For years, security budgets seemed to go only one direction: up. As recently as February of this year, some 62% of organizations said they planned to increase their cybersecurity spending for 2020, according to research by analyst firm ESG.

But that was then.

Like their C-suite peers, CISOs today are being asked to do more with less – and probably will be for some time, as the world continues in these uncertain economic times.

A survey conducted in April by IDG (CSO's parent company) found that 35% of IT leaders expect their budgets to decrease as a result of Covid-19 and the related economic downturn, and for 45% of them expense management has become their primary focus.

"You never have enough money, you never have enough people to do the job you need to get done. But the CISO's job every single day is to reduce risk, so you have to be really smart about how you do things," says Curt Dalton, a managing director and global leader of the security and privacy practice at the consulting firm Protiviti.

With that in mind, Dalton and several other security leaders offer their ideas on how they and other CISOs can get more out of their security budgets:

Increase automation

Executives throughout the enterprise are turning to robotic process automation (RPA) and other automation technologies to speed processes and add efficiencies. CISOs, too, should embrace automation opportunities, Dalton says, noting that the efficiencies from RPA typically save CISOs from having to hire people to handle repetitive tasks while enabling them to shift existing staff to higher-value tasks. Automation also helps ease some of the challenges of finding skilled security workers, which further adds financial savings.

Dalton says automating pieces of identity and access management (IAM), which tends to involve manually intensive tasks, can yield particularly good returns, as can automating incident response.

CISOs are already on their way: Cisco's 2020 CISO Benchmark Report found that 77% of the responding 2,800 security professionals planned to increase automation in their security ecosystems.

Rebalance teams

Dalton once oversaw a security department where the 15 members of his threat assessment and response team were completely flat out with work, often putting in nights and weekends in addition to their usual workweek schedule. On the other hand, his risk assessment team had several busy periods during the year but had more moderate schedules the rest of the time.

To address the workload imbalance, Dalton cross-trained people from the risk assessment team to take on some of the threat assessment team's work during those long stretches when the risk assessment team had lighter workloads.

Dalton says many CISOs may find that evaluating and readjusting staffing levels among existing teams can save them from having to hire more people (one of the most costly elements in any organization) while also improving team resiliency and boosting morale through cross-training and upskilling.

Review risk and realign

CISOs have spent a lot of time doing tactical work, but those tactical projects may not be delivering much value when it comes to protecting their organizations against the biggest risks they face, says Kayne McGladrey, a member of the technical professional organization IEEE and former CISO at Pensar Development.

McGladrey recommends security leaders periodically re-assess the risks facing their organizations, identify the biggest ones, and re-align their investments to those risks.

"It's time to look at the top risks to the business and ask, 'We can only do three things really well, so are they aligned to our risks or are they aligned to something else?' It's a matter of putting money toward what drives the most value as opposed to what looks good," McGladrey says.

Renegotiate with vendors

With the economy softening, CISOs could find some better buys on the products they use to run their operations — but they have to seek out those deals. "This is really about CISOs looking for opportunities to buy more value at a better price," McGladrey says.

He recommends that CISOs evaluate the security products in use in their organizations along with the vendors supplying them and determine which are most essential, which provide the best value and which are worth shopping around for better pricing and terms.

"Or maybe you haven't inked the contract yet, so it might be a good time to ask for lower prices or look at competitors," he adds. "And if you can look at this and say, 'We don't really need it at all,' then you can cut it."

Sever the security budget from IT

Nathan Beu, a director in the technology practice at West Monroe Partners, a management consulting firm, has seen security as a carve-out within the larger IT budget in multiple organizations. He says security funding falls second to IT's needs in those places, leaving the security leader unable to leverage all of his or her dollars effectively because the budget is somewhat precarious.

He and his colleague, David Chaddock, a senior manager in West Monroe Partners' Chicago-based technology practice, point to a particular case, where a healthcare company's security spending was part of the larger IT budget under the CIO's control. IT's needs generally took precedence, which left the CISO scrambling to get stable funding to bring on the required talent. Instead, the CISO used developers from the IT team to fill in gaps, a situation that Chaddock says "opened up all sorts of vulnerabilities."

