Getting creative about identifying threats and mitigating risk is even more necessary these days, when every dollar counts. In fact, Gartner has revised its 2020 security spending forecast and is predicting a much smaller increase in spending -- 2.4% growth as opposed to the 8.7% growth it projected in December.
With spending getting tighter, executive management and boards will want to ensure security leaders are making the most of the budgets they are given in 2020.
"To make their dollars stretch, CISOs need to focus cybersecurity purchases on solutions that will enhance processes, integrate with their wider security ecosystem, and offer automation that can free up resources," says Gidi Cohen, CEO and founder of Skybox Security.
The Edge spoke with security managers for their recommendations on how to optimize security programs and improve efficiency – without sacrificing integrity.
Recommendation #1: Adjust Budget for Remote Work
Work-from-home arrangements are not predicted to end anytime soon. A separate Gartner survey found 41 percent of employees are "likely to work remotely at least some of the time post coronavirus pandemic." And that changes the threat landscape. Research from BitSight found 45% of remote office networks observed malware in March alone, compared with 13% of corporate networks.
If it hasn't already been locked down, long-term support and security for the remote workforce is one of the smartest ways to allocate budget – now and in the foreseeable future, says Jeff Hausman, ServiceNow VP & general manager, ITOM, Security & CMDB.
"Priorities need to take into account changes in the attack surface given increased volumes of remote workers and the use of greater cloud services," he says. "Many companies are calendaring renewal dates for tool licenses and building a strategy to have fewer vendors carry more of the work. By thinking about this now with an eye to execution throughout 2021, they can free up budget to accommodate the need for savings, as well as covering the expanding attack surface."
Recommendation #2: Let the Incident Response Plan Guide New Investments
What's the most effective way to identify what could be most vulnerable in today's largely remote workforce environment? Simulate a worst-case scenario.
"If you don't already have a clear, documented, and tested incident response plan, create one," says Bill Swearingen, cyber strategist at IronNet Cybersecurity. "Find an example of a really bad day for your organization and exercise how you would respond. Organizations often find critical omissions from the incident response plan in these exercises, such as legal, marketing, and customer service."
Once businesses have had a chance to reassess what risks they may face now, they can be more strategic about which tools and services to invest in this year.
Recommendation #3: Assess Areas That Can Be Ditched and Replaced
Now is also a good time to take a fresh look at potential redundancies and areas of bloat, says Shuman Ghosemajumder, global head of AI at F5 and former "fraud czar" at Google.
"Many cybersecurity investments don't have their benefit quantified," he says. "Measuring the actual benefit you get from various tools will result in you eliminating some products and technologies, but probably spending more on others."
Also, keep in mind that any new investment is an opportunity to retire old solutions that no longer make sense, says Gregory Touhill, the country's first federal chief information officer and currently president of AppGate, Federal Group.
"I don't buy any tool that doesn't help me retire at least two others, costs a fraction of the previous tools, and boosts my security posture," he says.
Recommendation #4: Maximize Vendor Relationships
Let's be frank: Vendors are trying to cover their own expenses during uncertain times. Security leaders should consider them another resource in the effort to save money for their organization. During these times, vendors are often willing to negotiate to acquire new customers and keep their existing customers, says Ed Bellis, CTO and co-founder of Kenna Security and former CISO of Orbitz.
"Even if you just renewed a given service, one lever you have to work with is the length of subscription," he says. "If you're happy with the service but looking to lower your monthly or annual rate, talk to your vendor about extending the length of your commitment. You can often get discounted rates if you're willing to make a longer commitment."
Recommendation #5: Make Adjustments to Teams
Security staffing continues to be a challenge. Of the more than 2,000 cybersecurity professionals surveyed by ISACA for its "State of Cybersecurity 2020" report, 57% said they have unfilled positions, and 62% said their security teams are understaffed.
Budget constraints certainly won't make this situation better, so it is a good time for CISOs to readjust teams to reflect the skills that are essential now. As network infrastructure takes on a more hybrid state with the move to cloud, Skybox Security's Cohen says it is critical to flesh out teams with members who understand how these environments intersect.
"As companies move deeper into initiatives such as digital transformation, they need to also ensure they're transforming their security teams, bringing on new members with diverse skill sets or ensuring current teams continue their education for this new technological wave," he says.
And because it is often so hard to bring in new talent, it's worth evaluating existing team members and offering them opportunities to train and learn the skills needed now.
"Look to upskill team members from reactive, hardware, and operations-based positions to forward-looking proactive software and analytics positions focused on big data analytics, data science, and proactive investigation of potential new threats," advises Michael O'Malley, VP of strategy at Radware.
Recommendation #6: Automate Wherever Possible
Events that are common, repeatable, and do not typically require human interaction are targets for automation, says IronNet Cybersecurity's Swearingen, who advises security managers to look for other manual tasks where technology can take over.
"Events that should rarely happen are a high target for automation," he says. "For example, alert the security team if a domain administrator user is added."
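The rare-event alert Swearingen describes, written out as an added example (not code from the article or from IronNet): a small detector that scans Windows Security log records and raises an alert when a member is added to a privileged group. Event IDs 4728/4732 and the SubjectUserName/MemberName/TargetUserName field names are real Windows values; the sample records themselves are constructed.

```python
"""Alert on additions to privileged groups in Windows Security events."""
from dataclasses import dataclass

# Windows logs a group membership addition as event 4728 (security-enabled
# global group, e.g. Domain Admins) or 4732 (security-enabled local group,
# e.g. the built-in Administrators group).
MEMBER_ADDED_EVENTS = {4728, 4732}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass(frozen=True)
class Alert:
    actor: str    # account that performed the change (SubjectUserName)
    member: str   # account that was added (MemberName)
    group: str    # group that was modified (TargetUserName)


def alerts_for(events):
    """Return one Alert per event that adds a member to a privileged group.

    `events` is an iterable of dicts using the EventData field names found
    in an exported Security log record; unrelated events are skipped.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue  # routine group change, not worth an alert
        alerts.append(Alert(actor=ev.get("SubjectUserName", "<unknown>"),
                            member=ev.get("MemberName", "<unknown>"),
                            group=group))
    return alerts


# Constructed sample records (not real log data) covering a logon, a
# Domain Admins addition, a harmless group change and a local admin addition.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example",
     "TargetUserName": "Sales"},
    {"EventID": 4732, "SubjectUserName": "admin2",
     "MemberName": "CN=tmp-contractor,OU=Users,DC=corp,DC=example",
     "TargetUserName": "Administrators"},
]

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS):
        print(f"ALERT: {a.actor} added {a.member} to {a.group}")
```

In practice the alert would be routed to the team's ticketing or chat tool rather than printed; the filtering logic is the part that replaces a manual log review.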
Recent research from the SANS Institute found adoption of automation technologies increased 12% year-on-year, but Hausman says some security teams are still very far behind and can benefit from investments in this area.
"There's a shocking amount of manual work in security, and it isn't the exhilarating, 'Sherlock Holmes' investigative work," Hausman says. "Look for people still using spreadsheets, for starters. Most companies target the volume drivers for their security team: phishing, malware, vulnerability management, and access management. They automate enrichment, scoring, assignment, and remediation handoffs."