Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

Turning to the Cloud to Cut IT Security Costs

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

Security Vendor Consolidation Reigns: But It May Not Be a Choice

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."