With government bodies across the globe wrestling to keep inflation under control and grumbles of recession growing louder, many businesses are set to face a period of considerable economic pressure.

To help weather the turbulence, businesses are scrambling to find ways to cut back on costs. And, naturally, as a large contributor to expenditure, technology budgets are coming under review.

With this in mind, TechRadar Pro spoke to CTOs from various industries, who highlighted the best areas of the technology stack to target for savings. In this edition, we focus on reining in the cost of the cybersecurity tools protecting your business, without giving them up outright.

 

Only consider tools that prevent against realistic threats

Cybersecurity threats to businesses are becoming more and more prevalent as businesses retain the online collaboration tools and cloud storage solutions they invested in at the height of the Covid-19 pandemic. 

While this is something to be wary of, it’s also important for business leaders to avoid investing in every new security tool, just because it might help if the company is struck by a relatively new attack, yet to see wide adoption by cyberattackers.

Mark Malecki, CTO at cyber resilience platform ISTARI, wants business leaders to consider the effectiveness of every security tool owned by the business in reducing risks, which can help with cost efficiency and streamline security stacks for the benefit of IT admins.

“As businesses compete in an arms race against hackers with new and more sophisticated attacks, anxious leaders tend to keep buying new tools to fight them off. Unfortunately, this can create complex digital risk management systems that organizations often fail to implement fully or manage properly. Yes, organizations need state-of-the-art tools to keep themselves secure, but their use should not unnecessarily complicate operations to the point of failure.”

“CTOs should evaluate how each tool reduces the most impactful business risks to their environment. Doing so might identify overlaps between capabilities. Conducting a cyber risk quantification analysis can also help to translate risk probabilities into financial terms, helping rationalise [investment in] corresponding cyber tools.”

 

Evaluate whether your security tools actually work

Malecki raises an important issue of the effectiveness of individual security tools, but it’s not just about cutting back on tools that overlap in the types of threats they protect, or threats that don’t pose considerable risks to businesses.

Patrick Foxhoven, Chief Innovation Officer at cloud cybersecurity company Zscaler, has suggested that business leaders often aren’t aware of the evolving nature of security software to keep up with threats. They’re also, he says, unaware of significant changes to Transport Layer Security (TLS), a long-standing method of encrypting internet traffic, that has rendered a lot of security software obsolete.

“C-suite executives are noticing parts of their security stack hasn’t generated a useful alert for a number of years. The reason for this is [TLS 1.3, the latest version] is making a lot of different categories of security technology blind to inspecting encrypted traffic. An example of technology that does not have a place in the security stack is anything that looks at traffic passively such as network intrusion, prevention, or detection systems. Today, it is impossible for some of this technology to do what it used to do and it cannot simply be replaced with a newer version.”

“If hardware is no longer doing its job because the whole environment has transformed, the answer is radical foundational change of network architecture. To save administrative costs and efforts and to address the infrastructure, organizations will benefit from implementing a platform-based model which focuses on the overall security posture.”

 

Invest in a managed security architecture

Offloading the oversight of a cybersecurity stack to another organization may seem counterintuitive in an article about cutting costs, but this could make sense if a business lacks cybersecurity expertise and isn’t looking to make an overcautious investment it might regret.

Paul Cragg, CTO at managed cybersecurity service NormCyber, suggests services could even benefit businesses that can afford to invest in top IT administration talent.

“Ditching a disjointed and manual, labour-intensive cyber strategy in favour of a managed service can be 70 percent cheaper than an in-house solution, and with the plethora of added-value services – such as 24/7 threat monitoring, staff training and even access to data protection lawyers – its rapid uptake among midsized organizations is not surprising.”

“Remember: your cybersecurity technology investments are only as good as the people and processes governing it. Joined-up thinking in these three areas can instil cyber resilience without breaking the bank.”

 

This article first appeared in Tech Radar.