Strategic Management of InfoSec Budgets–How to Make The Right Investments

by Merleta Mohr, Virtual Chief Information Security Officer, CISSP

January 8, 2024

Merleta Mohr Right now, IT directors worldwide are looking ahead to 2024 and trying to calculate their current cybersecurity expenditures. Moreover, how will they quantify expenses in 2024? How will they justify increasing the budget, and how much more is needed? According to the latest forecast from Gartner, the average budget will increase by 14 percent with additional expenditure on cloud security, identity access management, and infrastructure protection.

Considering the giant leaps forward in AI-based technology, cloud productivity, and distributed workforce management, none of this is shocking. Yet, it begs the question: Is there any way to save money on cybersecurity, and how will I know?

My answer is maybe—but the real question should probably be, “How do I know I am spending my cybersecurity budget efficiently?”

There’s two ways to look at your cybersecurity—and only one will help you with your budget

IT directors and the management controlling their budget tend to fall into two different schools of thought when under budget pressure.

On one side, you’ll find the teams who take a tactical approach. They look at all their cybersecurity line items, get out their red pens, and try to determine what can be removed, bundled, or replaced with a newer, better, more promising solution. This may help the budget in the short term but can lead to long-term issues when protections fail, capabilities are duplicated, and the company’s security infrastructure isn’t positioned to scale. This approach overlooks the most vulnerable and volatile threat surface – People.

Other IT leaders and their leadership teams take a more strategic approach. They examine how their IT security infrastructure impacts the company’s business goals. They rethink procedures and align KPIs with the organization’s goals. Suddenly, it becomes much easier to see what’s important, what’s not, and where your money should be spent. As a bonus, strategically minded IT leaders have rock-solid reasons for every line item in their budget when the process is done.

Read on if you’d like to take that strategic approach with your IT budget. Following are five innovative ways a sound IT strategy can save you money and time in your IT cybersecurity operations.

InfoSec budgeting: Five ways to strategically align your cybersecurity operations

The best savings and efficiency improvements come when you change how you think about your cybersecurity. Here’s some of my top advice for changing your mindset.

#1—Start with risk

How does your organization manage risk? What risks are you trying to mitigate, and who owns the mitigation? What assets are we trying to protect, and what is their business criticality? What qualifies as an asset in your organization? What is the risk tolerance of your Executive Management, Board of Directors, and Stakeholders? How are your initiatives directly aligned with their priorities and objectives?

When you ask, how can I justify or quantify expenditures? The answer is RISK.

The big questions many companies ask regarding 2024 can impact your cybersecurity spend.

How resilient is your vendor lineup and supply chain?
What compliance or regulatory requirement will you need to meet?
Do you expect your infrastructure traffic to go up or down?
How robust is your physical security?
Is the nature of the cyberattacks you’re receiving changing? Are employees trained on how to recognize and report suspected threats?
Will you still qualify for cyber insurance coverage? What can be done to manage the increase in premiums?

When you’re done, risk aligns your cyber security operations with the company’s overall business goals. The opportunity for intentional and informed management of cyber expenditures becomes clear.

#2—Reconsider how you present your KPIs

The adage “you can’t manage what you can’t measure” is just as important in cybersecurity as it is in any other part of your operations. Nearly every IT leader has the task of presenting IT metrics to their C-suite, whether it’s a yearly budget discussion or a more regular update on deliverables. Chances are, you’ve got your standard charts and graphs ready.

Yet are these numbers the metrics your leadership truly cares about? In my experience, most IT leaders report on the “IT tangibles” that show the breadth of their work. Patches executed. Licenses bought. Cyberattacks repelled. Onboards. Offboards. These are all perfectly valid but show what is being done—not why.

If you want leadership buy-in on your efforts, find ways to create IT metrics around the company’s larger business goals. For instance, if you know the goal for the company is to expand into new territory and grow revenue by 20 percent, then show how your network investments are improving speed and making it possible to deliver a higher level of customer service.

