
Lean and Mean: Cutting Cybersecurity Costs Without Cutting Corners

Published 09/16/2024


Originally published by CXO REvolutionaries.

Written by Rob Sloan, VP, Cybersecurity Advocacy, Zscaler.


Deciding on the appropriate amount of funding for information security in the upcoming year is a tricky task. Despite gross domestic product rising, low unemployment, and falling inflation, there are still concerns about a broader economic slowdown. Chief information security officers must find the most effective approach to balancing the competing demands of strong cybersecurity and limited budgets.

Survey data from IANS Research showed 67% of 2024 budgets were set to increase, albeit by smaller margins than in previous years. Retail and tech companies were most likely to experience budget declines. Spending on cybersecurity cannot increase forever though, and a strategic approach to cost-cutting is crucial to avoid compromising the organization's security posture.

There are essentially two strategies CISOs can pursue to cut costs, which can be undertaken independently or in parallel: run leaner operations and optimize the security investments already made; and/or delay or abandon investments in new technologies.


Optimizing existing operations

The first approach assumes the existing security stack has grown quickly and capability overlap occurs; by thoroughly reviewing the tools available to the team and underutilized features, there is potential to get rid of individual point solutions or reduce the number of product licenses.


Ideally, this exercise should be conducted annually to avoid unnecessary costs; however, it may not produce significant savings and may not reduce the number of vendors a CISO must deal with. The logical next step to explore is vendor consolidation.

Many organizations accumulate a sprawling array of cybersecurity tools from various vendors over time. By consolidating and embracing platform-based approaches, CISOs can streamline their operations, reduce licensing costs, and simplify the management of their security infrastructure. Reducing the total number of vendors also saves CISOs precious time as the total number of relationships they need to maintain decreases.

Some savings may also be found by outsourcing specific functions, such as security operations, vulnerability management or compliance support, to managed security service providers (MSSPs). In a tight labor market, leveraging MSSPs can be a cost-effective alternative to in-house staffing, and is especially useful for companies that struggle to access cyber talent due to location or the ability to offer competitive salaries. MSSPs allow organizations to access specialized expertise without the overhead of additional hires.


Short-term investment for a long-term gain

Businesses must also consider upfront investments to make greater savings in the longer term. Implementing artificial intelligence and automating routine security team tasks will require short-term spending, but can play a significant role in driving efficiencies.


The security operations center (SOC) is where AI and security automation are often most effective, because of the volume of data that must be processed and the often-repetitive nature of the tasks analysts are asked to perform. AI can sort through masses of data more efficiently to find patterns and indicators of attack that humans could never find manually, then enrich the alerts and prioritize them. For some types of alerts, automated actions could be taken, allowing analysts to focus on the issues that need a more nuanced response.


Savings potential from zero trust

Similarly, implementing a zero trust security model, which treats every access request as untrusted and requires strict authentication, can contribute to substantial savings. A zero trust architecture allows an organization to remove legacy firewalls and VPNs, and cuts public cloud transit costs; it offers gains in operational efficiency and reduces the time needed to manage security; and can enhance productivity from direct-to-app connectivity.

Zero trust also shrinks the attack surface, which lessens the likelihood of a breach. Should a breach occur, zero trust prevents attackers from moving laterally within a network, which reduces the possibility of damaging incidents such as ransomware. In addition to avoiding the costs and disruption of an attack, the business can also access favorable terms when buying cyber insurance, an area where costs have rocketed over the past three years.

A focus on maximizing the most effective deployment of existing capabilities should lead a CISO towards a careful examination of the return on investment of cybersecurity initiatives. At a time of budget scrutiny, articulating the business impact of security measures in terms of risk reduction, cost savings from preventing security incidents, and alignment with regulatory compliance is paramount. More importantly, communicating to the chief executive, chief financial officer and board in business risk terms means a greater likelihood of engagement and support.



Delaying new spend

The second approach that technology leaders can take is to defer or cancel non-critical cybersecurity investments. However, this path requires collaboration and open communication with management and the board.

CISOs must clearly set out the potential risks associated with delaying specific security measures to enable informed decision-making about acceptable risk levels. How have existing risks changed? Does the organization now face new risks? Is the organization still able to defend itself from the most likely attacks? Will the decisions result in disruption to any strategic initiatives?

When deferring investments, it's crucial to prioritize based on the organization's risk appetite and the potential business impact. CISOs should focus on addressing the most pressing cybersecurity threats and risks, while postponing investments in areas that may have a lower impact on the organization's overall security posture or strategic business plans.

According to Sam Curry, Zscaler’s CISO in Residence, cyber is as much a business function as any other. “It starts with aligning to business drivers, optimizing spend and leading change,” he said. “Deploying funds more effectively and with more agility up-levels every security game.”

Curry believes some CISOs are more adept than others at cost-cutting: “As with most disciplines, we need the peacetime, incremental managers,” he said, “but the real advances come with the wartime, transformation managers who are willing to think tabula rasa, to go back to basics, to throw out the sacred assumptions and to remember the first principles of cybersecurity.”


Ring-fenced spending

By striking the right balance between optimizing existing resources and strategically deferring investments, technology leaders can navigate the challenges of an economic downturn while maintaining a robust security posture for their organizations. However, there are some investments that CISOs might wish to avoid cutting. Among them: development for the cybersecurity team and cyber awareness training for staff.

Continuous development of the cybersecurity team is important because while getting ahead of the attackers is not possible, keeping up with them is critical. There is also a secondary benefit: employees typically value training and development highly, which can help with recruitment and retention.

According to Verizon’s 2024 Data Breach Investigations Report, 68% of security incidents involved ‘the human element’, which reinforces the need for regular cybersecurity awareness training for the workforce. By educating staff about phishing and other security risks, the number and severity of incidents caused by users is reduced. Having an effective cyber awareness training program demonstrates the business is taking steps to educate the workforce and can be especially important should the business be affected by a data breach.


A long-term mindset

In times of flat or decreasing budgets, maintaining robust cybersecurity means an end to unchecked spending. By optimizing existing resources, leveraging advanced technologies like AI, and making strategic decisions about which investments to defer, organizations can protect their security posture without breaking the bank.

The key to successfully making efficiencies without jeopardizing security lies in planning with a long-term mindset and clearly communicating risks to the C-suite and board-level stakeholders.

“It’s in lean times that CISOs learn why they are actually doing the job,” said Curry. “Not only can we be more secure, but we can break the tradeoffs and give money back to the business, improve user experience, and make IT more supportable.”