Cybersecurity spending: fulfil priorities with leaner resources

September 3, 2020

In a post-COVID-19 world, where entire chunks of our lives have moved online, cybersecurity is more critical than ever. One of the impacts of the coronavirus pandemic is to make cybersecurity spending unpredictable. While the business environment has changed because of COVID-19, many of the challenges that companies face remain. The pandemic has also upended and hastened the pre-existent digital transformation. Such uncertainties and complexity also cause ‘CISO fatigue’, a general discouragement amongst CISOs and information security leaders who see their challenges pile up and their strength depleted.

Recent discussions with cybersecurity leaders suggest they fear significant budget and staff cuts. Such an anticipated grim picture makes it harder to face the top two challenges for business today, namely the complexity of technological environments and a lack of skilled cybersecurity professionals. How can these two priorities be fulfilled with leaner resources?

Those recent discussions also surface an interesting view: bug bounty answers more questions than we suspect, well beyond the day-to-day operational ones. So we devise a structured list of recommendations to pinpoint actions that help achieve the two cybersecurity priorities.

Below, we set out the engagement approaches and process changes that CISOs have found useful in defining priorities and ways to fulfil them with leaner budgets.

More threats, less money? Not all is lost

Recent numbers suggest companies spend anywhere from 7.2 per cent to 15.2 per cent of their IT budgets on cybersecurity in any given year. These figures reflect specific changes in cyber spend: IT costs have shifted from CapEx (i.e. expenses on fixed assets) to OpEx (i.e. expenses on day-to-day operations, the “run”). In such contexts, cutting IT spend, and thus security spend, gets truly challenging.

Whether those figures tell the whole story is a different question though. Defining the cybersecurity budget as a part of the IT budget is not a universal rule. A significant portion of security spending occurs within business lines. Those need specific digital tools; risk management and data security are thus baked into the purchasing process business lines follow.

Cybersecurity budgets are thus a more vivid landscape than the mere proportion of an organisation’s IT expenditure. The operating models of post-COVID-19 security spending focus on prioritising a business-centric, process-driven and transparent allocation of resources. Such an alignment is natural: at the end of the day, CISOs only have finite resources at their disposal, so they need to decide which project gets priority depending on the business’s pressing needs.

Accordingly, security technology and service providers also shift priorities to support current needs: business continuity, remote work and planning for the transition to the next normal. Rationalising and optimising cybersecurity expenditure thus demands transparency and efficiency. New models such as pay-per-usage (e.g. Splunk) or pay-per-vulnerability (bug bounty) are in the spotlight and offer a direct and measurable ROI.

Those come with no hidden costs: running bug bounty programs means that clients pay only for information that is worthwhile according to their priorities. The approach also succeeds because CISOs do not have to handle a myriad of full-blown projects; a penetration test, for example, comes with planning strings attached: kick-offs, milestones, presentation meetings, etc.


Since we launched our Bug Bounty program, we’ve upped our security game: we found new vulnerabilities. We were able to fix them, and the level of security on these applications is now a cut above. Ultimately, that’s what a CISO should be aiming for: not just compliance, but enhanced security.

The CISO of a major European financial institution

Achieving (management) appreciation of cybersecurity success

Bug bounty thus rationalises the security audit spending and focuses it on what matters: aligning costs to core business risk management. Our discussions with cybersecurity leaders also highlight that leveraging crowdsourced security reduces ‘CISO fatigue’. The latter mainly results from a corrosive environment of misalignment between cybersecurity spending and the enterprise’s strategic objectives, friction with business partners and skill deficiency.

Our discussions with CISOs and cybersecurity leaders show that crowdsourced security diversifies the available talent pool and puts these additional roles to use. Bringing in new, complementary skills through collaboration between ethical hackers and relevant colleagues helps to create ‘unicorn teams’. Thus, a combination of individuals forms a sustainable team, one that can fulfil cybersecurity priorities on budget.

A more effective team is visible to management, and showcasing performance becomes easier, too. A long-lived, painstaking topic when defending a security budget is how well the money is spent. Resource allocation decisions, both past and present, are much easier to uphold when evidence and transparency support them: this many vulnerabilities were identified, that many were fixed. Such a candid yet confident approach strengthens interactions with management and offers concrete opportunities for stakeholder input.

Reduce digital risk efficiently by enabling security dexterity

As businesses expand their digital assets, cybersecurity faces intensified competition for time and expertise. Similarly, scrutiny into cyber resource allocation decisions heightens. In response, CISOs must explore more business-centric, process-driven and transparent approaches. Those security leaders prioritise resources for their enterprise’s most urgent needs.

To meet this challenge, CISOs must modernise their portfolio prioritisation processes and focus on enabling security dexterity. In a context where security budgets can be challenged, it is vital to show value to business lines by offering practical solutions. The current troublesome context is precisely the opportunity to think outside the box. Now is the time for cybersecurity leaders to show an ability to innovate as a way to stand up to the broader COVID-19-accelerated digital transformation.

Such an outlook seems easier said than done. The good news is: it is achievable. The better news: it is achievable thanks to bug bounty. As far as expertise goes, bug bounty brings about the realistic exploration of a technology by a vast crowd of ethical hackers, each with their unique point of view.

Besides, through its security-as-a-service approach, bug bounty also optimises vendor management. Forget about the range of penetration testing providers, each with their own processes and deliverables, which make CISOs and security managers dedicate a significant amount of time to coordinating and consolidating heterogeneous outputs. Bug bounty streamlines vulnerability management and decreases operational costs by reducing the number of vendors CISOs deal with.

In a nutshell:

Bug bounty programs rationalise the security audit spending and focus it on what matters: aligning costs to core business risk management.

Crowdsourced security makes cyber spend more transparent and enables (management) measurement of the CISO effort.

Bug bounty powers tomorrow’s leaders’ digital dexterity by creating a ‘unicorn team’ that fulfils the cybersecurity priorities on budget.