Information security has long had the reputation of being understaffed and underfinanced, and that was before COVID-19. Under the current economic downturn, pressures have become even greater, with research company Pulse reporting on June 4th that 23% of security budgets are currently frozen and that 49% have been reduced.

So when the CEO asks you to cut that already under-resourced budget, where should a CISO start? More specifically, is there a way to make these cuts that can keep them from becoming permanent once the economic downturn is over? CSO connected with consultants, vendors and CISOs for their top tips:

1. Identify overlaps in tech

In the golden triangle of people, process and technology, start by looking at tech -- namely, the software the company already has. Leo Taddeo, CISO and president of Cyxtera Federal Group, says, “Look for areas where innovation has created efficiencies.” Since many tech vendors are constantly adding new features, there may be overlaps now that didn’t exist yet at onboarding. Take your current endpoint protection suite for example; Taddeo says it may also provide significant antivirus protection, adding “If a CSO is incurring costs for both, then this is an area for cost savings.”

Work with other departments to see what technology they use. Identifying shadow IT has always been a struggle, so start with known systems, especially ones that are more widely used. Taddeo says, “There may also be capabilities in an existing platform, like Windows 10, that allow a CISO to mitigate risks by simply switching on a security feature.”

Wherever you find it, removing tool redundancy is a cost-savings measure you’ll probably want to keep even after budgets go back to normal. As Greg Touhill, president of zero-trust network access solutions provider Appgate Federal, says, “CSOs should always be looking for opportunities to be more effective, efficient and secure -- pandemic or not.”

2. Renegotiate vendor contracts

For the tools your department keeps, try eliminating costs by “re-engaging with your vendors in order to ensure you’re getting the best price possible,” says George Gerchow, CSO of Sumo Logic, an analytics platform. “Right now, every vendor is desperately trying to protect their customer base, so point solutions will have to lower their price to compete with suite solutions,” he says, meaning suite solutions are likely to give a license discount.

Jeff Hausman, general manager of security operations for vendor ServiceNow, recommends teams shift away from perpetual licensing to a subscription model, if they can, to give budgets flexibility.

“Platforms that charge for data usage will have to get creative on charging by data type, and frequency of searches,” says Gerchow.

CEO Mark Orlando at service provider Bionic provides similar counsel: “Scale back on any technology license that is based on data volume or [an]other variable metric. Look for ways to reduce those licensing costs by cutting data feeds that aren’t actionable or have become stale -- or at least consolidating and co-terming those support contracts to find overlaps and get temporary payment relief.”

If vendors won’t negotiate, both Hausman and Gerchow recommend transitioning to open source alternatives.

3. Use technology to lower people-related costs

Of the many difficulties associated with having to cut a budget in today’s environment, there may be one positive. Hausman says, “This is a great time to automate the drudgery out of security operations.” All that manual work that takes too much of your team’s time? Well, if your CEO is open to spending a little to save a lot, this may be your chance to make the case for buying that automation tool you’ve been wanting. Hausman says, “There’s low-hanging fruit with task automation and process orchestration.”

Hausman recommends CISOs apply the 80/20 rule, a business theory also known as the Pareto Principle that states 80% of results come from only 20% of efforts. Hausman says to ask, “What are the top five ways your team spends their time?” Do these activities align with company and departmental goals? “Off-the-shelf workflows can safely tackle specific areas such as data collection, prioritization, [and] incident consolidation and remediation assignment,” he explains.

This tip may be especially helpful with implementing zero trust, where Touhill says new innovation in software-defined perimeters, for example, advances strategy “while helping to slash operating costs, as they enable you to retire elderly, manpower-intensive technology such as virtual private network (VPN) and network access control (NAC) systems” -- an interesting idea at a time when Pulse data shows VPNs as this May’s most common “new budget item” for 36% of cybersecurity teams.

Spending of any type may not be what the C-suite wants to see right now, but if the boss is open to creative thinking, try leveraging human resources funding for any open security positions by making the case for software that reduces departmental work. Some tools can be pricy, but is the overall cost to the company more or less than salary plus benefits for a new hire? Plus, this tip may also help you set a precedent for purchasing other wish-list tech when budgets do come back.

4. Be careful with lay-offs

If you’re looking to cut budget, unfortunately layoffs will do it, with June job loss data showing more than 30 million Americans out of work during the pandemic. In cybersecurity, the June Pulse survey shows that 48% of data security teams “reduced headcount because of COVID-19” during April or May and that 40% plan to let people go before November.

Bionic’s Orlando says, “Losing skilled team members will have lasting impacts on team morale and hamper future recruiting efforts, so staff cuts should be a distant last option for security leaders who want to maintain some kind of capability once the crisis passes.”

At some point, the economic crisis that came with COVID-19 will be over. Making employees work overtime while they deal with health concerns, childcare issues, and the worry they might be laid off next doesn’t foster loyalty. As Touhill points out, personnel, training and licensing costs make up the bulk of most security budgets. Employees who grow to hate you now may very well quit post-COVID-19, increasing personnel and training costs for their replacement hires. Remember, the goal is to find ways to cut the budget now without hurting security in the future.

5. No matter what, remember your goals

Going back to Hausman’s remarks, it’s important at all times for security leaders to keep their goals in focus. In determining today’s or any cuts, Orlando says the general strategy is the same: “Break down the security team charter to a molecular level and decide what you can afford to lose and still get the job done.” At the end of the day, sticking to that single guiding strategy will tell you what should -- and should not -- be cut.