How to Deal With Cybersecurity Budget Cuts

The dreaded edict comes down from above: Due to decreased profits, all departments must reduce costs by 10%, including the cybersecurity team.

As an IT security professional, you know that cutting the cybersecurity budget is a bad idea. But how can you convince the C-suite to do otherwise? In fact, before receiving the directive to reduce the budget, you might have been considering requesting an increase to the budget.

Cybersecurity budget cuts can have a significant impact on organizations. According to a study by research firm Omdia, more than one-third of organizations acknowledge that their cybersecurity posture is affected by budget constraints.

“When I’m talking to CEOs, I often find that they want to do the absolute minimum in terms of cybersecurity to keep their companies out of the headlines, away from lawsuits, and compliant with cyber insurance,” said Bryan Hornung, CEO of Xact IT Solutions, a managed security services provider. “If you’re asking for a new tool designed to stop zero-day vulnerabilities, it is often an uphill battle to convince the CEO to agree.”

Certain situations make it easier than others to present your case. A small percentage of companies are beginning to grasp the connection between budget allocation and comprehensive protection. However, when a company has experienced a significant cyber incident, decision-makers tend to be much more willing to invest in cybersecurity. Yet, spending money on cybersecurity can also foster a false sense of security, noted Maxine Holt, senior director of cybersecurity at Omdia.

Related:Cybersecurity Skills Shortage: How a Focus on DEI Can Help

It also helps to have a CISO or cybersecurity leader who regularly participates in decision-making discussions. Unfortunately, this is not the norm; in many cases, CISOs don’t directly report to CEOs. Most often, they are one level removed from the board or C-suite.

Ciso Quiz Button_0

Making Your Case About Your Cybersecurity Budget

To get your point across, follow these three basic rules: be realistic, do your homework, and speak their language.

Explain technical issues in business terms

Altaz Valani, founder of DevSecOps Mentor, said it’s important to explain potential outcomes if cybersecurity measures are not taken. For example, by highlighting how competitors might gain an advantage or the costs of a breach, you translate technical issues into actionable scenarios with tangible consequences for the business side. “It’s not about pushing an agenda,” Valani said. “It’s about putting it out there and making the business case in a way that offers alternatives.”

Estimate the cost of inaction

You should also outline the cost of simply doing nothing. “Estimate how many clients will be lost and how much reputational damage [your company] might incur,” said Maurice Harari, CEO of The Bid Lab, a proposal consulting firm for small businesses. “People often want to look at cybersecurity as a cost center, but it can be a differentiator, revenue source, and branding opportunity [when] people know you are protecting their data better than your competitors.”

Discuss long-term benefits

In addition, it can be helpful to talk not only about keeping up to date but preparing for the future. Persuade the C-suite to consider the broader context and long-term implications that could affect the organization, Valani said. “Think about something like AI, which has a significant impact on security,” he explained. “It’s something everybody knew was coming down the pipeline, and some organizations have prepared for it by building out capabilities, while others were caught flatfooted.”

Use any leverage you have

Hornung recommended examining your company’s contracts for cybersecurity-related language, which might provide leverage for getting more budget. “If something has changed like a new risk that increases the risk of a breach, use that,” Hornung said.

Highlight regulatory hazards

Another tactic worth trying is to educate decision-makers about forthcoming laws and regulations that could hold CEOs responsible for cyber events. Last year’s FTC decision to hold Drizly CEO James Rellas personally liable for a data breach’s consequences serves as a cautionary example.

“There are laws coming in the next year or two at both the state and federal level, and almost every state has something coming where CEOs are going to be held personally responsible if there is a data breach in their company,” Hornung noted. “It’s going to be a tsunami when it hits, so companies might as well be ready.”

Start the discussion ASAP

As for choosing the right time to request a cybersecurity budget increase or defend the existing budget, there are a few rules of thumb. If the C-Suite requests a cost reduction, it’s time to suit up. Similarly, you must proactively seek a budget increase when the risk of a breach becomes imminent or when a breach's potential damage becomes unacceptably high. Key indicators of a floundering cybersecurity program include operational disruption and customer impact, Hornung said.

Bryan Hornung quote_0

In these situations, increasing the cybersecurity budget isn’t just an option; it’s a necessity. “The risk of permanent damage to the company's reputation and loss of customer trust far outweighs the cost of increased investment in cybersecurity,” Hornung added.

What to Do If Your Proposed Cybersecurity Budget Gets a Strong ‘No’

While not all company boards are made of stone, there are times when minds just can’t be changed. While it’s disappointing, there are steps that cybersecurity groups can take to reduce costs on their own.

1. Evaluate tool inventory and streamline.

It’s an age-old problem: You’re looking to fix the problem of the day, so you buy a tool to do it. Over time, you end up with overlapping tools, or at least tools with overlapping functions.

By identifying synergies among these tools, you can eliminate redundancies, which might add up to serious savings. A comprehensive inventory can also reveal tools that the company no longer uses but still pays for. And when taking your inventory, don’t hesitate to seek an outside perspective. “A lot of these problems were probably created by you,” The Bid Lab’s Harari said. “Having a fresh pair of eyes might be uncomfortable, but it’s a great way to find what you’re looking for.”

2. Take advantage of features in existing tools and subscriptions.

Many SaaS applications offer security features that get overlooked, such as encryption, two-factor authentication, access controls, and more. Checking a box is often all that’s required to turn on those features. Common productivity tools like Google Workspace and Microsoft Office 365 also provide additional layers of security.

3. Outsource cybersecurity functions.

Some resource-intensive security tasks may be more cost-effective when outsourced. In some cases, smaller companies might even consider outsourcing their entire cybersecurity function. You’ll only know if outsourcing makes sense by running the numbers, but it could lead to savings.

4. Negotiate with vendors.

If you’re up against the wall, talk to your existing vendors, especially if you have a long-standing relationship. Vendors often prefer to work with existing customers rather than lose their business. “You only miss 100% of the shots you don’t take,” Harari said. “[Renegotiations] can be worth doing because often initial implementation costs are the most expensive part. If you have already paid for those, vendors can sometimes help you with recurring costs.”

5. Advocate persistently.

Most of all, consistently and firmly advocate for what your company needs.

“Demands are going up faster than budgets, which makes it even more important to continue the conversation with the C-suite about the importance of cybersecurity,” Omdia’s Holt said. “Keep pushing the message about return on security investment and value to the organization.”