How can security leaders maximize security budgets during a time of budget cuts?
It’s no secret that the current pandemic is causing a major strain on consumers and businesses alike. As the U.S. teeters on the verge of a recession, companies are cutting their spending wherever they can — including in cybersecurity. Gartner estimates that security faces cuts as high as $6.7 billion — an unfortunate outcome, particularly since most organizations are also experiencing an expansion of their attack surface as a result of more people working from home.
In some ways, cuts in security budget aren’t surprising. Security has experienced growing budgets for years, but many security professionals have a hard time explaining to executives and board members what, exactly, they’re getting for the spend. Executives have struggled to understand cyber risk for some time, and in a tough economic environment, security is easier to put on the chopping block if it is perceived as a “tax” on the business.
But while some security programs have become bloated, many don’t necessarily deserve to be cut. Given the gravity of today’s situation, it’s time for security leaders to step in and do what they can to justify spending that bolsters their company’s overall security posture. With the right strategy in place, these leaders can be properly equipped to save their organizations from major monetary losses and damage to their brand reputation.
Speaking the “board member” language
Executives and board members have been known to have their doubts about the ROI of their security investments. Their days are driven by facts and figures — and security performance is too often discussed and evaluated in vague terms (ranging on a scale from low to high) that don’t resonate with leaders.
For senior management to really understand the effectiveness of good security measures, security leaders need to leverage quantitative metrics and share something more concrete to demonstrate the high value a strong security strategy brings. There are many strategic and tactical measurements that security leaders can share with executives and the board that demonstrate the effectiveness of programs and technology deployment. Some common metrics used to demonstrate program effectiveness include tracking the number of malware incidents blocked or the percentage of phishing emails filtered.
But it’s important to balance your own view with an independent third-party perspective too. Objective, quantitative metrics like security ratings, for example, can be useful in providing comparative analysis and meaningful correlation to security outcomes. The lower the security rating given to a company, the more likely it is to experience a breach — and the more urgent and important it is to deploy the necessary services to avoid a potential disaster. Furthermore, some security ratings are used frequently in insurance underwriting and customer decision making, affirming the importance of understanding that metric at the senior-most level of the organization.
Using a specific kind of metric, security leaders have a better chance of grabbing the C-suite’s attention. The right data has the ability to prove to decision makers just how important security is.
Enabling the remote workforce
Everyone’s business faces challenges from COVID-19, and companies need to focus on enabling their workforce to succeed. Security must recognize that they play a critical role in helping the business during these challenging times, but they can’t just say “no” to everything.
One challenge that many are dealing with right now is enabling the remote workforce. Companies don’t have many options at this point, so workers must be allowed to access the corporate network from their home offices. But we also know that residential IPs account for more than 90% of all observed malware infections, making that access much riskier.
Security professionals can help their businesses by developing capabilities that allow for continuous identification of vulnerabilities and infections on IP addresses associated with remote and home offices. Doing so will allow security teams to discover issues quickly and more effectively manage higher-risk remote operating environments. In other words, they’ll be able to ensure no harm comes to their organization while its employees work remotely.
Enabling business partnerships
Another example of how security can enable the business during these challenging times is through more efficient and effective onboarding of new vendors.
When the shift to work from home began months ago, organizations everywhere sought to onboard new vendors like Zoom. But how were they going to effectively perform risk assessments on organizations in hours or days, rather than the 8-12 week time frame that it typically takes to do a third-party cyber risk assessment?
By leveraging data and automation, security leaders can transform their third-party risk management programs, rapidly assessing and onboarding vendors to ensure that the business can start working with vendors to help achieve its goals. These efforts can actually be better at identifying risk than the typical qualitative, on-site assessment process, which is usually thought of as a snapshot in time. Security professionals shifting their programs can be more responsive to the business and establish a stronger working relationship during challenging times.
The power of benchmarking
Another way to get the C-suite’s attention? Competitive analysis. By benchmarking a company’s security program against competitors, security teams can highlight areas where their programs are performing in line — or out of line — with peers and competitors. In this day and age, no executive or board member wants to be underperforming their industry; but when it comes to cybersecurity, measuring and benchmarking have always been challenging.
Data and analytics now provide security professionals with the ability to quantitatively and objectively measure their programs across a variety of categories — and many security pros effectively use these benchmarks to highlight areas of investment or justify new spend.
The way forward
Right now, security teams are facing an uphill battle as they work to keep their organizations safe and secure. They’re also facing significant budget challenges. It’s up to security leaders to step in and prove that they can combat the current threats their companies face, but with an eye toward cost-optimization and cost-savings.
Using a combination of the above strategies, security leaders have a better shot at justifying security spending during a time when budgets are being slashed. By focusing on measurement, business enablement (including work from home and vendor onboarding), and competitive benchmarking, security leaders can establish greater credibility across the business, in the C-suite, and in the boardroom.