Getting the most out of your security budget

There may be no more pressing need in today’s online world than quality cybersecurity. With such a limited budget, it’s crucial to prioritize purchases that will give your organization the greatest return on your investment.

There may be no more pressing need in today’s online world than quality cybersecurity, making it a top-line item for just about everyone. But even as the need builds, the salaries rise, and the expectations heighten, resources remain scarce.

Security budgets will always be far too finite, so decision makers need to be smart about how and where they allocate, knowing they’ll almost certainly lack financial flexibility.

Once you break it down, that inflexibility goes on full display.

The vast majority of anyone’s security budget will go toward employee salaries, perhaps even close to 60 percent. That’s unavoidable, and likely justified. People truly are any company’s biggest investment. After all, it is your staff who will be standing between your organization and those who would do it cyber-harm.

For federal agencies, this holds especially true. Demand for IT talent in the private sector often siphons from the public, even as agencies do their best to keep up.

The next 30 percent of a budget will go to operational costs: things like software licensing, data storage, ongoing contracts, and any other line items you tend to see year over year. Automation could assist in savings when it comes to operations, but operations will almost always occupy a large part of your budget pie regardless.

That leaves companies with a measly 10 percent to spend on new products, initiatives, training, and technology. With such a limited pot, it’s crucial to think through what will give your organization the greatest return on your investment.

Driving the business forward

So, let’s take that 10 percent and maximize it. The no. 1 thing any flexible budget should be going toward is driving your organization’s mission forward. At a federal agency, that means advancing the potential to provide better, more efficient civilian services. In the private sector, it could mean driving profit and providing a better experience for your end user.

Obviously, this can take an array of different forms depending on your organization, so it’s difficult to prescribe a one-size-fits-all directive. CSOs need to examine their company’s goals and evaluate how their choices can align to help reach those benchmarks. But as you conduct that audit, it’s worth restating one more time: if you’re not driving your organization’s mission, you’re not doing anything.

Automate and integrate

Cybersecurity isn’t the new kid on the block anymore. We don’t have the luxury of purchasing shiny new technologies and then spending years learning them. The age of experimentation is gone. When you purchase new technologies, it should be with the intention of integrating them with your current ones and supporting the drive towards automation. Everything is moving at a faster, more streamlined clip.

These discussions often circle back to budget, of course. Salaries are expensive and wages are competitive. In truth, any organization may never have the full staff that it needs. With that in mind, it is essential to use automation to free up your current workforce’s time and let them refocus their efforts on mission-advancing projects instead of repetitive or predictable tasks.

Start by examining your current security stack for holes. Where can your incident response protocol afford to be automated? Are there unnecessary silos between departments that create diluted and time-intensive chains of approval for certain network changes? How can orchestration get those disparate parts working together?

Filling holes like those listed above to streamline the work will give you increased returns as your IT staff regains the freedom to focus on higher-level initiatives.

Finding the right people

It’s a fallacy to think all a hiring manager needs to do is post a job and talent will come calling. In the public sector, that’s evident. There are approximately 15,000 unfilled IT and cybersecurity positions around government right now. The market has become highly competitive in the search for the best and the brightest, and everyone needs to invest in recruiting or risk facing lackluster candidates stepping up to replace the turnover you will inevitably face.

There are plenty of ways to do this at very little cost. In fact, funding growth programs to ensure you continue to have qualified new faces coming through the door has one of the highest returns on investment that you’re likely to find, and it will help you close the skills gap to boot. Consider hosting a networking event or competition that will get talented parties together and talking. Or, consider building a scholarship fund. Even as little as a single year’s tuition will introduce your organization to a range of potential applicants while simultaneously building brand loyalty and trust.

Some people make the mistake of thinking that security is purely a technology problem, and when they have a small budget they jump straight to the newest, hottest software. But budget planning has to be more discrete than that. The amount of movable money left over after wages and operational costs is so marginal that a rigorous examination of what will truly move the needle for your specific company is 100 percent necessary. Once that evaluation is completed, it could very well be software that you need — but make sure it’s tailored to filling the gaps in your posture as well as helping your company move toward automation.

Whatever you decide on, let advancing your company’s mission be your guiding light, and it’ll be impossible to go wrong.

This article is published as part of the IDG Contributor Network.