Hands Off the Security Budget! Find Efficiencies to Reduce Risk

Security budgets will benefit from new priorities, streamlined responses rather than wholesale cost-cutting in light of cyberattacks and increased regulatory requirements.

George Gerchow, Chief Security Officer

November 16, 2023

3 Min Read
Blocks spelling out BUDGET sitting on stacks of coins
Source: Tuomas Lehtinen via Alamy Stock Photo

According to KPMG, 91% of US CEOs believe the US is heading toward a recession. Cost-cutting is already going on at many companies.

CXOs looking for ways to tighten their belts may be forgiven for taking a long look at their security budgets, as Gartner forecasts spending on security technology and services will grow annually at 11% over the next four years. However, if the frequency and cost of ransomware and other cyberattacks don't give them pause, rapidly evolving regulatory and compliance requirements should. As a result, many executives are examining ways to streamline and reprioritize, rather than reduce, their security budgets.

Threats Growing in Frequency and Impact

While the pace of ransomware attacks slowed in 2022, they're back with a vengeance. Chainalysis predicts that ransomware payments could reach almost $900 million in 2023, up 45% year-over-year. And the toll of all breaches keeps rising — Ponemon reports the average breach now costs $4.45 million, an increase of over 15% since 2020.

Yet the true cost of a ransomware attack can far exceed the actual ransom. From downtime to system remediation and reputation damage, breaches can negatively impact companies for years. As a result, rather than cutting security budgets, 51% of organizations plan to increase security investments, especially for incident response planning and testing, employee training, and threat detection and response tools.

Game-Changing Regulatory and Compliance Requirements

The Securities and Exchange Commission's recently announced cybersecurity disclosure and reporting regulations should also serve as a wake-up call for many companies. The new rules require public companies to disclose all material cyber breaches within four days. Further, organizations must publish their cybersecurity risk management, strategy, and governance approaches in their annual reports.

It's not just the SEC that is tightening regulations. Next-generation PCI 4.0 is on the horizon, as is FedRAMP Rev. 5. The business costs for regulatory noncompliance are also becoming more significant, as companies should expect increased fines or sanctions. Worse, heightened levels of transparency and reporting mean that breaches (and a company's response) will be made public and analyzed in detail. Organizations without effective, well-coordinated, and compliant security responses may experience reputation damage, customer loss, and lower stock price valuations.

These regulatory changes suggest increased security spending rather than budget cuts. Organizations will need to revamp processes, toolkits, and reporting protocols to improve cybersecurity threat response and their level of security expertise. According to PwC, many companies are ill-prepared for the transition.

Finding Efficiencies in IT and Security Budgets

As an alternative to reducing security budgets, organizations should pursue opportunities to eliminate inefficiencies and extraneous costs:

  • Identify duplication and waste. A detailed infrastructure audit can uncover opportunities to reduce or reallocate spending. For example, are there applications that can be retired or hardware assets that can be decommissioned or consolidated? Can maintenance or licensing fees be reduced or renegotiated?

  • Prioritize for impact. The rapidly changing security landscape means that last year's funded priorities may not deliver the same results in next year's budget. Prioritizing and funding the top issues (and cutting resources for secondary initiatives) can help reallocate security funding for the greatest impact.

  • Accelerate cloud adoption. Moving to the cloud can lower infrastructure costs, reduce management requirements, and speed applications development and rollout times. Cloud migration can also reduce capital and human resource costs.

Combining the NOC and SOC — a Strategic Shift

Transitioning to the cloud places more emphasis on managing software-as-a-service (SaaS), as opposed to traditional infrastructure. Integrating network operations center (NOC) and security operations center (SOC) functions can optimize resource utilization and lower costs. This integration also promotes enhanced visibility and collaboration and provides a broader context for improved incident analysis.

Consolidating the NOC and SOC is a significant change that can affect reporting, organizational structure, and even company culture. It can deliver considerable financial and operational benefits but requires a strong, top-down commitment from the executive team.

Security Remains a Top Priority

While organizations search for ways to cut costs in an uncertain economy, they also face more frequent and destructive cyberattacks and a rapidly changing regulatory landscape. Finding efficiencies and reprioritizing resources, rather than cutting security budgets, can help companies reduce risks and maintain an effective security infrastructure.

About the Author

George Gerchow

Chief Security Officer, Sumo Logic

George Gerchow brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines. His background includes the security, compliance, and cloud computing disciplines. Gerchow has years of practical experience in building agile security, compliance and purple teams in rapid development organizations. These insights make him a highly regarded speaker on topics including DevSecOps, cloud secure architecture design, virtualization, compliance, configuration management, and operational security and compliance. He has been on the bleeding edge of public cloud security and privacy since being a co-founder of the VMware Center for Policy & Compliance and he is also an active Board Member for several technology start-ups and the co-author of the Center for Internet Security - Quick Start Cloud Infrastructure Benchmark v1.0.0 and the MISTI Fundamentals in Cloud Security. George is a faculty member for IANS - Institute of Applied Network Security- and Cloud Academy.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights