
02:00 PM
Mark Darby

Don't Slow Cybersecurity Spending: Steer into the Skid with a Tight Business Plan

We all know there are slippery conditions ahead, which is why it's never been more important for organizations to maintain and even increase their spending on cybersecurity.

We can all agree that, on paper, it's a gloomy scene right now — an economy-stunning pandemic and now global civil unrest. Is it any wonder businesses the world over are tightening the purse strings? Gartner estimates a $6.7 billion overall decrease in spending for software and services for 2020. Forrester is echoing forecasts of spending pauses. If you're a professional facing a freeze against key security projects and hires, you need to arm yourself with persuasive arguments that benefit the bean counters.

Whether you're an information security-focused entrepreneur like me or a cybersecurity specialist, drastic reductions in spending in the sector should give you pause. The twin crises of a pandemic and global civil unrest represent fertile ground for bad actors. A sudden remote workforce due to COVID-19 is putting everyone's information security to the test, while global unrest brings with it the threat of physical as well as cyber-risk. In the race to meet ever-expanding security demands, it has never been more important for business continuity to take a holistic approach to your budget.

But you're a cybersecurity professional. This shouldn't be news to you. The real conversation to be had is how to make a business case that leaves no room for doubt that your projects are a resource priority within your organization. When you're influencing budget decisions around cybersecurity spending, there are several gears to shift.

  • Revisit your asset portfolio and risk assessment: We're experiencing unprecedented and growing levels of risk. Online threats have increased sixfold since the pandemic began, with phishing attempts soaring by more than 600% since the end of February. The World Health Organization has reported a fivefold increase in cyberattacks in recent months. Without a robust and joined-up approach to information security in place, you'll be open to supply chain disruption and reputational damage. Nobody needs that given the ambiguity of our current times.

  • Acknowledge the value of your talent: ISC.org suggests a supply gap of nearly 3 million cybersecurity positions. These folks are in demand and hard to retain. If they walk, their knowledge goes, too. A continued, dedicated investment in information security retains talent. A commitment to the highest possible global independent standard proves you're serious about what drives them and protecting their professional reputations as well as your data.

  • Spot the opportunity: Your organization needs to focus on growth as well as threat protection. While piecemeal investments in operational security might keep daily threats at bay, they don't contribute to the growth of the business. Buyers are more nervous than ever, and information management protocols based on recognized standards from organizations such as the International Organization for Standardization and the National Institute of Standards and Technology will likely give your organization an advantage when competing for business.

When pitching for your security budget, leverage support from those within your organization — as well as customers, partners, and supply chain — who'll see the benefit. Your public relations department will appreciate a positioning "good news" story, particularly if a competitor or player in your vertical has experienced a recent breach. Your colleagues in sales will always welcome additional selling points, like being able to demonstrate certainty around processing customer data.

Arm your CFO with a solid business case that he or she can confidently present in your absence. A respectable forecast against spending never fails to influence decision-makers in the right direction. Like most entrepreneurs, I've learned lessons the hard way, burning through money on poorly considered projects, wasting time, and investing in old ways of doing information security management that actually slowed growth.

One of the most valuable lessons I learned through hard experience is to apply a zero-based budget view for any proposed activity. This is still the approach my growing team takes when recommending spending decisions within our business and supply chain. It ensures we're continually interrogating our return on investment, ensuring, in turn, that our operational expenditure remains lean and effective.

We all know there are slippery conditions ahead, which is why now is the time for organizations to maintain and even increase their spending on cybersecurity, where that investment shows the return. Effective control and collaboration within your supply chain reduces risk and overall cost while improving business continuity and resilience. Those who make considered spending choices now will steer into the skid and find themselves ahead of the pack as they emerge into the new normal and beyond.


Mark is the CEO and founder of Alliantist and author of the business book Alliance Brand: Fulfilling the Promise of Partnering. With a background in business collaboration, organization development, and change management, Mark went on to develop cloud-based security system ...

Michelle McCarthy
User Rank: Apprentice
7/5/2020 | 11:13:47 AM
Re: Interesting
Agreed Ryan, it can be difficult. However, what I'm taking away from the article - and from what I understand of the landscape - is that strong cybersecurity brings with it significant business advantages, which should help make the case. Advantages that need to be pitched as absolute 'must haves' for business resilience and growth potential as we climb out from the current economic pause. Certainly, demonstrable commitment to cybersecurity makes an organization more attractive to do business with and therefore more competitive when it comes to tendering, winning contracts etc.

The zero-based budget approach is an interesting one to me. Many organisations operate a complicated framework of legacy systems when it comes to cybersecurity. It's possible that by stepping back and re-engineering existing systems, savings could be made while at the same time bolstering security. Applying some zero-based scrutiny of systems already in place could kill two birds with one stone. 
User Rank: Ninja
6/30/2020 | 10:57:01 PM
This article was an interesting approach. I guess it truly depends on how the pandemic affected your business bottom line. There were many good points in here but it can be difficult to make a cybersecurity pitch if your revenue was adversely affected due to the pandemic.