Cybersecurity budgets may be on the chopping block. Confusing and contradictory messages about new tariffs and price increases make C-level business leadership anxious. To prepare for the worst, they look at their budgets to trim some excess fat.

Freezing or downscaling security might seem like an easy way out. Investments into cyber don’t necessarily bring immediate ROI, especially considering the sort of resources a security operation demands (time, people, skills). Sure, in the short term, economizing one’s security might turn the quarterly numbers green, but in the long term, security cuts can undermine the revenue-generating potential of the entire business operation.

But what if there was a way to optimize without long-term pain? Security brings a lot of value for a company — it ensures smooth operations, reduces downtimes, and derisks reputation loss via breach prevention. However, maintaining such a resource also necessitates upkeep costs (service, training, audits, etc.), which might not be as pronounced with a cost-optimized and more mature outsourced service. It’s time for businesses to decide whether they want cybersecurity to remain a capital expenditure (CAPEX) or become an operational one (OPEX). Here’s why.

Key points of this article:

  • Amid constant economic uncertainty, businesses these days are looking to cut costs to stabilize their market position.
  • Cybersecurity budgets are a likely target, as on its own, cybersecurity is often seen as a cost center. It doesn’t generate revenue; rather, it supports the revenue generation of a company. The effects of security are felt especially during or after an attack, where an absence of resilience can turn annual expenditures redder than red.
  • Cutting the security budget is not the way to go. Many SMBs are already struggling to protect themselves, while enterprises could introduce gaps inside their complex environments by downscaling their defense efforts.
  • Rather than cut the budget, reassess the business’ environment and look for a security service (an MSSP or vendor-supplied MDR) that matches its requirements without piling on potential internal expenses.

When to go for managed security?

Minimizing the attack surface holistically means addressing all the potential security gaps, which is literally looking for needles in a haystack. While also dependent on a business’ size, this kind of trouble comes threefold:

A) Smaller businesses can hardly cover all their needs on their own, with inexpert or understaffed security teams left overstretched.

B) Larger businesses such as multinationals often suffer scaling-related security gaps which can hide in plain sight due to the dynamic environment of an enterprise and the enormity of the bureaucracy it can create.

C) For both, their security budgets might not allow for enough flexibility to match their security to their scope. Add to this inflation-induced cost increases and a weekly economic seesaw, and you get the recipe for a potentially huge security gap.

Of course, some comprehensive security platforms, like ESET PROTECT, can ease security professionals’ lives with their simple yet fast security decision-making capabilities.

At the same time, many businesses still underutilize these platforms (especially when they lack a cloud dashboard), meaning they’d be better off using additional external services to fully realize the platforms’ capabilities than investing further internally. With an MSSP’s help, for example, the security invested equals the value received, getting more out of protection than going at it alone.

Dealing with security gaps

Taking all the previous points in, it’s easy to see why it’s so difficult to make the case for appropriate cybersecurity budgets to the C-Suite. However, the proof is in the pudding, as they say, and if infamous security failures aren’t enough to convince your CFO not to cut the security budget, then perhaps it’s time to pivot to something that can save on costs without compromising company protection.

An outsourced security service could do the trick. Usually, outsourcing has been pursued to save on costs while driving further efficiencies. This works in cybersecurity as well, sidestepping resource-intensive processes (like hiring, upskilling, maintenance) and converting the security investment into almost immediate returns.

Thus, going for an MSSP to upgrade a business’ security posture can help achieve a higher level of security without added costs. With an MSSP, for example, an SMB could very well enjoy the protection of an external SOC, with trained experts on call. However, do SMBs need enterprise-level SOC protection to ensure business continuity and data security? It depends. Some considerations may include who your customers are, and if you belong to a sensitive supply chain.

Consider the level of cyber protection you require

Businesses need to be smart — their security could stretch from endpoint devices, through electronic systems and data management, to the whole network and server architecture, with cloud systems becoming more and more relevant. Such complexity calls for constant attention and high-grade protection to cover every possible security gap. Downscaling protection therefore would open a massive can of worms (perhaps even literally), so it’s wise to keep complexity in mind while thinking about budget cuts.

The larger a business is, the more protection and investment it requires — in other words, a size-appropriate security budget. As organizations grow, their complexity grows at an even faster rate, and this leads to a disproportionately large attack surface. Recognizing this is essential, as according to some studies, a data breach incident could cost upwards of $4.4 million per event — bleeding out an enterprise while fatally wounding an SMB.

Cyber insurance and regulatory compliance should also be a matter of consideration. The former’s conditions can be rather stringent and necessitate specific security features and certifications, like Vulnerability and Patch Management. The same goes for compliance, as the requirements to fulfill some standards can be rather strict — such as the data security provisions of GDPR in the EU or of the CCPA in California.

Thus, companies often look to MSSPs to oversee their security complex while fulfilling insurance or regulatory criteria, as they operate and hold both the required technologies and certifications, effectively transferring security liabilities to the service provider. This is another reason why cybersecurity outsourcing can make sense.

Outsourcing can start with picking an easily scalable endpoint product

If a business does not find the idea of outsourcing their security to an external party inviting, there is another path to traverse — relying on their security vendor.

Familiarity breeds contempt, except when it comes to cybersecurity. Technically, by deploying a security product onto business endpoints, leadership has already placed an extensive amount of trust in the hands of their defense partner. Going a step further, asking for continuous service cements said trust while considerably upgrading company security posture.

At the same time, it might work to cut redundancies in the cybersecurity budget, recession-proofing it for the future. Why invest in costly training and hiring (especially when multiple local salaries could be beyond HR’s budget) instead of going straight to where the value lies?

With a service like ESET PROTECT MDR or ESET PROTECT MDR Ultimate, enterprise-level security has never been easier (and cheaper) to achieve, covering all the bases with a stack of security solutions that are capable of filtering out advanced threats proactively, 24/7, in a manner much akin to having a high-level SOC — without the associated costs.

Higher returns, lower costs

Security costs go further than the initial investment — especially when one’s dealing with in-house options. However, with an external service, such costs are mitigated, as it’s no longer the business’ responsibility to tackle likely additional spending on personnel or maintenance (unless a business already has an internal security team).

The good news is that picking the right security option is still better than having none or relying on an underfunded or understaffed team. Whether a company opts for an MSP/MSSP or a security vendor-powered security service, the result will be the same – a safety net capable of delivering positive ROI for the business, its partners, and above all, its customers, even in an economically uncertain age.
