How to manage risk and ensure security on a reduced budget?
The business world is feeling the pinch of the global recession, and as companies look for ways to save money, many are cutting security budgets to stabilise their bottom lines.

While streamlining budgets can be necessary, the danger of reduced spending is that companies can become vulnerable to providing a sub-standard service, shrinking their customer base and perhaps most crucially damaging their reputation and leaving themselves open to security risks.

This week's report found that only 49% of organisations currently have enough budget to meet their current cyber security needs. Yet, over 33% of IT and security professionals said that their budgets would remain static or be reduced over the coming year, which is an actual reduction as inflation continues pushing up prices for external services and equipment.

For organisations where risk, governance and controls spending is lower than it may have previously been, it is now vital for risk professionals to look at cost optimisation to ensure that companies remain protected from security risks through effective budget management.

What is cost optimisation?

Simply put, cost optimisation means using the funds available to achieve the most significant impact for the least money spent. However, this can be a tricky balancing act for chief information security officers (CISOs) as some budget line items, such as firewalls and anti-virus software, are essential for compliance regulations.

Often, CISOs have a minimal amount of budget left with which to be creative. Still, anything they can optimise will help, and there are some recommended strategies to help achieve cost optimisation.

Cost optimisation strategies

In the first instance, it is advisable to have an audit of the current security situation with regard to whether the fundamentals of security systems are up to scratch, as this can save money and reduce risk in the long term. If the right foundations are in place, an organisation will be better positioned to protect against a data breach, be resilient, and make a swifter and more effective recovery if the worst happens. Getting the basics right optimises the budget and can reduce unnecessary spending further down the line.

As well as looking at the structure of systems, it is also worth shopping around for a good deal on the essentials. With new cyber security providers entering the market daily, better deals may be found, freeing up some budget for other uses. In addition, as part of the audit process, ensure that longstanding tools and services remain fit for purpose as risks evolve. No one wants to pay huge chunks of their security fund for a platform that only performs half the functions they need as requirements change. Products are only worth the money if they reduce risk to the level the organisation requires. If a gap analysis shows that a service is not value for money, you can negotiate a better deal or seek an alternative, more cost-effective solution.

Equally, CISOs may want to review if systems align with the business's risk tolerance. Spending a budget on complicated cyber security when the company might be comfortable with a slightly higher risk would be money wasted, which could be spent elsewhere.

Finally, prioritising risks is vital. Determine which technology must be paid for first to protect the business and then look for ways to save money in other areas, such as automating or outsourcing certain functions such as password reset.

Beware of false economy

Having the right foundations and the most intelligent technology to match your organisation's risk requirements can go a long way to optimising your budget. However, business leaders should be mindful of making sweeping cuts to workforces or salaries.

While cutting back on staff spending can seem like an excellent way to save money, the benefits can be short-lived and increase risk. Teams with reduced numbers are likely to have to take on a heavier workload, making mistakes more likely and therefore increasing the risk of security issues. On top of this, professionals working at capacity, potentially with reduced or frozen salaries, are more likely to experience burnout and seek alternative employment. This can cause a retention headache, which can, in turn, increase risk through the loss of experienced talent and increase costs through the need to recruit new staff. This all goes against cost optimisation, which is about making the 'best' use of the budget available: cutting staff focuses only on immediate cost savings, not overall cost efficiency.

Also, when it comes to filling vacancies or building a new team on a tight budget, it is crucial to have the right talent with the full mix of skills and knowledge needed to manage the risks at hand. This can mean hiring for experience rather than en masse, so finding the right individuals can take time and effort. Once again, although there can be cost savings to be made with a blanket advertising approach, in reality this can create a very lengthy and labour-intensive process, which is not a good use of a limited budget and resources. Instead, employing a specialist head-hunting service with dedicated risk and IT recruiters can save companies time and money in the long run, and the right candidate can be found and on-boarded more quickly.

Overall, managing security on a reduced budget is likely to be a significant factor affecting organisations as we move through 2023. With careful cost optimisation, risk professionals may find a safe path through this rough economic patch.

If you are a risk or tech security professional or your company is looking to grow its tech, risk and governance teams, contact McGregor Boyall today and find out how our expert recruiters can help you.