Security Leaders Can Lower Expenses While Reducing Risk

As companies seek to optimize operations and constrain expenses, cybersecurity leaders worry about funding the projects we consider essential. Fortunately, in such an economic climate, we can achieve an outcome that benefits the organization from cybersecurity as well as financial perspectives. Here’s how.

Start by critically reviewing how you’ll spend the security funds; this involves broadening your perspective beyond security. Next, partner with other departments to identify opportunities for them to save money in a way that also decreases the company’s attack surface. You’ll help reduce risk, cut costs, and build goodwill with your colleagues. This way of thinking about cybersecurity brings CISOs closer to the world of CIOs.

Understand the Business Context for Budgeting

Before you can scrutinize your expenses and advise others how they can review theirs, understand why cost reduction is necessary at this specific moment. Consider:

  • What’s driving the need to cut budgets by specific amounts? Why that amount and not more or less?
  • Are some departments or projects retaining or increasing their funding? If so, why them and not others?
  • Which are the most critical business objectives for the organization? Which are less important?
  • Are any efforts eliminated from the scope of the company’s business activities, and why?

Identify the factors driving the need for budget constraints and the broader business context behind these mandates. This understanding will guide your decisions about allocating your funds and how to support other department leaders in their budgeting efforts.

Try a Zero-Based Approach to Security Spending

Regardless of the formal process your company uses for budgeting, review your security expenses using an approach known as zero-based budgeting.

Consider this a thought exercise that assumes zero cybersecurity expenses at the start, then adds expenses to the list with an explicit business justification for each project you’d like to fund. This planning method allows you to avoid the inertia of funding efforts just because you funded them last year. To do this, you may need to work with the finance team to itemize the expenses allocated to security at your firm.

For each expense that you’d like to add to your budget, capture the following:

  • The cost (upfront, recurring, technology, people, etc.)
  • The business benefit to the company (beyond just “stronger security”)
  • The rationale for spending the money now and not, say, a year later
  • The consequences to the business of delaying the expense

This is one way in which you’ll be able to align security expenses with business needs.

When adding items to the list of potential expenses, look for opportunities to achieve similar business objectives with lower costs. For example, by funding an effort to automate or otherwise streamline security tasks, you might redirect your people’s time to other projects or, if necessary, reduce the need for personnel.

Rank the list of expenses according to business impact, then look at what fits into the company's cybersecurity budget. For the items you consider essential that didn’t fit, the details you prepared when crafting the list will allow you to have meaningful conversations with the company’s leadership regarding the tradeoffs of funding or not funding those projects.

Helping the Company Save Elsewhere

While security professionals focus on protecting the organization from threats, our visibility into unnecessary IT assets offers an opportunity to deliver value in another way. We can provide insights that help other teams save money and get the most out of their limited budgets.

Our ongoing efforts, such as vulnerability scanning, asset management, penetration testing, and compliance monitoring, often identify unnecessary resources in the company’s IT fabric that could put it at risk. This includes:

  • Unused software on the endpoints
  • Underutilized SaaS services
  • Stale, unneeded user accounts
  • Unnecessary features in existing software
  • Abandoned, unmaintained virtual machines

When we frame the need to decommission unneeded resources solely from the perspective of security, we’re often met with concerns over the possible need for them in just-in-case scenarios. However, if we highlight the positive financial benefits of such actions, we’re more likely to gain support.

By collaborating with IT and other stakeholders in the organization, we can use the visibility that security provides to identify unnecessary IT expenditures. Disabling, reconfiguring, or offboarding these unnecessary components is good for security because it reduces the attack surface. It’s also good for the organization because it reduces unnecessary expenses.

Finding such opportunities will help your colleagues with their budgeting efforts, earn goodwill, and strengthen relationships. And maybe, just maybe, you’ll be able to allocate some of the savings back to the security department.

Help Lower Expenses While Reducing Risk

The mission of the cybersecurity team involves safeguarding the organization’s data. Fortunately, our visibility and insights can also provide value through cost savings. By understanding the business context for cost restraints, scrutinizing and prioritizing our own expenses, and helping the company save elsewhere, we can lower costs. This is a way to contribute to the organization's business success while reducing security risks.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more