Building a comprehensive cybersecurity strategy that results in a cyber-resilient organisation can be a challenge with minimal resources. CISOs traditionally haven't had the biggest budgets, and cybersecurity departments are often underfunded.
A 2022 report revealed that 44% of IT professionals working in SMEs expected their budget to be cut in the next year. With today's market pressures and economic uncertainty, many organisations, particularly smaller ones, need to remain profitable while still being able to grow.
This means budgets will be heavily scrutinised, making a CISO's job even harder. But it's not impossible. By focusing on key considerations and ensuring dollars are spent effectively, even a small cybersecurity and IT department can make a big impact on managing cybersecurity threats and risks.
We put together this guide on how to maximise your budget and resources for comprehensive cybersecurity.
The cybersecurity talent gap has always posed a challenge for organisations. Demand for cybersecurity talent is simply too large as more and more organisations invest in their risk departments. Earlier this year, the shortage of cybersecurity workers tallied up to 3.4M, a new record. The result is a huge talent gap that is only getting bigger.
Even when companies are able to attract talent, turnover rates in cybersecurity departments are high. Employees are often burned out and much of the best talent goes to cybersecurity firms.
The CISO's move: While it might seem advisable to raise salaries in the hope of attracting top-tier cybersecurity talent, it's a better move to provide training programmes and promote from within. Salaries may remain the same, but recruitment spend will be much lower and you'll be able to manage the recruiting process with more focus.
You may also want to consider working with cybersecurity partners who can help fill in the talent gaps and amplify your current department’s efforts. This brings us to our next point.
Security leaders can easily fall into the trap of making up for a small team by increasing the number of vendors and security tools. While some tools may help (we'll discuss how to choose tools in the next section), there are diminishing returns, and if you overload your department you may actually increase your organisational risk and hurt departmental performance. This is especially true if you end up using advanced tools that require specific training and knowledge. The likely outcome is a tool used at only half of its potential, which is not a good use of budget.
More tools usually mean more maintenance, alerts, actions, and information. This can lead to data and alert overload, fatigue, and ultimately burnout. An overwhelmed team may miss a crucial alert or detail that is an indicator of compromise (IoC). Having too many tools results in a slower and less productive team.
The CISO's move: Talk to your team to understand what they need, and pay attention if they say more tools might affect their performance. Focus on communication and transparency, and build the trust necessary for your team to be honest with you.
If you are in the market for a few tools, our next section will go over how to find the ones that are right for a smaller department (and tighter budgets).
While overwhelming your team with tools can be risky, that doesn't mean you should forgo them altogether. Instead, set key priorities and considerations for assessing tools, so that the money you spend can be measured and is making a significant impact on your company's cyber resilience and proactive efforts.
The CISO's move: When assessing a new vendor, tool, or partner, make sure it helps with one or more of the following:
It's hard to protect your environment and data if you don't have a clear view into them. Tools that offer detection and visibility help you keep track of sensitive data, assets, systems, and devices, and they improve your other cybersecurity initiatives.
ROI can be a tricky thing to measure for cybersecurity leaders, but consider this: the average cost of a data breach is $4.35M, with much of that cost resulting from investigations, litigation, and costs tied to response and recovery. If you invest in tools that reduce your risk of an attack and shorten your response and recovery time, you may be able to quantify the potential money saved.
Consider this a step to take after you have more visibility into your environment. You'll now need tools that can detect and respond to potential compromises or attacks. These tools can also alert you to potential risks, misconfigurations, and breach attempts.
To ensure you're maximising the effectiveness of any new tool, ask yourself: "Will this help my security department do their job better?" Does it automate tasks that are currently done manually, or amplify your security team's efforts? Essentially, you're looking for tools that save time and/or optimise your team's current security tasks, whether that's threat hunting, security telemetry analysis, or detection and response.
Ultimately, as you're putting together your 2023 budget, your spending needs to be justified in terms of reducing the risk of attack and compromise, managing inadvertent compromises (such as data leaks), and improving response and recovery efforts.
If your organisation does suffer an attack, the longer it goes undetected, the more expensive the attack becomes. A study found an average difference of over $1M between organisations that took more than 200 days to detect and contain a threat and those that detected and contained it within 200 days.
By focusing on proactive efforts, you'll be able to make the case for an effective budget and follow through with a stronger cybersecurity strategy.
To improve your visibility and detection efforts, we recommend considering Metomic. Metomic is a data discovery tool that gives teams comprehensive visibility into their assets and data across the cloud and throughout your organisation's SaaS and software partners.
Metomic can help companies reduce their chances of leaking sensitive data while also detecting whether an organisation has been compromised by looking for indicators of compromise.