Ask yourself, how can I align my deliverables with what my leadership wants? You may be surprised at where the answers take you. You may find efforts that can be stripped away or areas where you’re under-resourced. Either way, you’ll be able to ensure your IT cybersecurity budget is as tight and justified as possible.

#3—Align cybersecurity to your usage patterns

This point is very similar to the last one I just made. As part of your risk assessment, you should ask the big, strategic question: do I have enough cybersecurity protection to cover the traffic on our systems?

Specifically:

Do I have enough backup capacity to duplicate all my current traffic, plus at least 25 percent more for emergent situations?
How much data would I lose in the event of a breach? We generally recommend one hour or less recovery point objectives, so no more than one hour of data is lost.
How fast can I get my system running again if it goes down? At what point would an outage turn critical for my business? Make sure your disaster recovery plan is aligned with your organization’s needs. In most cases, we recommend disaster recovery programs that can get your business up and running again within two hours.
Is our remote staff protected, as well as our staff that’s working on-site?
Are my remote login protocols double-verified and up to NIST standards?
Is my company planning on entering a new industry vertical, operating in a new country, or pursuing new customers that require a new cybersecurity certification, like CMMC or HIPAA?

All these questions create an excellent opportunity to view your cybersecurity operations with fresh eyes. The answers could help you eliminate programs that no longer serve you and upgrade for the future.

#4—Broaden your cybersecurity scope

If you’re looking for savings in your cybersecurity operation, it may seem counterintuitive to broaden your cybersecurity focus. Infosec budgets, however, are judged by the incidents you avoid. So, if you’re hoping for the most efficient cybersecurity budget possible, it pays to evaluate all the things that are adjacent to or feeding into your IT infrastructure, such as:

Vendors who interact directly with your portals or supply chain
Protections for your customer portals
Your existing SaaS apps and the data they pull from your systems
HVAC and electrical systems that support your networks

You may find areas that need upgrades or old protections that are outdated. It’s a good place for critical analysis and a way to close significant cybersecurity gaps for your organization.

#5—Examine your Cybersecurity and Disaster Recovery Policies

How good is your cybersecurity documentation? Would your staff know who to call in a disaster or breach and what to do? Would your employees and IT partners work together efficiently to handle the complex reporting, mitigation, and backup recovery tasks? Is there a written process in place for how to deal with cyberattack mitigation? Do you have training and fair usage policies available to employees?

Written procedures and policies are critical to your cybersecurity operations because they will determine how fast and well your organization responds to threats. Good documentation will also save you money on your cyber-risk insurance and speed up the time to prepare for regulatory review.

A good vCISO can help you find the gaps in your documentation. It may take a little investment of time and money in the front end to get all these procedures on paper, but good policies are one of the fastest ways to save time, money, and headaches.

In the end, the thorough cybersecurity plan is the cheapest

All this sounds like a lot of work, and it is. However, investing time to review your cybersecurity thoroughly will pay off years down the road. Once you’ve aligned your operations, making changes and upgrades, there is much more clarity to chart the path forward. If you do a risk analysis every six months to a year, you can stay one step ahead on your cybersecurity budget and planning. Your leadership can be confident and secure in the knowledge that you’re spending your cybersecurity dollars the right way, on the right thing. And isn’t that all any IT director can ask for?

Keep reading

Six Signs You Don’t Have Enough Cyber Risk Insurance Coverage

You did your due diligence years ago, purchased cyber risk insurance, and made reasonable investments in all the right cyber security tools. Surely, you're prepared for anything that comes your way, right? Maybe yes, maybe no. Regarding your cyber risk...

SharePoint Intranets: Your Secret Weapon for Internal Communication in 2024

Technology has broken down the walls between the office and home, with more than 40 percent of employees in 2023 working in some hybrid or fully remote arrangement, according to FORBES. Fortunately, SharePoint intranets are coming to the rescue with inexpensive,...

vCIO vs. vCISO: What’s The Difference?

Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...