Cybersecurity in the time of budget cuts
The budgeting cycle in times of economic slowdown impacts all funding for businesses. Budget cuts are often based only on meeting a specific amount, and budget meetings can be emotional with each department wanting to protect their piece of the pie.
But budget reductions can be useful when done based on thought and reason. As Socrates said, “the unexamined life is not worth living”; so too the unexamined budget is not worth a whole lot either.
Should you reduce your Cybersecurity budget?
Before considering reductions to cybersecurity funding, first ask if you’re spending enough to begin with - many organizations are not. Cutting funding or even simply maintaining current funding may put your cybersecurity program at a disadvantage.
When it comes to budget discussions, it’s useful for cybersecurity teams to be prepared with strong arguments for maintaining funding. For example, consider whether you have calculated the Return On Investment (ROI) of cybersecurity in a meaningful way that considers long-term contributions to the organization as well as the usual protection and prevention aspects of cybersecurity. If the ROI of cybersecurity activities is not clearly articulated, it can be difficult to show value.
A starting point for ROI calculation is to consider any security certifications such as PCI-DSS, ISO 27001 and FedRAMP. Security certifications can be a requirement to do business with some clients, or a regulatory requirement. Identify revenue that is tied to cybersecurity certifications and determine whether reducing cyber spending could put that revenue at risk.
Reducing funding for any program has risks, but this is especially true for cybersecurity. A Cybersecurity breach will almost certainly wipe out any budget savings, but there are also non-financial risks to consider:
Believability of your cybersecurity program: You can’t build a believable cybersecurity program without consistent funding. Cybersecurity programs that come and go with each budgeting cycle are not going to be viewed as believable. Employees and managers will realize that the organization is not really serious about cybersecurity if cuts made without reason undermine the consistent operation of the program.
Reputation: It doesn’t take a data breach for clients or customers to determine if your organization protects their data - many organizations will check proactively. Protecting customer data is becoming nearly a fiduciary responsibility.
Due diligence: Should a data breach occur, one of the key factors in proving the organization has met its obligations concerning security is demonstrating consistent funding for cybersecurity.
Reducing Cybersecurity Costs
Despite the arguments in favor of maintaining or increasing cybersecurity funding, sometimes it is necessary to reduce cost. Reducing funding of cybersecurity in times of economic downturn can be done, but it must be done judiciously, keeping the critical parts of a cybersecurity program in place.
There are some key activities which can help to identify sensible ways to reduce cybersecurity costs. First, start with an overview of the entire Cybersecurity budget and program to identify possible efficiencies:
Duplicated functions - Does the budget contain funding for security tools that duplicate functions? Eliminate or minimize duplicated or overlapping functions. For example, do you have two or more tools used for vulnerability scanning?
Effectiveness of Tools - Are you funding tools that are no longer useful, no longer needed, or that have functions that can be done in a more cost-effective manner? For example, you may have tools that are used for narrowly defined functions, but whose functions are already built into security software you own that has a broader set of capabilities.
Administrivia - Carefully review any reporting or administrative activities to identify activities that do not add value or contribute to security. For example, maintaining multiple spreadsheets to provide reports that are not actually useful. Use reporting tools that you already have rather than wasting resources on developing pivot tables and graphs.
Efficiency - Identify what can be done to do existing activities more efficiently. For example, are there some economies to be realized by moving some activities into the cloud?
Outsourcing - Are there activities that can be done in a more cost-effective way by outsourcing to a third-party provider? For example, compliance assessments, pen-testing and risk assessments.
Training - Consider whether you can train resources instead of hiring. Technical training can be a cost-effective way to grow your own expert resources rather than searching for experienced and expensive talent. Investing in your own people increases their value to the organization and makes for a more efficient Cybersecurity program.
Once you have considered possible efficiencies for your cybersecurity program, you are ready to discuss more significant reductions to cybersecurity funding using a reasoned approach, looking at the following questions:
1. What is the reason for performing each cybersecurity activity that is being considered for budget cuts?
This cannot be answered without knowing what is valuable to the organization and how Cybersecurity protects those valuable assets.
What are the organization’s valuable assets? How does cybersecurity protect the organization’s valuable assets?
Is the reason for performing the activity still valid? Has justification (e.g. risk) for the activity increased or decreased?
2. Is the Cybersecurity activity that is being considered for funding reduction aligned with a business objective?
For example, is compliance assessment being done to meet a client’s requirements or regulatory requirements? Or is it being done because “we’ve always done this”?
Is the activity in question the result of contractual obligations? If the activity supports a contractual obligation, will funding reduction be considered a breach of contract?
3. What are the risks to the organization of cybersecurity budget cuts?
What risks could the organization be exposed to if funding is reduced?
Does the Cybersecurity activity reduce risk to the organization sufficiently to justify funding?
What cannot be cut?
It can be dangerous to consider these questions for only the current budgeting cycle. Cybersecurity attacks and vulnerabilities are dynamic and a constant threat regardless of what the economy is doing. Criminals do not go away during economic downturns. Indeed, attacks may increase because criminals know that cybersecurity controls may be reduced or enforcement lax due to budget cuts.
Here are some examples of Cybersecurity funding that should never be cut:
Patching and security upgrades - Bad actors are constantly looking for organizations that haven’t applied security patches. Organizations that cut funding for patching and security upgrades are leaving the door open for intruders.
Backup - Never give up funding for backups. A solid backup program is the best hope of quick recovery, should an attack occur. Cutting funding for backups by reducing backup frequency or lengthening time-to-fix is the path to ruin.
Training - Security awareness and secure development training should never be reduced. An organization’s first line of defense is always employees who are aware of security threats and know how to protect the organization’s valuable assets.
Analyzing your cybersecurity program to identify what is critical to fund and what can be reduced or eliminated is difficult, but it can be done with careful, sensible planning. Most importantly, you must always maintain a strong understanding of the value cybersecurity provides to your organization.