How IT leaders can stretch their cybersecurity dollars

It’s the perennial complaint in cybersecurity: There’s never enough resources to go around.

That could mean money—only one-half of companies have sufficient cybersecurity budgets to meet their needs, according to a recent survey by Neustar International Security Council. Or it could mean talent, with survey after survey finding that there just isn’t enough personnel.

Either way, CSOs and other cybersecurity leaders often find themselves in the unenviable position of having to stretch limited resources as far as possible. That’s why, in many cases, consolidation has become the name of the game.

If you can’t go big, outsource. A 2021 poll by cloud provider Syntax found 83% of IT leaders with in-house security teams were considering outsourcing functions to a managed service provider. Cybersecurity-as-a-service (CSaaS) providers argue that most organizations lack the sufficient security operations expertise to handle an incident effectively on their own.

Kyle Falkenhagen, chief product officer at Secureworks, told IT Brew there has historically been “a lot of downward pressure” on cybersecurity spending due to its perception as a cost center and the difficulty of quantifying risk reduction. He estimated that the average organization spends somewhere in the ballpark of 5% of its budget on IT, and 10% of that sub-budget on cybersecurity.

While network and perimeter security is now commoditized and cheap, Falkenhagen told IT Brew, tools that detect new threat vectors and attack surfaces are not. Other major costs can include endpoint detection and response vendors, as well as security information and event management (SIEM) solutions involving large amounts of data from different security solutions.

“You’re retaining that data for both log management and forensic use cases, as well as detection,” Falkenhagen told IT Brew. “And when you’re talking that volume of data, it can very quickly increase the cost of the overall solution.”

Some large organizations can afford to take “a best-of-breed approach, where they’re identifying all of the individual security controls that they want, they’re going out, they’re doing RFPs for each of those individually,” Falkenhagen said. “That’s incredibly expensive in terms of the overall solution cost, as well as the costs or the indirect costs with managing the complexity of that environment and all of the different vendor relationships.”

Most organizations are best served by focusing on impact and probability, according to Falkenhagen. As most attacks are opportunistic, the number of attacks on industry peers and the costs they suffer due to incidents are good indicators for how an organization should set its risk profile.

Consolidation with a managed detection and response (MDR) provider—of which Secureworks is one—can lower costs by leveraging economies of scale, Falkenhagen said. For example, many MDR providers already include extended detection and response (XDR) platforms, which can replace expensive SIEM. Garter has projected that around one-half of organizations will be relying on some form of MDR by 2025.

Public sector challenges. These problems can be even more acute when it comes to public-sector organizations. For example, school officials have long listed cybersecurity as one of their highest edtech priorities, according to the State Educational Technology Directors Association (SETDA)’s 2022 trends report, but just 6% of respondents said states provided adequate funding.

As SETDA executive director Julia Fallon pointed out to IT Brew, schools are juicy targets not just because they control large amounts of sensitive data but because student users are still learning basic cyber hygiene.

“You can’t do it alone,” Fallon told IT Brew. She said one method of stretching limited cybersecurity funds and personnel is leveraging connections with other districts in cooperative service models and joint training agreements. Fallon also recommended recognizing cybersecurity as a front office rather than a side function of IT departments, emphasizing that public sector entities have to prioritize mitigation in response to surging cyber insurance rates.

“The preventative measures are much less expensive than the after,” Fallon said. “You’re mitigating risk. That’s all you’re doing. And it’s a layered approach, depending on your circumstances.”