It’s hard to find a CISO or cybersecurity leader who has the money they need to pay for all the work they want to do.

A majority of CISOs (57%) said they expect to see an increase in their cybersecurity budgets over the next one to two years, according to Deloitte’s Global Future of Cyber Report, but that still leaves plenty of security chiefs without more money for the upcoming year. Many already say budget constraints are an issue.

Some 36% of enterprise leaders surveyed for CompTIA’s State of Cybersecurity 2025 report listed “lack of budget” as a factor complicating cybersecurity initiatives, making it a top challenge second only to the skills gap. The same percentage of respondents said they’re challenged by difficulties getting needed funds and budgets that are flat or decreasing. Another 14% said it’s difficult to even determine cybersecurity allocations.

Consequently, many CISOs are looking for ways to trim costs without cutting staff or service levels. Even those who are more comfortable with the budgets they have say they’re always looking for ways to be better financial stewards by lowering costs without impacting services or, conversely, improving security without spending more.

“In most cases, you have to do the best you can with what you have,” says Stephanie Hagopian, who, as vice president of physical and cybersecurity solutions at tech sales and advisory firm CDW, leads a team of consultants advising CISOs.

Hagopian and others say there are strategies that CISOs can use to save money without lowering services or reducing headcount. Here they offer seven ways to do that.
David Chaddock, managing director, cybersecurity, at digital services firm West Monroe, advises CISOs to start by ensuring or improving their cyber governance to “spread the accountability to all the teams responsible for securing the environment.”

“Everyone likes to say that the CISO is responsible and accountable for security, but most times they don’t own the infrastructure they’re securing or the budget for doing the maintenance, they don’t have influence over the applications with the security vulnerabilities, and they don’t control the resources to do the security work,” he says.

That makes determining the total cost of ownership for security controls a difficult task that often goes undone, Chaddock explains. However, he says that by ensuring strong governance CISOs can determine those costs and create visibility into who is accountable for what work at what cost.

“That forces all the stakeholders to come to the table with the total cost of ownership for security, and that allows security to do better budgeting and planning. It also gets some of the accountability and costs off of security’s budget, and that means [the CISO] can be more efficient with the money security does have,” Chaddock says. “CISOs then can make better decisions so they don’t get into a situation where they’re budgeting for x but paying y.”

Furthermore, he says getting a true total cost of ownership helps align security and business teams to shared goals, helping to drive down inefficiencies in security work and surprise costs “because everyone is asked to agree on what needs to be done.”
2. Optimize and rationalize
Attila Torok, CISO at tech company GoTo, says he is keeping costs in check by optimizing what he already has in place, leaning on one of the most tried-and-true cost-control methods in business.

He’s assessing whether existing tools are used to their fullest potential and, if they’re not, how they could be optimized to strengthen security, so those products deliver more value without adding new costs to security’s tab.

Torok also is examining whether his security team can use existing tools to solve newly identified security requirements rather than buy a new product to do that work.

He is also rationalizing his security operations, looking for redundancies in security capabilities so that he can shed excess tools to reduce both vendor bills and the extra costs that come with managing more complex environments.

Shawn Murray, a board member at Information Systems Security Association (ISSA) International, says he has seen optimization and rationalization save significant dollars. He recently worked with a client CIO/CISO at a global company that had accumulated many redundancies following a stretch of growth that brought multiple new offices into the company.

“They were paying lots of money for multiple technologies where one technology could take care of their needs,” says Murray, who is also president and CAO at Murray Security Services.

Murray says this company worked with a broker to inventory its technology assets so it could efficiently trim superfluous capabilities. He notes that although the firm focused on rationalizing IT capabilities, and not necessarily security tools, the security budget still benefited because the lower complexity of the IT environment meant less complexity and cost for the security needed to protect it.
3. Implement more automation and AI capabilities
Security exec Chris Cooper says he’s focused on finding opportunities where he can add automation and artificial intelligence capabilities to cut manual work.

“You can use those broadly to make things more efficient,” says Cooper, a cybersecurity consultant and fractional CISO with Rougemont Security and a member of the Emerging Trends Working Group at the professional association ISACA.

For example, he put in place a vulnerability management tool that continuously monitors his environment, identifies vulnerabilities and automatically issues work tickets. That gives staff members who previously had performed that work more time to focus on other security tasks, thereby saving Cooper the costs of hiring more workers.

Torok says he took similar steps, pointing to his team’s use of newly available generative AI capabilities offered by its security information and event management (SIEM) system. He says utilizing the genAI capabilities has “dramatically improved response times” and delivers the work that would have required adding one to two new analysts.

Torok, Cooper and others acknowledge that implementing more automation and AI capabilities requires an investment. However, they say the investments can deliver returns (in increased efficiencies as well as avoided new salary costs) that exceed the costs to buy, deploy and run those new security tools.
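The scan-to-ticket workflow Cooper describes, as an added example that is not code from the article or from any vendor’s product: it takes a batch of scanner findings, drops duplicate rows, filters out findings below a severity threshold, skips anything that already has an open ticket, and emits ticket payloads sorted by priority. The scanner findings, the open-ticket map, the plugin IDs and the ticket fields are constructed sample data and hypothetical names; a real deployment would replace them with the scanner’s export and the tracker’s API.

```python
"""Added example: triage scanner findings into deduplicated ticket payloads.
All inputs below are constructed sample data, not output from any real scanner."""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample scanner export: one dict per finding. The second row is a
# deliberate duplicate, as a rescan of the same host would produce.
SAMPLE_FINDINGS = [
    {"host": "web-01", "plugin_id": "10001", "severity": "critical", "title": "Outdated TLS library"},
    {"host": "web-01", "plugin_id": "10001", "severity": "critical", "title": "Outdated TLS library"},
    {"host": "db-02", "plugin_id": "10042", "severity": "high", "title": "Weak database listener config"},
    {"host": "jump-03", "plugin_id": "10077", "severity": "low", "title": "Banner disclosure"},
    {"host": "web-02", "plugin_id": "10042", "severity": "high", "title": "Weak database listener config"},
]

# Constructed map of findings that already have an open ticket (fingerprint -> ticket id).
OPEN_TICKETS = {"db-02:10042": "SEC-101"}


def fingerprint(finding):
    """Stable identity for a finding: same host + same plugin means same issue."""
    return f"{finding['host']}:{finding['plugin_id']}"


def severity_rank(finding):
    """Map the scanner's severity label to a number; unknown labels rank lowest."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)


def triage(findings, open_tickets, min_severity="high"):
    """Return (ticket_payloads, stats).

    ticket_payloads: one hypothetical ticket dict per new finding at or above
    min_severity, highest severity first.
    stats: counts of findings that were suppressed and why, so the pipeline's
    behaviour can be audited rather than silently dropping work.
    """
    threshold = SEVERITY_RANK[min_severity]
    seen = set()
    stats = {"duplicates": 0, "below_threshold": 0, "already_ticketed": 0}
    payloads = []

    for finding in findings:
        key = fingerprint(finding)
        if key in seen:                     # same issue reported twice in one scan
            stats["duplicates"] += 1
            continue
        seen.add(key)

        rank = severity_rank(finding)
        if rank < threshold:                # below the cutoff: log it, don't ticket it
            stats["below_threshold"] += 1
            continue

        if key in open_tickets:             # already tracked: avoid a second ticket
            stats["already_ticketed"] += 1
            continue

        payloads.append({
            "fingerprint": key,
            "summary": f"[{finding['severity'].upper()}] {finding['title']} on {finding['host']}",
            "priority": rank,
            "labels": ["vuln-scan", f"plugin-{finding['plugin_id']}"],
        })

    payloads.sort(key=lambda p: -p["priority"])
    return payloads, stats


if __name__ == "__main__":
    tickets, summary = triage(SAMPLE_FINDINGS, OPEN_TICKETS)
    for t in tickets:
        print(t["summary"])
    print("suppressed:", summary)
```

Keeping the suppression counts alongside the payloads matters in practice: a pipeline that quietly drops findings is hard to trust, and the counts give the analyst who used to do this by hand a quick way to confirm the automation is doing what they did.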
4. Increase scrutiny of vendor contracts
David Ulloa, CISO with US drayage firm IMC Companies, has cut costs by scrutinizing his contracts with vendors.

That scrutiny starts, he says, by requesting itemized quotes. “When you get a quote with just a single line item, you don’t really know how much you’re paying for each of the features you’re trying to get,” he says. “And when you get itemized quotes, sometimes you find that some features are expensive compared to the value you’re going to get. This allows us to make an informed decision [on what you’re willing to spend].”

Ulloa says he’s also attentive to the terms of the service level agreements (SLAs) in vendor contracts. He first ensures that vendors meet the levels to which they committed and that they pay any penalties when they don’t. This work also ensures he doesn’t end up with extra costs, as he explains that “without robust SLAs, the CISOs end up picking up the work and paying to cover [the slack].”

Furthermore, he has moved away from the best-of-breed approach and, like Murray and Torok, is consolidating capabilities into fewer tools. He says he has saved upwards of 30% by reducing not only contractor costs but also the time staff needs to learn, manage and run multiple tools.

Ulloa says he also saves money by avoiding auto-renewals on contracts, thereby ensuring he can negotiate with vendors before inking the next deal. He acknowledges missing one contract set on auto-renew and getting stuck with a 54% increase. “That’s why you have to have a close eye on those renewals,” he adds.

One last strategy Ulloa has for saving costs: strategically leveraging his vendors.
“My partners, the vendors I can’t live without, I have monthly touchpoints to get access to subject matter experts, maybe to talk about a problem that I’m trying to resolve, which saves on things like paying for external consultants,” he says, noting that many providers include such resources as part of their subscription or solution costs.

Hagopian offers another strategy for saving money: leverage vendor incentives. She says vendors are offering deals to customers who bundle products and services as well as financing options that often help CISOs lower costs.
5. Automate security questionnaires, third-party vetting processes
George Gerchow, faculty at IANS Research as well as interim CISO and Head of Trust at MongoDB, was dealing with hundreds of security questionnaires that organizations now require of their own vendors and must fill out themselves for others as part of the third-party vetting process.

And, like other CISOs, Gerchow recognized the cost associated with handling all those incoming and outgoing questionnaires.

So he and his MongoDB team created a self-service capability featuring a chatbot named Guardian; it launched in the fall of 2024.

Gerchow says currently MongoDB’s own salespeople are using the self-service capability to get their own questions answered as well as to ask questions on behalf of customers. The Guardian bot guides users, answering their questions and anticipating the information they’ll need next. Before this self-service capability, Gerchow says, security workers received frequent requests for information, drawing them away from other duties.

Gerchow says the self-service option and the Guardian bot deliver the work of one full-time employee and will deliver a full ROI within three months, making everything after that cost savings.

MongoDB plans to allow external partners to access the self-service function and the Guardian chatbot starting in 2025, and Gerchow says the company is exploring how to bring the capability to auditors, too.

Chaddock says others also are trying to find ways to cut the costs associated with third-party/supply chain reviews. He points to efforts in the utilities sector to create standard questions and a platform for vendors to submit and validate responses, which the utilities can then access.
6. Bring on a FinOps engineer to scrutinize spending
Richard Marcus, CISO at software maker AuditBoard, along with his company’s CIO brought on a FinOps engineer to scrutinize the IT environment, the security tools and their costs.

He says FinOps practitioners are worth the investment.

“They understand the tools. They can see what’s in use, and what’s underutilized. They can use tools and cloud-based resources to see where we’re overspending. They can work on projects and devise strategies to save costs on delivery,” Marcus says.

For example, the FinOps engineer determined that AuditBoard had overprovisioned servers in one of its cloud providers, extra servers that the company was paying to have and paying to secure. Marcus says having this position quickly paid for itself, noting that AuditBoard has seen a return of 10 times the investment.
7. Enlist employees to become security champions
One way to cut costs is to reduce the number of problems that need security’s attention.

To do that, Jimmy Sanders, president of ISSA International and until early 2024 head of security at Netflix DVD, advises CISOs to create a security champions program.

The program enlists workers throughout the business, and particularly in IT, to receive some security training that they can bring to their everyday roles and their teammates, thereby boosting a better security culture for the organization, he says.

This cuts security costs in a few ways, Sanders says. The security champions can help with basic security needs as part of their day-to-day work, saving the security department time and boosting its efficiency as a result.

The improved security culture means workers are more attentive to risks and cyber threats and, thus, less likely to fall victim to them; that reduces the number of incidents, eliminating the costs of response. Security champions are more likely to loop security into business needs, and to do so early in work and project cycles, when injecting security requirements and security work is not only more effective but less costly to do.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3627485/blown-the-cybersecurity-budget-here-are-7-ways-cyber-pros-can-save-money.html