5 tips for cutting budgets in a crisis without hurting security

Information security has long had the reputation of being unstaffed and underfinanced, and that was before COVID-19. Under the current economic downturn, pressures have become even greater, with research company Pulse reporting on June 4th that 23% of security budgets are currently frozen and that 49% have been reduced.

So when the CEO asks you to cut that already under-resourced budget, where should a CISO start? More specifically, is there a way to make these cuts that can keep them from becoming permanent once the economic downturn is over? CSO connected with consultants, vendors and CISOs for their top tips:

1. Identify overlaps in tech

In the golden triangle of people, process and technology, start by looking at tech — namely, the software the company already has. Leo Taddeo, CISO and president of Cyxtera Federal Group, says, “Look for areas where innovation has created efficiencies.” Since many tech vendors are constantly adding new features, there may be overlaps now that didn’t exist yet at onboarding. Take your current endpoint protection suite for example; Taddeo says it may also provide significant antivirus protection, adding “If a CSO is incurring costs for both, then this is an area for cost savings.”

Work with other departments to see what technology they use. Identifying shadow IT has always been a struggle, so start with known systems, especially ones that are more widely used. Taddeo says, “There may also be capabilities in an existing platform, like Windows 10, that allow a CISO to mitigate risks by simply switching on a security feature.”

Wherever you find it, removing tool redundancy is a cost-savings measure you’ll probably want to keep even after budgets go back to normal. As Greg Touhill, president of zero-trust network access solutions provider Appgate Federal, says, “CSOs should always be looking for opportunities to be more effective, efficient and secure — pandemic or not.”

2. Renegotiate vendor contracts

For the tools your department keeps, try eliminating costs by “re-engaging with your vendors in order to ensure you’re getting the best price possible,” says George Gerchow, CSO of Sumo Logic, an analytics platform. “Right now, every vendor is desperately trying to protect their customer base, so point solutions will have to lower their price to compete with suite solutions,” he says, meaning suite solutions are likely to give a license discount.

Jeff Hausman, general manager of security operations for vendor ServiceNow, recommends teams shift away from perpetual licensing to a subscription model, if they can, to give budgets flexibility.

“Platforms that charge for data usage will have to get creative on charging by data type, and frequency of searches,” says Gerchow.

CEO Mark Orlando at service provider Bionic provides similar counsel: “Scale back on any technology license that is based on data volume or [an]other variable metric. Look for ways to reduce those licensing costs by cutting data feeds that aren’t actionable or have become stale — or at least consolidating and co-terming those support contracts to find overlaps and get temporary payment relief.”

If vendors won’t negotiate, both Hausman and Gerchow recommend transitioning to open source alternatives.

3. Use technology to lower people-related costs

Of the many difficulties associated with having to cut a budget in today’s environment, there may be one positive. Hausman says, “This is a great time to automate the drudgery out of security operations.” All that manual work that takes too much of your team’s time? Well, if your CEO is open to spending a little to save a lot, this may be your change to make the case for buying that automation tool you’ve been wanting. Hausman says, “There’s low-hanging fruit with task automation and process orchestration.”

Hausman recommends CISO’s apply the 80/20 rule, a business theory also known as the Pareto Principle that states 80% of results come from only 20% of efforts. Hausman says to ask, “What are the top five ways your team spends their time?” Do these activities align with company and departmental goals? “Off-the-shelf workflows can safely tackle specific areas such as data collection, prioritization, [and] incident consolidation and remediation assignment,” he explains.

This tip may be especially helpful with implementing zero trust, where Touhill says new innovation in software-defined perimeters, for example, advances strategy “while helping to slash operating costs, as they enable you to retire elderly, manpower-intensive technology such as virtual private network (VPN) and network access control (NAC) systems” — an interesting idea at a time when Pulse data shows VPN’s as this May’s most common “new budget item” for 36% of cybersecurity teams.

Spending of any type may not be what the C-suite wants to see right now, but if the boss is open to creative thinking, try leveraging human resources funding for any open security positions by making the case for software that reduces departmental work. Some tools can be pricy, but is the overall cost to the company more or less than salary plus benefits for a new hire? Plus, this tip may also help you set a precedent for purchasing other wish-list tech when budgets do come back.

4. Be careful with lay-offs

If you’re looking to cut budget, unfortunately layoffs will do it, with June job loss data showing more than 30 million Americans out of work during the pandemic. In cybersecurity, the June Pulse survey shows that 48% of data security teams “reduced headcount because of COVID-19” during April or May and that 40% plan to let people go before November.

Bionic’s Orlando says, “Losing skilled team members will have lasting impacts on team morale and hamper future recruiting efforts, so staff cuts should be a distant last option for security leaders who want to maintain some kind of capability once the crisis passes.” 

At some point, the economic crisis that came with COVID-19 will be over. Making employees work overtime while they deal with health concerns, childcare issues, and the worry they might be laid off next doesn’t foster loyalty. As Touhill points out, personnel, training and licensing costs make up the bulk of most security budgets. Employees who grow to hate you now may very well quit post-COVID-19, increasing personnel and training costs for their replacement hires. Remember, the goal is to find ways to cut the budget now without hurting security in the future.

5. No matter what, remember your goals

Going back to Hausman’s remarks, it’s important at all times for security leaders to keep their goals in focus. In determining today’s or any cuts, Orlando says the general strategy is the same: “Break down the security team charter to a molecular level and decide what you can afford to lose and still get the job done.” At the end of the day, sticking to that single guiding strategy will tell you what should — and should not — be cut.