Cybersecurity can be an expensive business.
Around two-thirds of Australian businesses feel their cyber budget is lower than it should be, and the rise of ransomware and increased remote working have put additional pressure on CISOs to do more with less.
These budget constraints have very real consequences. A startling 76% of businesses said they were hit by their lack of cyber preparedness last year. The result? Many CISOs feel like they’re caught in a loop of making repeat visits to an unimpressed board to scrounge up more funds.
There’s no easy solution to this financial pressure. But effective budgeting, automation and smart metrics can help you operate within budgetary constraints and make a compelling business case for future investment.
The key lies in knowing where your organisation currently stands in terms of cybersecurity, and managing the expectations of your stakeholders. To do that, you need a gameplan.
Start by assessing what you have
Individual organisations and industries face different threats, and there are many ways to slice up a security budget. But whatever you do needs to address business requirements first, with clear priorities and a concrete sense of the tools, people and training required to achieve your goals.
Assessing your organisation’s cybersecurity is a crucial step both in building a strategy in the first place and in ensuring it remains on track. Assets should be inventoried and resources surveyed. Do you have critical functions such as incident response plans, cyber insurance, anti-phishing training and threat monitoring? Do your existing metrics allow you to accurately assess their success?
As you conduct your assessment, it’s vital to drill into how different functions interact with each other and fit into your organisation’s goals. You might need to make some hard decisions about immediate risk and “nice to have” measures. The essence of strategy is sacrifice, and you might need to let go of some functions which, while useful, aren’t vital. An informed, clear-headed assessment can help you determine what your organisation can live without, and where you should be redirecting your spend.
Communicate your needs clearly
These assessments can uncover gaps or overspend. You’ll also be better equipped to make your case to the board if you’re able to map out spending and its effects in terms that board members can relate to. That means constantly reviewing metrics and the data that feeds into them.
Remember, it’s not about what you need or what your team needs. You need to speak in terms of what the business needs, and why. Speaking honestly to the board and listening to their perspective can also help CISOs understand the business’s tolerance for risk, and come up with a solution that aligns with the board’s goals. That way you can find common ground, and ensure cyber is treated as a business partner, not just a cost centre. An evidence-based strategy that shows how spending leads to business outcomes is far more appealing to senior executives than a blunt request for more cash.
For example, explaining the immediate damage a data breach can cause in plain language, along with the associated costs of downtime, reputational damage and recovery, can help your board understand the financial implications of a poor security posture.
Target key areas for quick wins
Your assessment may indicate specific areas for quick wins, alongside longer-term measures. While your cybersecurity planning should have both short-term and long-term components, budgeting is a different matter. Budgeting more frequently can help you realise and manage savings more effectively. A shorter quarterly budgetary review cycle can focus your efforts more precisely, and allow you to operate more nimbly, than annual reviews.
A big part of your approach to budgeting will depend on whether you favour in-house or outsourced cybersecurity. When evaluating your options, it’s always worth going back to basics: what does effectiveness look like? What’s the most efficient balance of people, partners, systems and tech that can get you there?
Think about access management and the cloud
Updating your organisation’s approach to access management can do wonders for your cybersecurity. An evaluation of identity and access management will likely uncover a sprawl of profiles and passwords that can be streamlined. There may also be a case for investing in cloud infrastructure security. It can be daunting to propose that kind of expenditure, but looking at the total cost of ownership and its benefits may show that it is a sound investment.
Some of the biggest savings can come from out of house. Consolidating suppliers can reduce complexity, and is becoming especially viable as individual vendors increasingly offer suites of complementary products.
Consider your mix of people and automation
Skilled cybersecurity professionals are increasingly in demand, and it can be hard to hold onto existing staff and hire talented new blood. Building a positive company culture can help with both, and keep recruitment costs in check. Employees who know your company and sector, and who produce great results without hand-holding, are an obvious cost saving, and targeted training can aid with retention and help develop the talent you have.
Optimising security orchestration, automation and response (SOAR) and security information and event management (SIEM) can also take some of the burden off the shoulders of your staff. Automating SOAR decisions can make operations smoother, while next-generation SIEM can respond directly to alerts. Tools that simplify stressful tasks make for happy employees – automating tier one analysis will leave staff free to focus on more high-value and sophisticated work.
Mastering the art of cyber budgeting
Budgeting can be a constant headache for CISOs. There’s no magic money tree, but with a little forward planning, you can lighten a lot of the load. Automation, staffing, tangled processes and overcomplex supply networks are all obvious places to start. A comprehensive assessment that leads to a business-aligned strategy can help you identify saving opportunities and communicate them effectively. While every CISO faces cost-cutting pressures in some form, there might be a case for increasing budgets if you can demonstrate the return. This is where talking to people from other departments can give you a lot of insight. For example, having someone from marketing backing you when it comes to better security for customers can be a big help in discussions with the board.
Cyber budgeting is an art as much as it’s a science, and it takes a lot of trial and error to get the mix just right. But by keeping a whole-of-business perspective and speaking to the board in commercial terms and risk management terms, you help put them in a better place to sign off your requests – and take the next step in keeping your organisation cyber secure.