Hands Off the Security Budget! Find Efficiencies to Reduce Risk
Security budgets will benefit more from new priorities and streamlined responses than from wholesale cost-cutting, given the rising frequency of cyberattacks and the expansion of regulatory requirements.
According to KPMG, 91% of US CEOs believe the US is heading toward a recession. Cost-cutting is already going on at many companies.
CXOs looking for ways to tighten their belts may be forgiven for taking a long look at their security budgets, as Gartner forecasts spending on security technology and services will grow annually at 11% over the next four years. However, if the frequency and cost of ransomware and other cyberattacks don't give them pause, rapidly evolving regulatory and compliance requirements should. As a result, many executives are examining ways to streamline and reprioritize, rather than reduce, their security budgets.
Threats Growing in Frequency and Impact
While the pace of ransomware attacks slowed in 2022, they are back with a vengeance. Chainalysis predicts that ransomware payments could reach almost $900 million in 2023, up 45% year-over-year. The toll of breaches in general also keeps rising: Ponemon reports that the average breach now costs $4.45 million, an increase of more than 15% since 2020.
Moreover, the true cost of a ransomware attack can far exceed the ransom itself. Downtime, system remediation, and reputation damage can weigh on a company for years after the incident. As a result, rather than cutting security budgets, 51% of organizations plan to increase security investments, especially in incident response planning and testing, employee training, and threat detection and response tools.
Game-Changing Regulatory and Compliance Requirements
The Securities and Exchange Commission's recently announced cybersecurity disclosure and reporting rules should also serve as a wake-up call for many companies. The new rules require public companies to disclose a material cybersecurity incident within four business days of determining that the incident is material. Further, organizations must describe their cybersecurity risk management, strategy, and governance in their annual reports.
It is not just the SEC that is tightening requirements. PCI DSS v4.0 is on the horizon, as is the FedRAMP Rev. 5 baseline. The business cost of noncompliance is also growing, as companies should expect larger fines and sanctions. Worse, the heightened transparency and reporting mean that a breach, and the company's response to it, will be made public and analyzed in detail. Organizations without an effective, well-coordinated, and compliant security response may experience reputation damage, customer loss, and lower stock valuations.
These regulatory changes argue for increased security spending rather than budget cuts. Organizations will need to revamp their processes, toolkits, and reporting protocols to improve threat response and raise their level of security expertise, and, according to PwC, many companies are ill-prepared for the transition.
Finding Efficiencies in IT and Security Budgets
As an alternative to reducing security budgets, organizations should pursue opportunities to eliminate inefficiencies and extraneous costs:
Identify duplication and waste. A detailed infrastructure audit can uncover opportunities to reduce or reallocate spending. For example, are there applications that can be retired, or hardware assets that can be decommissioned or consolidated? Are there overlapping security tools covering the same control? Can maintenance or licensing fees be reduced or renegotiated?
Prioritize for impact. The rapidly changing security landscape means that last year's funded priorities may not deliver the same results next year. Funding the top issues, and cutting resources for secondary initiatives, reallocates security spending to where it has the greatest impact.
Accelerate cloud adoption. Moving to the cloud can lower infrastructure costs, reduce management overhead, and speed application development and rollout. Cloud migration can also reduce capital and staffing costs, provided the migration is scoped and governed so that the savings are not consumed by unmanaged consumption or by security gaps in the new environment.
Combining the NOC and SOC — a Strategic Shift
Transitioning to the cloud shifts the operational emphasis from traditional infrastructure toward managing software-as-a-service (SaaS). Integrating network operations center (NOC) and security operations center (SOC) functions can improve resource utilization and lower costs. The integration also improves visibility and collaboration and gives analysts broader context for incident analysis, since network performance events and security events are frequently two views of the same incident. Shared tooling should not, however, collapse access boundaries: security investigations still require data and privileges that routine network operations should not hold by default.
Consolidating the NOC and SOC is a significant change that affects reporting lines, organizational structure, and even company culture. It can deliver considerable financial and operational benefits, but it requires a strong, top-down commitment from the executive team.
Security Remains a Top Priority
While organizations search for ways to cut costs in an uncertain economy, they also face more frequent and more destructive cyberattacks and a rapidly changing regulatory landscape. Finding efficiencies and reprioritizing resources, rather than cutting security budgets, can help companies reduce risk and maintain an effective security program.