Mary K. Pratt
Contributing writer

10 ways to get more from your security budget

Apr 27, 2020
10 mins

In today's economic climate, CISOs have to make every penny count and maximize every dollar. Here’s how some do that.


For years, security budgets seemed to go in only one direction: up. As recently as February of this year, some 62% of organizations said they planned to increase their cybersecurity spending for 2020, according to research by analyst firm ESG.

But that was then.

Like their C-suite peers, CISOs today are being asked to do more with less – and probably will be for some time, as the world continues in these uncertain economic times.

A survey conducted in April by IDG (CSO’s parent company) found that 35% of IT leaders expect their budgets to decrease as a result of Covid-19 and the related economic downturn, and for 45% of them expense management has become their primary focus.

“You never have enough money, you never have enough people to do the job you need to get done. But the CISO’s job every single day is to reduce risk, so you have to be really smart about how you do things,” says Curt Dalton, a managing director and global leader of the security and privacy practice at the consulting firm Protiviti.

With that in mind, Dalton and several other security leaders offer their ideas on how they and other CISOs can get more out of their security budgets:

Increase automation

Executives throughout the enterprise are turning to robotic process automation (RPA) and other automation technologies to speed up processes and add efficiencies. CISOs, too, should embrace automation opportunities, Dalton says, noting that the efficiencies from RPA typically save CISOs from having to hire people to handle repetitive tasks while enabling them to shift existing staff to higher-value work. Automation also eases some of the difficulty of finding skilled security workers, which yields further savings.

Dalton says automating pieces of identity and access management (IAM), which tends to have manually intensive tasks, can yield particularly good returns as can automating incident response.

CISOs are already on their way: Cisco’s 2020 CISO Benchmark Report found that 77% of the responding 2,800 security professionals planned to increase automation in their security ecosystems.

Rebalance teams

Dalton once oversaw a security department where the 15 members of his threat assessment and response team were completely flat out with work, often putting in nights and weekends in addition to their usual workweek schedule. On the other hand, his risk assessment team had several busy periods during the year but had more moderate schedules the rest of the time.

To address the workload imbalance, Dalton cross-trained people from the risk assessment team to take on some of the threat assessment team’s work during those long stretches when the risk assessment team had lighter workloads.

Dalton says many CISOs may find that evaluating and readjusting staffing levels among existing teams can save them from having to hire more people (one of the most costly elements in any organization) while also improving team resiliency and boosting morale through cross-training and upskilling.

Review risk and realign

CISOs have spent a lot of time doing tactical work, but those tactical projects may not be delivering much value when it comes to protecting their organizations against the biggest risks they face, says Kayne McGladrey, a member of the technical professional organization IEEE and former CISO at Pensar Development.

McGladrey recommends security leaders periodically re-assess the risks facing their organizations, identify the biggest ones, and re-align their investments to those risks.

“It’s time to look at the top risks to the business and ask, ‘We can only do three things really well, so are they aligned to our risks or are they aligned to something else?’ It’s a matter of putting money toward what drives the most value as opposed to what looks good,” McGladrey says.

Renegotiate with vendors

With the economy softening, CISOs could find some better buys on the products they use to run their operations — but they have to seek out those deals. “This is really about CISOs looking for opportunities to buy more value at a better price,” McGladrey says.

He recommends that CISOs evaluate the security products in use in their organizations along with the vendors supplying them and determine which are most essential, which provide the best value and which are worth shopping around for better pricing and terms.

“Or maybe you haven’t inked the contract yet, so it might be a good time to ask for lower prices or look at competitors,” he adds. “And if you can look at this and say, ‘We don’t really need it at all,’ then you can cut it.”

Sever the security budget from IT

Nathan Beu, a director in the technology practice at West Monroe Partners, a management consulting firm, has seen security as a carve-out within the larger IT budget in multiple organizations. He says security funding falls second to IT’s needs in those places, leaving the security leader unable to leverage all of his or her dollars effectively because the budget is somewhat precarious.

He and his colleague, David Chaddock, a senior manager in West Monroe Partners’ Chicago-based technology practice, point to a particular case in which a healthcare company’s security spending was part of the larger IT budget under the CIO’s control. IT’s needs generally took precedence, which left the CISO scrambling to get stable funding to bring on the required talent. Instead, the CISO used developers from the IT team to fill in the gaps, a situation that Chaddock says “opened up all sorts of vulnerabilities.”

