5 Ways to Justify Security Investments in the Face of Budget Cuts
Brian Thomas | June 12, 2020
For years cybersecurity spending has experienced stratospheric growth. Then COVID-19 hit and forecasts took a grim turn.
As a result of the economic impact of the pandemic, Gartner estimates there will be a $6.7 billion decrease in global security spending in 2020. Meanwhile, Forrester warns security teams to expect lean budgets and the trimming of already-thin staff, reports Dark Reading.
The truth is, the era of infinite security spending was coming to an end even before the coronavirus struck. In the face of constantly evolving threats and seemingly unstoppable cybersecurity incidents, the C-suite and board have grown increasingly concerned about the ROI of their security investments.
Part of the problem lies in a disconnect between the C-suite and security managers. Executives don’t always fully understand cyber risk and might not comprehend that investment now can prevent cyber attacks in the future. At the same time, security leaders are still very technology-focused and don’t always align with the business when evaluating how to spend security dollars.
In light of the current slowdown, it’s even more important for security leaders to justify the budgets they need to help drive their businesses forward, securely. Let’s take a look at how this can be achieved.
1. Understand the risk landscape so spend can be prioritized
In order for security leaders to justify their budgets and better align spend to outcomes, they must gain visibility into where the greatest risk exists across the digital ecosystem. To do this, teams must be able to quickly discover, assess, and report on areas of disproportionate risk across their digital assets — on-premises, in the cloud, and across remote office environments. Companies with subsidiaries or operations in multiple geographies can conduct the same analysis across their enterprises to pinpoint where the greatest cyber risk exists.
In this way, they can prioritize security spending and quickly introduce cyber risk reduction programs where they are most needed and will demonstrate the greatest ROI.
2. Use metrics to justify funding
Too often, when reporting to the board, security performance is quantified on a vague scale of high, medium, and low grades, but senior management is likely looking for something more concrete. Therefore, security teams should use metrics that have a direct relationship to positive or negative outcomes. It is incumbent on security teams to show that their work has real-world outcomes that help the business grow, scale, and increase profitability.
Security ratings, for example, correlate directly with the risk of a data breach: the lower the rating, the higher the risk. Independent research found that companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
Security leaders can use security ratings to justify funds for their security programs. If their ratings drop, due to an increase in unpatched systems or other vulnerabilities, they can link that lapse to an increased likelihood of a breach — and make a case for a specific dollar amount to address the problem and improve their security posture.
3. Benchmark security performance to prioritize investments
Decision-making around budget allocation can be further refined by benchmarking a business’s security program against other organizations of similar size or in the same industry. With these insights, security teams can take steps to meet and surpass industry benchmarks by setting achievable security performance improvement goals, allocating limited budgets and resources effectively, and prioritizing the security efforts that will have the highest impact.
4. Uncover risk in the new remote office landscape
Despite budget cuts elsewhere, the exodus from the office to a work-from-home environment will continue to be a significant area of investment for business and security leaders, for good reason. The remote office introduces new and evolving vulnerabilities into the digital ecosystem. In fact, according to BitSight research, residential IPs account for more than 90% of all observed malware infections and compromised systems.
5. Evaluate third-party risk in a cost-effective manner
Third parties, such as vendors and partners, have proven to be a weak link in the security chain. According to a study by Opus and Ponemon, 59% of companies said they have experienced a data breach caused by one of their vendors or third parties. With this in mind, it’s imperative that security budgets are geared towards exposing risk within the supply chain.
With BitSight for Third-Party Risk Management, security teams can gain immediate visibility into cyber risks within a potential vendor’s ecosystem and identify vendors that require greater due diligence — such as those who interact with critical system resources. With these insights, they can reduce onboarding time and costs, and scale processes to assess and monitor all vendors with their current resources — both prior to entering into a business relationship and for the duration of the agreement.
The “new normal” requires a new approach
Security leaders must arrive at a place where they understand where the concentration of risk lies — in the cloud, and across geographies, remote office environments, and third-party networks — and communicate that risk in an understandable way to executives and the board. Only then can they make a case for security investments based on the organization’s specific risk exposure and tolerance, and tie those risk reduction investments to greater operational efficiency and business impact — even after budgets bounce back from this pandemic.