With recession looming in the UK, businesses face the prospect of cutting back in several areas to ensure survival. Nothing is off the table and, unfortunately, this can also mean reducing budgets for cyber security.
Amid rising costs and efforts to keep energy bills under control, businesses might need to be creative and seek savings from areas such as cloud computing expenditure and even cyber security. The latter, however, might seem a dangerous prospect, given the rising spectre of cyber threats like ransomware.
Two-thirds (67%) of small and medium-sized businesses (SMBs) spend less than $50,000 annually on cyber security, with 57% fearing inflation will lead to a change in plans, resulting in budget cuts, according to OpenText Security.
This anxiety comes despite a recent surge in cyber attacks, highlighting the need for properly funded cyber security strategy. In fact, it poses the very pertinent question of how can organisations possibly maintain the same level of protection while aiming to slash budgets.
The guiding principles for reducing costs
One does not take a knife to cyber security budgets lightly; there needs to be a handful of guiding principles to ensure basic standards are maintained while the risks are mitigated.
CTO at Global Rubrik MSP Assured Data Protection, Stew Parkin, tells IT Pro one of the things he has witnessed is customers starting to consider reducing the overlap of features and functionalities included within the products they’re buying.
“Companies are often rushed to market to buy as much as they can to fit a specific gap,” he says. “However, these gaps can now be filled by a single or a reduced list of vendors or products. Cost efficiencies are often to be found by the consolidation of licences, but also by the consolidation of skills within the internal teams and security operations centres (SOCs).”
However, Leigh McMullen, distinguished VP Analyst at research firm Gartner, says that he doesn’t see costs going down and the foremost mission for the CISO and cyber security team is to defend the value proposition of the enterprise. “Heretofore that’s been a game whose only possible scores are zero – you don’t suffer an incident – or negative one – you do,” McMullen says. “Instead, leading thinkers are focusing much more on resilience. While no CISO can offer “perfect protection” they can offer increasing levels of resilience and recoverability of the value proposition.”
First steps to reducing cyber security budgets
One of the first priorities for a business when cutting cyber security costs is to try to understand the scope of systems and assets the business is trying to protect. Then, comes assessing the level of risk to those systems, says Martin Walsham, director of Cyber Security at cyber security consultancy AMR CyberSecurity.
“When a business has an understanding of these, it’s then in a good position to look at priorities in terms of budget and effort to manage the highest levels of risk within their organisation,” he says.
He adds there are some key considerations as to when a business should also assess where and how it’s spending the budget, to ensure it’s being spent wisely. There are a number of questions, amounting to a checklist of sorts, businesses should be asking of themselves, largely spanning the very basics.
Building a better password strategy for your business
Exploring the strategies and exploits that hackers are using to circumvent password security measures
Spending large amounts of money on state-of-the-art tools, like AI-powered cyber security software, for instance, makes no sense if an organisation isn’t patching and controlling its configuration, says Walsham. Businesses should also ask themselves if it’s possible to build security into contracts for outsourced services. “This avoids an additional layer of internal costs and ensures third-party contracts are appropriately managed,” he says.
Another issue to consider is if the services and tools the organisation uses represents value for money. Walsham says this may seem simple, but it’s remarkable how many organisations fail to evaluate properly.
Benchmarking against well-performing peers is also important, meanwhile, according to Brian Martin, head of product, strategy, and innovation at cyber security consultancy Integrity360. “We know that benchmarking is crucial to successful security budget allocation. So, once done correctly and analysed, CISOs can then revisit and begin to decide on where they can afford to cut spending, armed with the full picture,” he says.
Which cyber security costs can be saved?
Cutting cyber security costs can be an opportunity to simplify things. Over time, an organisation’s security framework can morph into a complex web of disparate products, according to Mike Fry, security practice director for Logicalis UK&I. Each of these products will have its own costs, suppliers and IT management overhead.
“By taking a strategic approach and working with key vendors with wide capabilities, this can be rationalised down to improve efficiency, reduce IT burden and cut costs,” he says. “In some cases, businesses can reduce their costs by up to 50%.”
Brian Martin adds that, unfortunately, there's no definite figure that can be given for the savings that can be made, as it simply depends on the starting point for any given organisation, their strategy, and their risk appetite.
“However, it’s well understood, for example, that buying a SOC service, or a managed detection and response (MDR) service can cost less than half the amount as compared to building and staffing it in-house,” he counters. ”Vendor negotiations, bundling, and longer-term contracts can often deliver annual savings of more than 10%.”
Don’t compromise on overall protection
Businesses need to get the basics right and upgrade their 360-degree resilience. Organisations are recommended to avoid the ‘lock the door and leave the window open’ approach, which compromises on basic security infrastructure and moulds organisational needs together, says Nehal Thakore, country head UKI at Bosch CyberCompare.
“To create a holistic cyber security strategy, businesses can implement the National Institute of Standards and Technology (NIST) framework,” Thakore says. Based on five key pillars – identify, protect, detect, respond, and recover – the NIST framework helps businesses of all sizes better understand, manage and reduce cyber security risk while maintaining the protection of networks and data, he adds.
“Businesses can better decide the prime areas to invest time and money for cyber security protection,” Thakore continues. “Regular cyber security awareness measures and training for employees is a significant way to ensure overall protection.”
Martin adds, to ensure overall protection, a healthy balance of investment in human involvement and automation is crucial. “This needs to be underpinned with a very clear security strategy and alignment to a security framework which will provide guidance as to what are the essential controls are that cannot be compromised upon."