Beu recommends that CISOs lobby for an autonomous security budget so they can build reliable multi-year spending plans and projections and make longer-term investments in the people and technology they judge appropriate. That kind of planning not only helps ensure they get good contract terms and a skilled team, but also improves their security posture in the process.

Leverage more outside resources

The 2020 State of Cybersecurity report from ISACA, a professional association focused on IT governance, showed that staffing problems persist for most CISOs. The report found that 62% of the 2,000-plus cybersecurity professionals surveyed say their team is understaffed and 57% have unfilled positions.

And, as CISOs know, talent isn’t just hard to find; it’s expensive to hire and keep. ZipRecruiter puts the average annual pay for a cybersecurity professional in the United States as of April 2020 at $100,439.

CISOs looking to maximize their dollars should examine their staffing requirements and determine whether some positions or functions could be outsourced, Beu says. For example, CISOs may find that hiring managed service providers for some highly specialized skills that aren’t needed full time could free up dollars or they could leverage specialized expertise and services from existing vendors as part of contracts already in place.

Train on a shoestring budget

Thomas Johnson, CISO at ServerCentral Turing Group, an AWS cloud consultancy, implemented a security hygiene training program for users at a prior company. He put the program together for a few hundred dollars using his own PowerPoint presentation along with Skype and the Microsoft Stream video-sharing service to distribute the material. Johnson says CISOs should look to in-house experts, particularly their human resources and/or training teams, to provide security training to the organization.

That includes providing training to their own security teams.

“CISOs tend to think that someone outside of security can’t deliver a security training module, but leveraging the training department in your enterprise to its fullest capabilities could offer good results,” Johnson says, adding that using in-house training programs and modules that have already been purchased by the training team keeps security’s training costs in check while also providing a quick and easy way for employees to access educational material.

Maximize existing tools

John Shaffer, who as CIO at the independent investment bank Greenhill also owns the security function, wants to get what he’s paying for.

“The biggest thing is to really test what you already have in place,” Shaffer says. “I do think that people put all these tools in place to check off a box or meet some kind of requirement for a framework or to get through an audit, but how do you really know that they’re working? You have to test them and make sure they’re doing what they say they’re doing.”

To do that, he says he implemented a platform from software maker Randori to help identify any weaknesses in his security posture “and then hold those vendors’ feet to the fire,” using any subpar performance to negotiate better coverage or contract terms or to find a new vendor that performs better.

“It may lead you to find something that does the same job better or does it cheaper. There are always more people coming to the market, so you have more leverage to negotiate costs,” he adds.

Move to best-of-suite

For years, security leaders have sought out best-of-breed security tools for the various functions within their security environment, but Michael Coden, head of the cybersecurity practice at BCG Platinion, a part of Boston Consulting Group, says a best-of-suite approach, where a single purchase delivers multiple tools, could be a better financial option. Not only could best-of-suite cost less, but CISOs will likely find that they can cut back on staff training time, as they have only one tool — not many — to learn. Similarly, CISOs may find they need to commit less staff (and therefore less money) to monitoring and managing a single best-of-suite tool than to multiple best-of-breed solutions.

Review business-led initiatives for extra security costs

Executives at many organizations, particularly larger ones, often build some of their own department-level capabilities, including their own security tools for pet projects or special initiatives.

That can lead to duplicate security systems within the enterprise, many or all of which were bought under different vendor agreements that quickly ring up costs.

“You see different divisions in a company have different security teams and they’ll all buy tool X, each one perhaps for a different feature. But if they came together, the CISO could negotiate with the vendor for a lower price,” Coden says.

He adds: “Centralizing the acquisition and administration of cybersecurity tools is really important to keep costs [in check].”

Coden says he has seen a similar scenario play out with cloud deployments, with different business units purchasing their own cloud services or SaaS offerings that have security features and tools built in as part of the purchase. Security teams then end up managing those security tools, which adds complexity and cost. And when those individual business unit cloud purchases involve the same security offering, it can mean paying for it twice.

In all those cases, CISOs could maximize their dollars by reviewing all the department-level purchases and then eliminating duplications and complexities, Coden says, advising CISOs to create standards and frameworks to guide business leaders to avoid those situations and related added costs in the future.