Cutting Business Expenses Shouldn’t Include Cybersecurity

The COVID-19 pandemic no doubt is increasing strain on organizations’ budgets, but cutting business expenses shouldn’t include cybersecurity.

A new PwC survey of more than 300 U.S. finance leaders reveals the financial measures top U.S. business leaders are evaluating to minimize and manage business impact, including cutting business expenses.

More than half are considering deferring or canceling planned investments. Of planned initiatives, 2% are considering cybersecurity and privacy budget cuts, while 53% are looking at reduced IT spend.

Twenty-five percent may scale back digital transformation initiatives. This is surprising given the number of businesses forced to expedite remote working connections and capabilities over the last month.

Security budgets are being impacted by both the COVID-19 pandemic and budget cuts in several ways, said Bob Layton, Digital Defense‘s CRO.

Digital Defense’s Bob Layton

“IT budgets are based upon a percentage of revenue and corporate forecasts are unclear right now,” he said. “The work from home (WFH) necessity is re-prioritizing IT budget dollars toward infrastructure purchases to just keep running. Evaluation of public and private clouds for simple connectivity and scale are hot discussion topics. “

The end-user experience of WFH is pushing security to the second or third priority, Layton said. Channel checks and surveying of Digital Defense’s top customers shows security is still a priority and spending is steady. However the immediate priority is responding to home workers.

Once the workforce gets productive in the present environment, security will rocket right back to the top. This is likely a mid-Q2 bounce to watch for, Layton said.

Keyfactor’s Jordan Rackie

Jordan Rackie, CEO of Keyfactor, said these unusual and unprecedented business circumstances have created a “new level of cyber risk for companies building a new level of connectivity.”

“Many companies had some level of remote working infrastructure, but many others didn’t,” he said. “The mass and fast move to remote working environments meant that IT teams had to pivot quickly to get employees online and minimize operational downtime. What started as a short-term project now looks like a longer-term reality. ”

Security already was a continuous battle for every business, Rackie said. Now that companies are shifting to long-term remote working infrastructure, security is priority one, he said.

“More connections mean more risk — it’s as simple as that,” he said. “The natural knee-jerk response to an economic stall like this is to pare back budgets across the board, but the reality is that one expired certificate, one compromised connected device can cost more in downtime, lost revenue and brand value than any potential savings can produce.”

This crisis has overwhelmed IT and security teams managing onsite to offsite work transitions and security, Rackie said. Outsourced tools cost less than trying to recruit, hire, train and ramp up more in-house staff, he said.

“The pressure on IT teams is only going to grow as organizations build out their long-term remote infrastructure with new systems, applications and devices,” he said. “The problem is all those additions to the company’s environment to help remote workers cope adds new connections that can be compromised. All connections need to be tracked, managed and monitored continually to mitigate risks. The best path at this point is to do an audit, assess those connection points, and the tools and solutions you’ve got in place to manage them, then determine the best path forward that’s secure and cost effective.”

Businesses and cybersecurity executives are using this period to accelerate digital transformation, not scale it back, Rackie said. The key is managing and securing the new applications, systems and devices supporting digitization, he said.

“By no means should any company consider reductions in endpoint security, and identity and access management — their risk perimeter has just widened almost overnight,” he said. “If an organization has no other option but to cut their security budget, they need to make sure that any cuts are precise and reasoned. Eliminating or reducing security spend could open a number of security holes and compromise other systems in place that keep the network and assets secure.”

While cutting back isn’t ideal, it does provide an opportunity to evaluate the way they’re managing their security, Rackie said.

“The advice I’d offer to business leaders and CFOs is to resist the knee-jerk option to…