Having to do more with less is a common quandary for any industry or department. When cuts have to be made, companies look for any opportunities, and sometimes limited funding can significantly impact operations and performance. Cybersecurity budgets are not immune from this. Even though organizations understand the gravity of investing in cybersecurity, they often have no choice but to curb spending.
As a result, you may not have the resources to hire more team members, adopt new tools, or complete major projects like migrations. It’s not a comfortable place for any cybersecurity leaders, but it’s also not something that has to paralyze your strategies and development of employees.
Let’s look at the state of cybersecurity budgets and how changes in the way you manage your team can help you do more with less.
The State of Cybersecurity Budgets
Overall, Gartner predicts that spending on security will increase by 11% through 2026. However, that’s a macro-level perspective. What’s happening inside your organization may not reflect this. You could actually see slight increases in your spending capacity, but that doesn’t mean you have “enough” budget. Factors like inflation and the need to be more competitive with compensation can quickly eat up any new dollars.
Additionally, more cyber spending doesn’t make threats or risks disappear. Using your budget strategically, however, may reduce them. There aren’t enough dollars in the world to stop the bombardment of cyberattacks companies face every day. That’s especially true for SMBs with smaller budgets and less human capital. They are often the target of hackers, as illustrated in the Verizon 2023 Data Breach Investigations Report, which documented 699 incidents in the prior year at companies with fewer than 1,000 employees.
SMBs are more likely to face limited budgets. Rising costs across operations hit their spending harder than they hit larger companies. No matter the size of the company or its capital, tightening budgets are a growing concern. So, how can you focus your spending on the areas that matter?
Where to Focus Your Company’s Limited Cyber Budget
There are several categories worth investing in to ensure systems stay secure. Those can include both human and machine intelligence. These are my recommendations for any SMB that needs to make the best decisions regarding cybersecurity spending.
Controls That Can Successfully Defend Against Threats
In order to know what controls will deliver the best ROI, you have to assess your threats and vulnerabilities. A risk assessment is a good first step in deciding on budget allocation. Once you have a picture of your position and the threat landscape, you can make data-driven decisions about controls.
Knowing more precisely how a hacker might try to infiltrate can guide you to the controls that work best for those scenarios. A risk assessment is a good place to start, or to restart, cybersecurity efforts. Then you have to compare the categories of controls you want to employ, looking at their features, costs, and other factors.
When building your tech stack, you’ll also have to consider the people you need to lead the efforts around controls and do further analysis based on the data. When choosing those team members, assess their soft skills the same way you assess their hard skills. Leading such a project requires great communication, collaboration, perspective, and flexibility. Technical people often struggle with these things, so much so that it can increase your risk.
Next, you’ll finalize recommendations and move forward with procurement.
Protecting Public-Facing Applications
Whatever is in the public domain can be risky in cybersecurity. Exploiting vulnerabilities in these assets is the most common initial access technique hackers use. This part of your digital footprint is also what the business side depends on for awareness, lead generation, and revenue. It’s a tricky situation that can often put different departments on opposite sides of the argument. There are ways to resolve this, and it points to another place to spend budget money: web application penetration testing.
Web application penetration testing is a method of simulating cyberattacks that attempt to access sensitive data. The test assesses all elements of your web applications: the architecture, design, and configuration. It covers anything delivered over the internet through a browser interface. Hiring a firm to perform these tests should be on your budget list. Depending on your industry and compliance requirements, you may do them twice a year or more.
There are different options for web application penetration testing: Black Box, Gray Box, and White Box. The difference is the level of access the ethical hackers have. Most start with Black Box because the testers know nothing about the company, so they’re just like hackers looking for public-facing information to exploit.
The more exposed your company is in the media and digitally, the more you could be at risk. So, earmark the budget for these exercises. Make sure they deliver the best value by remediating what the testers find and having conversations about how to avoid these things in the future. Conversations like these are essential for people to become better at their job and more connected to it.
Building More Redundancy to Deepen Your Defenses
The next area that should be on your budget is redundancy and contingencies. Ransomware is a bigger threat than ever, and SMBs have had their share of situations. The best defense will be prevention, which you’re investing in with controls and pen testing. These dollars are all about the “what-if” scenarios.
These redundant capabilities should have no connection to your main network. Keeping them separate is the best way to avoid malware spreading to them. Most attacks spread throughout the entire enterprise. Attackers rely on command and scripting activity, which you can monitor for in order to detect and respond to the threat.
Within this category of spending, you’ll have cloud computing, monitoring, hosting, and other fees associated with having redundant operations. Make prudent decisions about what needs to move over and what doesn’t. Work through scenarios and threat contingencies with your team to make decisions.
Behavioral Tracking with Advanced AI
AI is weaving its way into cybersecurity in many ways. Much of what AI can do is monitor and spot patterns or anomalies. The technology is advancing, and AI can now analyze data collected regarding online behaviors. Tracking the behavioral movements of hackers seems a little futuristic, but it’s the next logical step. This technology is really augmenting your team. The AI cleans up the data and gives raw results, which your team can decipher to continue to understand attack methods and defend against them.
There’s another way that AI is worth investing in with your budget.
Automation Increases Productivity and Has a Strong ROI
Automation tools that assist with managing, validating, remediating, and tracking your security should be on your budget. They leverage things like RPA (robotic process automation) and AI to deliver digital robots that can do a lot of manual, repetitive tasks so your people can focus on more strategic work.
There are many different things that you can automate. You’ll need to understand your end goal and the processes related to it to determine what to adopt. Some categories include:
- Software updates for devices connected to the network
- Tracking asset posture
- Monitoring and alerting
- Network Intrusion Detection Systems (NIDS)
- Network Intrusion Prevention Systems (NIPS)
- Security logging tools
- Data aggregation
When selecting automation tools, focus on the most labor-intensive processes that rarely deviate. Get feedback from your team on the tasks they’d most like to move to automation when deciding where to spend these budget dollars.
Investing in Your Team in Traditional and Nontraditional Ways
Using cybersecurity budget dollars to upskill, train, and certify your staff is always a wise investment. For one, they become better at their job. They also can appreciate the acknowledgment that they are worth upskilling, which can support longer retention and less turnover. You can do this with those at all levels, from junior roles to senior ones. Cybersecurity is a dynamic, ever-changing ecosystem, and your good guys need to be learning more ways to outwit the bad guys.
Along with technical skills, you should consider helping them develop soft skills. They pay off just as much as hard ones. When technical people are better communicators and have greater awareness, everyone can be more efficient and effective. In such a high-stress environment, people who have people skills are immeasurably valuable.
So, how do you develop technical people into excellent communicators and collaborators? The Secure Methodology™ is a concept I created that includes seven steps to do just that. This kind of investment in people demonstrates that you want them to be successful and contribute. It’s a great framework for any cybersecurity leader to adopt. You don’t need a huge budget to do this. You’ll likely invest more time, but it’s worth the work. The return on this investment is positive for your people and the business’s ability to mitigate risk.
You can learn more about it by reading my book, The Smartest Person in the Room, and checking out the Secure Methodology Course.