These are tough times for businesses. Is it possible to cut your security costs without putting your company in grave danger?
Research by Neustar found that only half (49%) of organisations have enough budget to meet their current cyber security needs. More than a tenth (11%) only have enough to protect their most precious assets – assuming they can work out what those are. Yet more than a third of IT and security professionals say their budgets will remain static, or even shrink, over the coming year.
If security budgets fall in real terms, where do you start cutting? And is it even possible to make cuts?
"This is not spoken about enough, but the majority of CISO budgets are non-discretionary due to compliance requirements," says Michael Smith, field CTO at Neustar. He points out that many systems – such as firewalls, anti-virus and log management – are not optional, and that regulations oblige many firms to carry out regular audits and assessments.
"The discretionary part of the infosec budget is usually very small, which means a couple of things," says Smith. "One is that the organisation can reduce its budget needs by reducing the scope of what they are trying to protect by using better network segmentation, lowering the amount of data that they hoard, as well as PII tokenisation, or even adopting some components of zero-trust network architecture.
"Another is to look for solutions that help the business to meet or partially meet multiple GRC requirements simultaneously with a single budget item."
Even with these measures, many security departments are going to come under pressure. And lowering spend is something that needs to be approached very carefully.
"A naïve approach is to cut and reduce spend, ignoring or being unaware of risks that might bring," says Adam Brown, managing security consultant at Synopsys Software Integrity Group. "For example, reducing budget to maintain or update platforms, services and applications can in the immediate term reduce spend.
"However, allowing decay to set in, equipment to become obsolete, and software to reach end of life while in service can introduce millions of dollars' worth of risk that cannot be fixed due to obsolescence and lack of support from modern risk mitigation services or software."
Cut salaries?
The large salaries you're paying to those highly skilled (and sought-after) security specialists might also be a tempting target. "Reducing IT staff, while it might make the balance sheet look better, can have a knock-on effect on those staff that are retained," warns Jamie Akhtar, CEO of CyberSmart. "Fewer staff typically means heavier workloads for those that remain, making them more susceptible to security mistakes and more likely to become disillusioned or disgruntled – itself a security risk."
Back to basics
One solution to the issue is to go back to the fundamentals of security. "Go back and look at your cyber security basics – those measures and controls that form the foundation of your security posture," suggests Jon Fielding, managing director EMEA of Apricorn. "Getting those right will create true resilience: the ability to protect against, prepare for, respond to and recover from a data breach."
Find better deals
You should also look at solutions and platforms that offer better value. "Smart managers tend to look for a platform with multiple solutions instead of buying a best-of-breed point product for each need," says Smith. "With a platform, you get the flexibility and some economy of scale… the obvious corollary for this is that if you already have solutions from a platform vendor, you should contact your account team and do a business review with them to cover what your contract entitlements are versus your historical usage."
Be more selective
"Companies don't necessarily have to increase their overall spend to improve security," says Mark Guntrip, senior director of cyber security strategy at Menlo Security. "Focusing on technologies that attackers are blind to – such as isolation-powered security – is a good way to improve security and control costs, as they are less likely to be able to evade detection."
Lean on others
Finally, look beyond your perimeter for solutions. According to Brown: "To make efficiencies, embracing services delivered at scale such as subscription services, is how CISOs can maintain or increase their capability to address and reduce security risks while also maintaining or reducing operational expenditure."
TEXT BY: STEVE MANSFIELD-DEVINE