How CISOs Can Stretch IT Security Budgets

The global annual cost of cybercrime is now an eye-watering $6 trillion. To put this into perspective, if cybercrime were a country, it would be the world’s third-largest economy after the US and China.  

The cybercrime landscape has changed dramatically over the last decade. For example, ransomware was 57 times more destructive in 2021 than in 2015. The average cost of data breaches continues to rise every year. Moreover, the COVID-19 pandemic has changed how we work – more people are working remotely and from their own devices. This means cybersecurity teams have less insight into what employees are doing, and as a result, Shadow IT is becoming an even bigger problem.  

But how do chief information security officers (CISOs) navigate this increasingly hostile cyber threat landscape in a world where IT security budgets are tightening? With the US economy on the brink of a recession, cybersecurity budgets are tighter than ever. As a result, CISOs need to do more with less and develop a new and robust IT security strategy. That’s what we’re going to be diving into today.  

Ways to Stretch IT Security Budgets

1. Get More From Your Existing Tools

As the number of data breaches has skyrocketed over recent years, so have the technologies we deploy to stop them. For example, the average small business uses between 15 and 20 IT security tools, while medium-sized companies use 50 to 60, and enterprises use over 130 IT security tools. But how many of these companies are using their cybersecurity tools to their full potential?  

It’s a good idea to evaluate and consolidate your existing cybersecurity tools. For example, you might find that one tool can do everything another tool can do or that you have a significant overlap in functionality across your arsenal. Getting rid of redundant tools not only saves money but also makes it easier to manage your cyber threat landscape. Or in other words, the more tools you have, the higher the probability of misconfigurations, patch management issues, and privileges and password management issues.  

If you’re unsure just how far specific tools can go, you can ask the vendor for free or low-cost training to help fill in the gaps. Moreover, opening a line of discussion with your IT security vendors can also give you valuable information about what tools can offer heightened protection in the future. For example, you might find that one vendor is imminently about to release a new security feature that addresses a critical security concern in your industry.  

2. Choose Automated Tools

Automation has come a long way in cybersecurity, and it’s even more potent today with cutting-edge technologies like artificial intelligence and machine learning. With automation technology, IT security systems can sense, study, and stop cybersecurity threats automatically and before they escalate into a fully-fledged security incident. Today we see automation, AI, and machine learning deployed across security tools, including network security tools like Network Penetration Testing tools, Network Intrusion Detection Systems, and in other areas like vulnerability management, security logging, and Security Information and Event Management (SIEM).  

However, it’s critical to note that most cybersecurity experts don’t recommend leveraging automation to replace staff. Automation can boost efficiency and reduce human errors, but it’s no match for a highly skilled security professional. Essentially, by investing in automation, your existing cybersecurity staff become freed up to work on more complex tasks.  

3. Make Your Case for More Funds

Getting the funds you need to provide effective network security can be challenging. As a CISO, you’re competing with other senior-ranking IT staff for your fair share of the IT budget.  

According to a Deloitte report, around 6% to 14% of the IT budget goes to cybersecurity for the average business. So, if your team is getting significantly less than this, you might want to consider why. Are your budget decision-makers unconvinced of the need for cybersecurity? Do they have doubts about its effectiveness? And what can you do to prove that more upfront investment is substantially cheaper than a costly cyber attack? 

When you go into budget discussions, you must have a good grip on the data and any upcoming concerns in the industry. For example, during COVID-19, we saw a massive spike in ransomware attacks. And today, Crime-as-a-Service (CaaS) tools are dramatically lowering the barrier to entry for would-be hackers. So much of cybersecurity is about anticipating your opponent’s move and being prepared before they strike. This means you have to pay attention to emerging trends just as much as current threats when detailing your cybersecurity budget.  

4. A More Creative Approach to Staffing

Employees will always be a dominant part of your IT security strategy, but they also make up a significant percentage of organizations’ IT security budgets. So, how do you ensure you’re spending your money wisely while getting the IT security skills you need? 

First, you need to set your sights beyond your local area. Skilled cybersecurity professionals are in high demand, but the talent pool is small. Moreover, the cybersecurity skills gap continues to widen every year. In the era of remote working, CISOs have never been in a better position to recruit security workers from different geographical areas.   

And on the point of the cybersecurity skills gap, companies need to be more creative in combating this issue. What do we mean by this? Well, many HR teams have a poor understanding of the skills or qualifications needed to be an effective IT security worker. As a result, they might filter out candidates without specific qualifications despite this being easy to remedy with training.  

You can recruit people with practical skills or look for people with these skills in-house. For example, technical aptitude, problem-solving skills, attention to detail, communication skills, fundamental computer forensics skills, and a desire to learn are crucial skills that often take a back seat to a specific certification in the recruiting process.  

 Additionally, you might find it’s more cost-effective to outsource parts of your cybersecurity function than to build the perfect team in-house.  

Final Thoughts on IT Security Budgets

The consequences of not investing in robust IT security are clear – costly fines, successful data breaches, and hefty reputational losses. CISOs know this, and so do the wider IT function. However, with an economic downturn looking ever more likely, CISOs will have to get more creative with their cybersecurity budgets or risk being left even more vulnerable.