How to protect cybersecurity budgets

Market volatility and inflation are forcing companies to slash spending. In uncertain times like these, there’s a tendency toward across-the-board cuts, so every department shares in the pain. But if you plan to include cybersecurity in your cuts, you’re likely putting your company at risk. 

Economic upheaval breeds a natural vulnerability, which only makes hackers more active. According to Kaspersky, the number of attacks has increased by 3 million in the last year. And a Washington Post headline says it all: “Elevated cyber threats are the ‘new normal.’”

For chief information security officers (CISOs) and their organizations, the question is not whether to cut the cybersecurity budget. It’s how much risk they are willing to take. 

Damaged Security Defenses

Due to COVID, the Great Resignation, and the rise in working from home, chances are your organization’s security was already compromised before the latest market turmoil began. Tech workers resigned in droves; there wasn’t enough talent to replace them. And now you’re connected like never before —  with remote work adding doorways to your data. All of this leaves organizations exposed in ways you might never have considered.  

Then come the changing modes of attack. Twenty years ago, hackers were content with low-and-slow breaches. The idea was to stay under the radar with small, barely detectable sorties. Today they’re striking with speed, disabling as many systems as possible or stealing everything they can in mere seconds. The assaults are coming with such frequency — and such a wider arsenal —  that there’s barely time to deconstruct today’s attack before a new method arrives tomorrow. 

Meanwhile, your cybersecurity is likely understaffed. Lay off a few cybersecurity team members included in a larger cut, and you’re placing enormous stress on the available resources needed to respond. 

Think of your defenses in the way you would a murder investigation. You need detectives, forensic investigators, coroners, and lab technicians, each doing their part. A similar cast is needed in cyber response. If you pull out one or two — or cut their budget for tools — the odds of repelling an attack correspondingly decline. 

In real terms, that might mean using an outdated response plan that hasn’t been properly tested and updated. It could mean dated software defenses that no longer meet the times. It may require employees to assume multiple roles, whether they have the expertise or not. The result: You’re slower and more vulnerable. These are the ingredients for an incident that could easily spiral out of control. 

As a result, your security budget is only discretionary if you’re willing to assume the risk. Not just the risk to your data or public reputation. But to your cyber insurance as well. Last year, premiums rose by 92%. Companies are now finding that without the people and systems in place, they can’t get insurance at all. 

How to Reduce Cyber Risk 

The best defense is a layered defense. You have to protect the on-premises data center, cloud, and Software as a Service (SaaS) applications. You have to guard remote employees working on their own islands. Each requires a specialized approach with the people and technology to handle them. 

The shortage of talent is increasingly moving companies to turn to outside firms to fill in gaps. Yet these contracts also make inviting targets for chief financial officer (CFOs) searching for cuts. Take away your providers, and it’s not much different than bringing the knife to your own security department. 

In trying times, there’s also a tendency to turn to large, name-brand providers. The idea is that they’re better suited to weather the storm. Yet this presents another risk that needs to be reckoned. In short: companies should be sure they’re buying the latest expertise, rather than the biggest name. 

If you have to reduce budgets, be cognizant of the risks those cuts produce. Instead of simply protecting a general dollar amount, CISOs need to outline exactly what each expense buys. Let the CFO know the exact amount that is needed to keep an incident response plan current, and the exact amount that is required to fill the holes with outside help. With this kind of specificity, the risks become clearer: some tasks will knowingly be de-prioritized, and some others simply won’t be done. 

It’s the only way to keep a CFO informed, providing them the data to properly assess exposure. After all, no company has unlimited resources for cybersecurity. There will always be risks. The question is how to know, manage and adapt to the risks for your organization. 

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.