Cybersecurity budget relies on planning and negotiation
Experts from Gartner and Forrester discuss how successful cybersecurity budgeting during these uncertain times requires planning, research and negotiation.
Established business plans can go awry for many reasons -- a change in corporate strategy or competition, a change in regulations or a change in global workflow because of a pandemic. But, regardless of uncontrollable factors, analysts from Gartner and Forrester said it is possible to create successful cybersecurity budgets.
The pandemic has impacted timelines for cybersecurity spending plans after it led to increased attacks, changes in government mandates, supply chain disruptions and societal impacts, such as the increased shift to remote working, according to Sam Olyaei, principal research analyst at Gartner, who spoke at the 2020 Gartner Security & Risk Management Summit.
"Cost optimization isn't just about cost reduction. Cost optimization can mean contract negotiation, business value optimization, increasing efficiency … or it could very well mean you have to reallocate resources or find alternative ways of achieving the same objective," Olyaei said.
IT managers first need to understand the best way to optimize a budget, and this depends primarily on the state of the business -- whether the organization is looking to cut spending, stay the same or grow. Cost optimization in different scenarios may mean finding the best deals with vendors, reallocating spending or ensuring budgets are spent on the right resources.
Effects of disruption
Changes to a cybersecurity budget may be triggered by an unforeseen crisis or a pandemic, but the reaction often follows a typical pattern, according to Olyaei. First comes the response phase, where the focus is on making sure essential services -- including remote access and control services -- continue to run and, where necessary, cost cuts are made.
Second is the recovery phase, which focuses primarily on developing cost optimization strategies and managing current risks compared to costs.
Last comes the renewal phase, which focuses on future products and services that may help an organization become more efficient and more optimized.
While it is common for companies to look for ways to cut costs in extreme scenarios like a pandemic, organizations tend to fall into three categories that determine how much cutting must be done, if any, according to Paul McKay, senior analyst at Forrester, said at the 2020 Forrester Security & Risk conference.
Companies in industries hardest hit by the pandemic -- like the travel and leisure industry -- may be in survival mode and need to do everything possible to minimize costs, McKay said.
Companies operating in "adaptive mode" have had some disruption. But the situation is not as dire, and the focus is on being flexible to customer needs and demands. Speed and flexibility are key for these organizations, so adopting new software or services may be required to meet the new normal.
In some cases, companies are in growth mode. This is where an organization sees rising demand for services or products and needs to scale up to meet that demand. In this case, security spending might increase.
Creating flexible budget plans
While the effects of disruption can't always be known ahead of time, managers can still create plans for any eventuality, while making cybersecurity a budget priority.
Whether it is an external crisis that affects a cybersecurity budget or decisions from leadership, IT leaders need to be ready, said Thomas Scholtz, vice president of research for Gartner, at the Gartner Security & Risk Management Summit.
"We need to find ways of understanding how the business leaders make investment decisions or change decisions in the organization," Scholtz said. "Then, we can react to that as effectively as possible whenever those changes occur in our organization or in our business environment."
When it comes to security decisions, the primary factors tend to include protecting intellectual property or data resources, preserving brand reputation and trust, complying with regulatory mandates, maintaining physical security or protecting revenue-generating operations.
Gartner's Olyaei suggested IT leaders use a data-driven decision-making process to for a priorities list, based on the following:
- listening in on earnings calls to get a sense of where executives are leading the company;
- analyzing IT data to ensure there is the right amount of staff for each environment; and
- performing risk assessments, controls implementation assessments and process maturity assessments.
With a data-driven security strategy, IT leaders present decisions to the board that are backed with detailed rationale for why they are necessary and why they are the best moves for the company.
Olyaei also noted that budgets must be "adaptable and realistic" so the IT team has budget plans in place for any eventuality.
Part of this cybersecurity budget planning means understanding the risk implications of each security investment. For example, if there is a high amount of security investment in one part of the business that is experiencing low risk, it may be an opportunity to shift some of that security budget to a section of the business that needs more protection.
"Once you understand the business value, you can start making the tradeoff decisions," Scholtz said. "There's an opportunity cost to spending too much in a low-value area."
Negotiating better deals
Creating a successful cybersecurity budget also requires vendors don't add any unforeseen costs. Again, effective preparation and research are needed before entering the negotiation.
Forrester's McKay said the security software negotiation process is generally split into the preparation phase, the actual negotiation itself, and the ongoing performance evaluation of the vendor after the contract has been signed and the product or service implemented.
McKay advocated speaking to peers, analysts and external procurement specialists to understand the market, pricing dynamics and business requirements when preparing for negotiations.
"Occasionally, providers are much more willing to give a discount on implementation services than they are on the core product," McKay said. "Similarly, channel partners can add additional services and have the ability to get higher rates of discount, and the vendor themselves can deliver."
It is also best to check on contract terms early in negotiations, McKay added, because term conditions can sometimes be "so onerous that they make the purchasing experience quite difficult."
Once in the negotiation itself, IT managers need to be aware of phrases that could indicate opportunities or red flags for the process. If a vendor uses the phrase "platinum client," that could be a good sign and show how important that deal is to the vendor, McKay said. On the other hand, if a salesperson asks a business to be a "reference customer" or "marquee client," that might indicate the vendor has no other customers yet.
McKay suggested playing vendors off each other to drive down prices and asking about getting support service included or discounted when negotiating contracts.
"Security software vendors can be quite inflexible over software baselines and contract flexibility," McKay said. "If they're not going to budge on anything, be prepared to walk away."