Beu recommends that CISOs lobby for an autonomous security budget to allow them to build reliable multi-year spending plans and projections so they can craft longer-term investments in the people and technology that they feel are appropriate – planning that helps ensure not only that they're getting good contract terms and a skilled team but also that they boost their security posture in the process.

Leverage more outside resources

The 2020 State of Cybersecurity report from ISACA, a professional association focused on IT governance, showed that staffing problems persist for most CISOs. The report found that 62% of the 2,000-plus cybersecurity professionals surveyed say their team is understaffed and 57% have unfilled positions.

And, as CISOs know, talent isn't just hard to find, it's expensive to hire and keep; ZipRecruiter puts the average annual pay for a cybersecurity professional in the United States as of April 2020 at $100,439 a year.

CISOs looking to maximize their dollars should examine their staffing requirements and determine whether some positions or functions could be outsourced, Beu says. For example, CISOs may find that hiring managed service providers for some highly specialized skills that aren't needed full time could free up dollars, or they could leverage specialized expertise and services from existing vendors as part of contracts already in place.

Train on a shoestring budget

Thomas Johnson, CISO at ServerCentral Turing Group, an AWS cloud consultancy, implemented a security hygiene training program for users at a prior company, a training program he put together for a few hundred dollars using his own PowerPoint presentation along with Skype and the Microsoft Stream video-sharing service to distribute the material.

Johnson says CISOs should look to in-house experts, particularly their human resources and/or training teams, to provide security training to the organization. That includes providing training to their own security teams.

"CISOs tend to think that someone outside of security can't deliver a security training module, but leveraging the training department in your enterprise to its fullest capabilities could offer good results," Johnson says, adding that using in-house training programs and modules that have already been purchased by the training team keeps security's training costs in check while also providing a quick and easy way for employees to access educational material.

Maximize existing tools

John Shaffer, who as CIO at the independent investment bank Greenhill also owns the security function, wants to get what he's paying for.

"The biggest thing is to really test what you already have in place," Shaffer says. "I do think that people put all these tools in place to check off a box or meet some kind of requirement for a framework or to get through an audit, but how do you really know that they're working? You have to test them and make sure they're doing what they say they're doing."

To do that, he says he implemented a platform from software maker Randori to help identify any weaknesses in his security posture "and then hold those vendors' feet to the fire," using any subpar performances to negotiate better coverage or contract terms or to find a new vendor that performs better.

"It may lead you to find something that does the same job better or does it cheaper. There's always more people coming to the market, so you have more leverage to negotiate costs," he adds.

Move to best-of-suite

For years, security leaders have sought out best-of-breed security tools for the various functions within their security environment, but Michael Coden, head of the cybersecurity practice at BCG Platinion, a part of Boston Consulting Group, says a best-of-suite approach, where a single purchase can deliver multiple tools, could be a better financial option. Not only could best-of-suite cost less, but CISOs will likely find that they can cut back on staff training time as they only have one tool — not many — to learn. Similarly, CISOs may find they need to commit less staff (and therefore less money) to monitoring and managing a single best-of-suite tool vs. multiple best-of-breed solutions.

Review business-led initiatives for extra security costs

Executives at many organizations, particularly larger ones, often build some of their own department-level capabilities, including their own security tools for pet projects or special initiatives. That can lead to duplicate security systems within the enterprise, many or all of which were bought under different vendor agreements that quickly ring up costs.

"You see different divisions in a company have different security teams and they'll all buy tool X, each one perhaps for a different feature. But if they came together, the CISO could negotiate with the vendor for a lower price," Coden says.

He adds: "Centralizing the acquisition and administration of cybersecurity tools is really important to keep costs [in check]."

Coden says he has seen a similar scenario play out with cloud deployments, with different business units purchasing their own cloud services or SaaS offerings with security features and tools built in as part of the purchases. Security teams then end up managing those security tools, adding complexity and costs for security teams. Or when those individual business unit cloud purchases involve the same security offering, it might mean duplicate costs.

In all those cases, CISOs could maximize their dollars by reviewing all the department-level purchases and then eliminating duplications and complexities, Coden says, advising CISOs to create standards and frameworks to guide business leaders to avoid those situations and related added costs in the future.