As IT budgets tighten, it’s time for a back to basics approach
Earlier this month (June 2020), Gartner revised its forecast for security spending in 2020. While estimates made in December 2019 suggested that security spending would grow 8.4% throughout 2020, that has now been significantly scaled back to 2.4%. This equates to roughly $123.8 billion being spent on IT security.
This isn’t that surprising in and of itself. As Gartner themselves highlight, this is a symptom of the economic devastation wrought by the Coronavirus pandemic. But it nevertheless underlines the fact that many organizations are now shifting how they think about IT spend, and cybersecurity spending in particular.
Indeed, the fact that Gartner’s adjustment comes at a time when security risks are particularly high should be a cause of concern for those across the industry. Thanks to the rise of remote working, and cybercriminals exploiting the anxiety and cycle of misinformation swirling around COVID-19 to launch a range of attacks, including phishing and ransomware, the global security of the world’s systems and data is currently very vulnerable.
While the budget squeeze is simply a reality that everyone has to deal with, there are undoubtedly a variety of approaches that could be taken. Some should be effective enough to mitigate the current wave of risks, but others could expose businesses to real danger at a time when everyone’s sense of precarity is feeling all too real.
However, if there’s one way that businesses can manage risk — both financial and technical — it’s by going back to basics. If the last 20 years of digital transformation have been as much an exercise in vendor lock-in, scope creep and empty solutionism as much as real, impactful innovation, it’s important that we use this time of pause and reflection to invest in what really matters.
Businesses need to be smarter with their IT budget
For businesses that are feeling the effects of the pandemic, understanding the ROI of your IT and security spend is critical. Finance departments will always take a forensic approach to management spend — it’s the responsibility of IT leaders and decision makers to make the case for investments. After all, if they don’t evangelize for a secure and reliable IT system, who else will?
Calculating ROI when it comes to cybersecurity is far from straightforward. Perhaps that’s why it so often gets overlooked. However, if ever there was a time to take cybersecurity ROI seriously, it’s now. Budgets are tight, threats are rising — the foundations are well set for a watertight and well-reasoned argument in favor of continued, or at least sensible, investment.
This isn’t a post about calculating IT ROI, but it’s nevertheless worth pointing out the key steps in measuring ROI. In the first instance, it’s important to gather data and intelligence on the ways in which IT is maintaining business as usual and helping to power growth.
Of course, there are a number of ways you could approach this, from simple productivity metrics to recognising the way in which data is helping to power marketing or sales efforts. In any case, what’s important is establishing value. By extension this can help IT leaders to also determine the impact of, say, a data breach or downtime.
Emphasise risk, not value
Once this is in place, the challenge is communicating value to senior stakeholders. Indeed, sometimes value is the wrong approach — in the context of cybersecurity investment, it’s more effective to make the case in terms of risk. “When cyberthreats are framed in terms of the impact that a successful breach would have on the business — lost customer data, compliance failures, interrupted systems, direct financial theft” as one writer puts it in TechRadar, “it is easier for the board to appreciate the ROI of preventing that threat, because it is working with a familiar lexicon.”
Entering into a dialogue with management and framing ROI in terms of risk, then, is essential for businesses, particularly during this period. Of course, any form of dialogue will likely require compromise. That’s fine — armed with intelligence and insight, it’s possible to protect critical parts of your IT spend, and potentially even drop elements that aren’t necessary. That’s useful at any time, pandemic or no pandemic — it’s not hard for IT spending to bloat and grow in scope in ways that no one had really intended.
Focus on the fundamentals
If compromise becomes necessary, it can be effectively managed with a straightforward philosophy: focus on the fundamentals. This will inevitably mean different things to different organizations, but there are a few elements that deserve attention — and investment.
Be mindful of what you’re purchasing
Working in software is exciting because there are so many innovations and solutions out there. The everything-as-a-service boom has allowed us to indulge on a smorgasbord of products, all ostensibly providing a ‘critical’ service.
Except in many cases, they’re not ‘critical’ at all. They might be useful, and maybe even impressive — but they’re probably not making a real impact on that ROI that everyone should be thinking about so intently. It’s sadly not uncommon to see organizations purchase credible, and well made products, only to sit on them as stakeholders wait for the ‘right moment’ to implement them — only that moment never comes along, and it just sits there, almost buried beneath a half formed plan and good intentions.
True, sometimes there might be benefits to this; having tools in your back pocket can be pretty useful. But now really isn’t the time. When budgets are tight and businesses are balanced in precarious positions, it’s important that IT decision makers take responsibility that money is spent wisely. It’s not just about IT — it’s about protecting people’s jobs, and ensuring that the business is as safe and sustainable as it can possibly be.
Defend your data
A significant proportion of cyber attacks are geared towards stealing — or ransoming — data. This is because, of course, data is valuable. From customers to financial information, it’s data that really matters to businesses. It’s not a complete stretch to suggest that software infrastructures are really just elaborate homes within which data lives, moves, evolves, and grows.
With this in mind, cybersecurity investment should always prioritize what can be done to keep data safe and secure. If data really is the new oil (and yes, that analogy annoys me as much as it probably annoys you), it’s time we started to treat it with a bit more respect and care. Indeed, you could say we’ve progressed to a point where it has become apparent that data can be a liability as much as it is an asset — this is usually only realised when it is lost or stolen.
Focus on recovery
Recovery is perhaps the most critical aspect of intelligent cybersecurity spending. While preparation is rightly viewed as the first rule of effective cybersecurity, framing things with a focus on recovery and business continuity is useful because it prevents IT decision makers from getting caught in a negative cycle of minimizing risks. This is potentially costly and also stops you from focusing on the end goal — getting things up and running again.
This focus touches a number of elements: yes, it should guide how businesses procure and purchase software products, but it should also guide processes and people. No single piece of software can defend a complex, sophisticated business: to do that, we all need people.
Times are tough, but with the right focus we can protect what matters
The perception of IT teams as hidden, antisocial corners of businesses has had to change dramatically in the last few years. It has become clear that a good IT team — and an effective IT strategy — will empower and protect people inside and outside an organization.
At this time, when budgets are tightening and business leaders start to fret about sustainability and profitability, it falls to IT decision makers to focus on what really matters and invest in the things that are going to ensure we can all sail through these tumultuous waves to calmer waters.
Go back to basics with Macrium. Protect your data with simple, powerful backup.