innovative” tools or new categories of cybersecurity, which can make it confusing to determine what is actually needed. Many times, more than half of adopted tools go unused, leading to “tool sprawl”: a tangled, inefficient web of overlapping cybersecurity products.

Clearly, it’s time for management to find a way to bring capital efficiency to cybersecurity. But how do you look at security through a capital efficiency lens? And how do you do it without unacceptably growing risk—to your organization and (frankly) to your own job?

Four Steps to Consider When Cutting Security without Increasing Risk

1. Demand security stack rationalization

Security stack rationalization establishes an ongoing, flexible framework that lets security teams baseline the current level of security, understand at a very granular level whether security needs are being met, map out how those needs may change, track changes over time and then identify and implement the best solution for each. While this may sound intuitive, in practice it is not. The tool sprawl discussed above has made it challenging for even CISOs to get a true picture of their actual security posture. However, today there are tools designed to do just this. Consider adopting one.

2. Demand clear and coherent security deliverables 

It’s time that the C-suite internalizes that the absence of breaches, ransomware attacks or downtime is not the only deliverable. Stack rationalization is a good starting point, but security leaders need to get used to delivering ongoing, comprehensive, easy-to-understand reporting that helps decision-makers understand the alignment of security with business goals. It is imperative that CISOs are held to account for cost compared to potential benefit. Some tools and solutions simply do not offer enough tangible benefits, as flashy as they might appear.

3. Internalize that building up security divisions isn’t necessary

Headcount does not equal security. Capital efficiency demands rethinking how security headcount is allotted. For example, if you can hire a professional, highly recommended service company that does nothing but penetration testing for multiple enterprise clients, do you really need an in-house pentesting team? Is the price difference worth the risk differential? Do we really need to have our own internal red, blue and purple teams? Or are we in-housing what we should be outsourcing because “bigger is better”?

4. Rethink your risk appetite 

The more executives are involved in security, the more they are able to play an active role in risk management. Risks are constantly evolving, and organizational risk appetite should evolve, too. What was once considered a risk worthy of mitigation investment may no longer be so. Is the cost of investigation really justified? For example, should we be following up and investigating every intelligence lead, every failed malicious action and every potential external scan?

The Final Word

As a cybersecurity professional, I can say with certainty that constant investment in strong security teams is absolutely crucial to business continuity. I can also say that no functional group in any organization should be above fiscal scrutiny and accountability–especially during an economic downturn. We must ask ourselves, are we doing this because we must? Is there no better and more efficient manner to achieve what we really want, or are we growing our security just for the sake of growth?

Original Post URL: https://securityboulevard.com/2023/07/four-steps-to-cutting-cybersecurity-budgets-without-increasing-risk/

Category & Tags: Analytics & Intelligence, CISO Suite, Cybersecurity, Governance, Risk & Compliance, Security Boulevard (Original), Threat Intelligence, CISO, cost, Cybersecurity Budget, cybersecurity cost, hiring, risk
