Right Sizing Your Security Program and Infrastructure
Demetrios Lazarikos (Laz)
January 12, 2023
One of the core elements of maintaining the integrity of your organization is having a security infrastructure that’s able to properly support the business’s design and growth aspirations. Right sizing your cybersecurity program, though, requires determining the optimal configurations that will enable you to efficiently maximize performance and also effectively protect and support the organization.
Working Within the Limits of Your Cybersecurity Budget
“The IT and security functions continue to converge in many companies. In most cloud-native organizations, as well as organizations going through a cloud transformation, the security stack is more complex and, consequently, more expensive than the tech stack, leading to higher security budgets than IT budgets,” notes Steven Martano, a partner in Artico Search’s cyber practice for the 2022 IANS CISO Benchmark Study.
According to Gartner Inc., cybersecurity spending increased by 12% from 2020 to 2021, reaching an estimated market value of $150 billion. Numerous internal and external factors drive this growth in the average security budget. Cyberattacks are expected to persist and to grow in both volume and severity, and some industries, such as healthcare providers, insurance, and financial services, are at a higher risk of attack than others.
Making the most of your cybersecurity budget means not overspending on aspects of security that are not particularly relevant to your organization. Fortunately, enterprise-grade security solutions can drastically lower costs without compromising the quality of your security, enabling you to stretch your cybersecurity budget further against your benchmarking goals for the year.
The Responsibilities of a CISO Under Economic Pressures
The more recent economic and market instability has put cybersecurity investments under greater scrutiny, especially in organizations that are struggling financially and face a higher risk of layoffs. This has increased pressure on the CISO's security infrastructure, both in terms of achieving cybersecurity and privacy objectives and in finding ways to lead the organization's security teams and departments.
Fortunately, the growth and expansion opportunities created by digital business and the shift to remote work have helped expand many organizations' overall revenue while keeping expenses to a minimum. This has freed up more funding for securing digital infrastructure and teaching employees appropriate cyber hygiene while still meeting the required CISO staffing benchmarks.
Preparing for a Turbulent but Highly Skilled Labor Market
One of the primary elements of an optimized and right-sized cybersecurity infrastructure is having a sufficient and skilled workforce to support it. However, in a highly turbulent employment market, that can be hard to always guarantee.
Consequently, when right-sizing your security program management, it's important to design processes that can still operate with a less-than-ideal number of employees. Unfortunately, cybersecurity is becoming an increasingly competitive market for talent, leaving organizations in high-density business areas unable to hire the number of cybersecurity professionals they need for short- or long-term roles.
To secure long-term, loyal employees for your organization, you must be able to offer above-average pay and demonstrate strong leadership. Keep in mind that more than a third of an organization's security budget goes towards staff salaries and labor compensation rather than purchasing or renting software and hardware, so it is important to make sure that this money is used wisely.
When it comes to cybersecurity budget increases, CISOs often find that the increase they received was only half the amount they requested. Even in a scenario where it’s impossible to increase the budget, though, savvy CISOs will be able to make the most out of the security budget with minimal compromises.
“Despite staff compensation being the plurality of the CISO’s budget, most security leaders are struggling to get adequate resources required to fill critical roles and hire backfills from staff attrition,” adds Martano.
The Effects of Remote Work and Size
Employing a higher percentage of remote workers either in the security team or as general employees can radically shift an organization’s budget, as they’ll need a more robust digital infrastructure to support remote access rather than more office spaces.
Meanwhile, smaller firms on average spend a larger share of their IT budget on security, around 23% compared to 7.8% for their larger counterparts. Similarly, companies in high-risk sectors such as tech, healthcare, and business services (even small organizations) spend an above-average 13%.
Conclusions and Recommendations
At Blue Lava, we recommend that CISOs craft a security infrastructure plan well in advance: one that's capable of withstanding unplanned budget and workforce changes. Our security program management platform can help you benchmark your program relative to industry peers and right size your cybersecurity spend by identifying areas of potential over- and under-investment. To learn more about how Blue Lava's platform can help with your cybersecurity budget, request a demo today.