A declining economic outlook has security leaders looking to do more with less. Here’s how to boost cybersecurity productivity without sacrificing security.
- The uncertain economy is putting pressure on CISOs to do more with less.
- Initiatives should be prioritized based on their potential to deter major financial and operational risks.
- CISOs seeking to contain or cut costs can take a number of actions, such as reassessing risks, consolidating vendors, and maximizing existing investments in technology and awareness training.
At one point or another in their tenures, most CISOs will confront a period where they’re being asked to spend less — or at least not spend more. This can be related to something going on at the company, like a slowdown of revenues, a management change or a need to shift investments to other priorities.
But there are also times when the pullback on cybersecurity budgets is universal, and every CISO is affected. We’re in one of those periods now because of economic uncertainty in the form of lingering inflation, ongoing supply-chain disruptions that may be caused by trickle-down inflation or inflationary concerns, and genuine concerns about a coming recession.
Almost three-quarters of CISOs responding to a recent survey said the declining economic outlook has affected how their organizations approach cybersecurity. The same survey found that the proportion of CIOs and CISOs who say cybersecurity issues are important to their organizations has doubled over the last two years.
For CISOs, there’s obviously a tension between the growing strategic importance of cybersecurity and their own potentially static or declining budgets, as well as the overall strategy of the business. It’s a dilemma that will require CISOs to summon their resourcefulness and ingenuity — and optimize their existing and future investments — to do more with less. Smart security leaders are getting out in front of the issue to ensure they maintain not only their cybersecurity postures, but also the trust they’ve built with their C-suites and boards. As one Mimecast customer, the CISO of a well-known shoe brand, recently explained: now is the time for security leaders to step up with ideas for cost efficiencies that won’t sacrifice security.
The First Imperative: Be Open About What’s Happening
Communication is essential for CISOs during periods of uncertainty and tighter cybersecurity spending. You want your immediate reports to understand what’s going on as quickly as possible.
If previously planned investments, such as the addition of staff or a technology upgrade, must be put off, it can affect morale. Explaining the reason for these delays increases trust. What’s more, your team may have valuable ideas for cost optimization.
5 Steps to Consider
There are quite a few ways to get more out of a cybersecurity budget. Here are five steps that any security leader can consider:
- Fine-Tune Your Cybersecurity Priorities: Every CISO goes into a new budget period with a clear cybersecurity agenda, often worked out in conjunction with input from the CIO, CFO, and board. A good guiding principle for your down-cycle cybersecurity planning is to focus on de-risking core business outcomes. The things atop your list should all deter a major financial or operational risk. If there are things on your list that, from today’s economic vantage point, look like luxuries or are no longer relevant, remove them. This exercise will give you the basis for tactical decisions later on.
- Make the Most of Existing Technology Investments: Many companies don’t use their cybersecurity tools to their fullest. In an uncertain economy, it makes sense to maximize existing investments. There may be cases where one cybersecurity tool could replace two or free up cybersecurity staff to take on other work. In addition, integrating solutions can actually drive better outcomes, including higher productivity and lower MTTD and MTTR. Take advantage of vendor consultation and education options to better understand and leverage the capabilities you’ve already got. Integrating tools can also lead not only to cost savings, but also to better threat intelligence and bi-directional feeds and actions. Mimecast, for example, maintains a substantial number of educational videos that customers can use to maximize the value of their products.
- Restructure and Consolidate Vendor Relationships: Having multiple vendors isn’t necessarily a bad practice. In fact, no single vendor solution can solve all of an organization’s cybersecurity needs. But managing dozens of point solutions can be a drain on cybersecurity staff and there may be unnecessary overlap. Security leaders should look for opportunities to find the right balance between consolidation and renegotiating solution costs: the consolidation sweet spot. Those taking a longer-term view will want to consider a cybersecurity integration strategy, seeking out cybersecurity tools that easily integrate with products they already have or plan to acquire in the future.
- Reconsider Your Cyber Sourcing: There may be some aspects of your cybersecurity work currently handled by third parties that you could do better or more cheaply yourself. Alternatively, there may be some tasks or functions that a managed service provider may be better suited to handle — at either higher quality, lower cost, or both. As organizations recognize the need to downsize and/or deploy better cybersecurity expertise, they generally tend to look into an MSP or MSSP.
- Enlist Your Whole Company Into the Effort: It may be tempting to cut back on cyber awareness training. However, given that most cyberattacks result from all-too-trusting end-users, that would be a mistake. It’s more important than ever to fortify your end-users with some sort of awareness training. But chances are, you could be doing a better job at it — and without a significant increase in cost. An effective program should change behaviors. There are many key performance indicators (KPIs) that organizations can implement to make sure their cybersecurity awareness training programs are reaching the right employees and having the intended impact — many of which may be included in their vendor’s training dashboard. Security leaders who want to get more bang for their training buck should track these KPIs. There are also some low- and no-cost ways to supplement your formal training program, like signs on office walls or stickers that employees can affix to their laptops.
The Bottom Line
After years of double-digit budget increases, prudent security leaders are exploring ways to reduce or maintain their spending while preserving strong cybersecurity postures for their organizations. Opportunities for belt tightening abound, including reassessing risk postures and priorities, consolidating and renegotiating with vendors, and maximizing existing investments. Effective cybersecurity integration is another way to expand protections while maintaining budgets. Read more about Mimecast’s ecosystem of partners and APIs.