As we head into Cybersecurity Awareness Month and continue to emerge from the constraints of the global lockdown, organizations are reviewing the lasting impact of the pandemic. Unsurprisingly, the result is tight fiscal control, with CFOs adopting a freeze-everything, spend-by-exception-only policy.
Is this the correct stance? My long-held position on this is that it will be a very short-sighted business leader who rows back on essential security spending at a time when cyber risk is more acute. Attacks are increasing and many workforces are operating a hybrid office-home-both-undecided approach to location.
A recent Sophos-commissioned survey of 5,000 IT managers across 26 countries reported that 51 percent of organizations had been hit by ransomware in the previous 12 months, and that the attackers succeeded in encrypting data in 73 percent of those cases. Attacks on data held in public clouds were the most successful. So the need for security is clear.
But how do you quantify the impact of an attack, and, perhaps more importantly, how do you justify committing scarce, much-in-demand budget to a risk that is hard to quantify?
I expect security budgets to continue to come under intense scrutiny, discretionary spending to practically disappear, and for CFOs to insist on thorough, demonstrable return on investment models before giving reluctant approval.
What’s next
So where are budgets headed? Certainly only in directions where the cost can be justified as mission critical and a return on investment case can be made. Expect to see more contractor hires; outsourced service contracts whose prices are closely monitored and regularly renegotiated; freezes on non-essential contracts such as training; an end to non-essential travel; and, unfortunately, the inevitable layoffs, with the associated pressure on salaries across the sector.
Will this be a short-term reaction? I hope so.
I also believe that it will provide a realignment of spending into areas where real value is derived. All too often we have seen enormous software implementations undertaken without regard for security by design. In a world where cyberattacks are another cost of doing business, and where the pandemic has accelerated the move to digital transactions across all sectors, security is no longer just a nice-to-have. It is a core component of any software purchase.
Making your case
Security leaders will need to learn the language of the business in order to explain the relationship between necessary security spending and key performance indicators, alignment with strategy, and cost-saving initiatives.
As cutbacks continue, effective management of resources will be key, but not at the cost of leaving organizations exposed to attack or reputational damage.
Risk management is now top of mind as organizations continue to tighten their belts, and investments are targeted to areas that can add to the bottom line. Security needs to demonstrate it is ready and able to be a core component in rebuilding a more secure and prosperous economy.