This article was originally published by Brilliance Security Magazine, view here.
By Ray Steen, CSO at MainSpring
Small businesses spend a lot of money upkeeping legacy IT architecture because they’re afraid to pull the trigger on costly upgrades – 79% of businesses are behind on IT transformation, leading to operational inefficiencies, security vulnerabilities, and higher costs over the long term.
Meanwhile, those same organizations are also spending thousands of dollars on SaaS tools they don’t use, diverting funds from IT security while generating attack surfaces for malicious actors. Ultimately, the root cause of both problems is a lack of IT and cybersecurity leadership driven by a talent gap, wage inflation, and high turnover for IT roles.
Why an ad hoc approach to IT security is wasteful
Aside from the fact that legacy architecture is more likely to fail, it’s also less likely to be maintained by vendors with software updates to patch zero days, software supply chain breaches, and other critical vulnerabilities. Older equipment is also better understood by cyber actors, who specifically seek out victims based on the type of systems they are using.
The best way to create a waste-free security budget
Security budgeting is all about setting priorities based on an organization’s mission and the evolving threat landscape – this keeps spending low while achieving maximum impact. All businesses should begin by building a cyber resilience plan that will maintain mission-critical operations in the midst of a ransomware attack, data breach, or another disruptive event. From there, they can move on to hardening their internal networks and sensitive data first – less critical assets second.
Security impacts everyone who depends on IT, from sales and marketing to operations and finances. All should be consulted – but determining where to allocate the most resources requires a combination of business and IT expertise, which can be difficult to find.
Organizations can supplement their internal talent through managed service providers (MSPs) and outsourced IT roles like a virtual chief information officer (vCIO), who can help decision-makers to understand the intersection between cybersecurity and their long-term, strategic goals.
Involve key stakeholders in creating the IT security budget
The right way to save money on IT security can be far from obvious: a costly investment may bring long-term benefits, and a seemingly necessary one may turn out to be unnecessary on further inspection. Sometimes eliminating unnecessary expenses comes down to upgrading legacy equipment; sometimes, it comes down to negotiating a better deal with your vendor; other times it comes down to using existing tools in a smarter way rather than investing in a new one. To recognize these situations and handle them appropriately, there’s no substitute for competent IT leadership and expertise.