We can all agree that, on paper, it's a gloomy scene right now — an economy-stunning pandemic and now global civil unrest. Is it any wonder businesses the world over are tightening the purse strings? Gartner estimates a $6.7 billion overall decrease in spending for software and services for 2020. Forrester is echoing forecasts of spending pauses. If you're a professional facing a freeze against key security projects and hires, you need to arm yourself with persuasive arguments that benefit the bean counters.
Whether you're an information security-focused entrepreneur like me or a cybersecurity specialist, drastic reductions in spending in the sector should give you pause. The twin crises of a pandemic and global civil unrest represent fertile ground for bad actors. A sudden remote workforce due to COVID-19 is putting everyone's information security to the test, while global unrest brings with it the threat of physical as well as cyber-risk. In the race to meet ever-expanding security demands, it has never been more important for business continuity to take a holistic approach to your budget.
But you're a cybersecurity professional. This shouldn't be news to you. The real conversation to be had is how to make a business case that leaves no room for doubt that your projects are a resource priority within your organization. When you're influencing budget decisions around cybersecurity spending, there are several gears to shift.
- Revisit your asset portfolio and risk assessment: We're experiencing unprecedented and growing levels of risk. Online threats have increased sixfold since the pandemic began, with phishing attempts soaring by more than 600% since the end of February. The World Health Organization has reported a fivefold increase in cyberattacks in recent months. Without a robust and joined-up approach to information security in place, you'll be open to supply chain disruption and reputational damage. Nobody needs that given the ambiguity of our current times.
- Acknowledge the value of your talent: ISC.org suggests a supply gap of nearly 3 million cybersecurity positions. These folks are in demand and hard to retain. If they walk, their knowledge goes, too. A continued, dedicated investment in information security retains talent. A commitment to the highest possible global independent standard proves you're serious about what drives them and protecting their professional reputations as well as your data.
- Spot the opportunity: Your organization needs to focus on growth as well as threat protection. While piecemeal investments in operational security might keep daily threats at bay, they don't contribute to the growth of the business. Buyers are more nervous than ever, and information management protocols based on recognized standards from organizations such as the International Organization for Standardization and the National Institute of Standards and Technology will likely give your organization an advantage when competing for business.
When pitching for your security budget, leverage support from those within your organization — as well as customers, partners, and supply chain — who'll see the benefit. Your public relations department will appreciate a positioning "good news" story, particularly if a competitor or player in your vertical has experienced a recent breach. Your colleagues in sales will always welcome additional selling points, like being able to demonstrate certainty around processing customer data.
Arm your CFO with a solid business case that he or she can confidently present in your absence. A respectable forecast against spending never fails to influence decision-makers in the right direction. Like most entrepreneurs, I've learned lessons the hard way, burning through money on poorly considered projects, wasting time, and investing in old ways of doing information security management that actually slowed growth.
One of the most valuable lessons I learned through hard experience is to apply a zero-based budget view for any proposed activity. This is still the approach my growing team takes when recommending spending decisions within our business and supply chain. It ensures we're continually interrogating our return on investment, ensuring, in turn, that our operational expenditure remains lean and effective.
We all know there are slippery conditions ahead, which is why now is the time for organizations to maintain and even increase their spending on cybersecurity, where that investment shows the return. Effective control and collaboration within your supply chain reduces risk and overall cost while improving business continuity and resilience. Those who make considered spending choices now will steer into the skid and find themselves ahead of the pack as they emerge into the new normal and beyond.