
How to Financially Prep Your Cloud Security Strategy for 2023

Published: Dec 28, 2022


TLDR:
  • As the financial climate has started to shift these past several months, it’s important to have an intentional strategy as 2023 security program planning is underway.
  • In this blog post, we explore 3 different scenarios your company may be facing: budget tightening, business as usual, or more funding. Each situation will require different approaches.
  • Regardless of your organization’s financial situation, the end of one year and the start of the next offer an opportunity to reevaluate how you’re spending funds to keep your company secure.

It’s that time of year, when the imminent turning of the Gregorian year triggers all of our content calendars to say “it’s time for our prediction posts.” The reality, of course, is that most predictions are just gently recycled from a prior year, maybe with some buzzwords scrubbed out and replaced, because who really wants to forecast amazing crypto outcomes in the wake of FTX?

Last year, we changed it up a bit, with some anti-guidance in the form of what strategies to avoid in 2022. That was a fun project to curate, because everyone loves to tell you what not to do. I went back through those items, and I think they hold up well, so I’m not going to recycle that post – just read it again. If you’re looking for insights into trending risks or cloud predictions, check out those links to see what our research pod and CEO have to say. This post is themed around budget and project planning for the next year, especially in the face of shifting economic uncertainties.

Cloud security budget cuts? Before you tighten your belt, first loosen your load.

For a lot of businesses, budgets are being curtailed for next year. Perhaps you’re a startup that is trying to stretch your existing cash because your next round is a little more uncertain. Maybe your business is adversely impacted by economic conditions, and everyone needs to pitch in. You should look at your budget with an eye to deferring or eliminating costs that you can’t easily justify.

What to do: Look at every project, process, and tool in your arsenal, and ask one simple question: if we stopped doing this, what would really happen? You might find some things you’re doing that are surprisingly expensive for surprisingly little value, and you can find room in your budget by eliminating – or at least minimizing – how much you’re investing there. 

What not to do: Start multi-year projects with little upside in the near term. If you can’t explain how the first phase of the project will make you safer in the coming year, don’t burn your energy and political capital.

How to gamble: A lot of vendors will give you free trials which you can use to conduct quick risk assessments. Use this opportunity to get some insight into imminent compromises you might have in your environment. Usually, this will give you some quick opportunities for when your budget does loosen up, although, very occasionally, you’ll find a risk big enough that the business might choose to invest in mitigations. Evaluate your existing vendors to see if you can find a more powerful alternative at a comparable investment. You can quickly evaluate how Orca Security compares to your other options in cloud security.

Cloud budget allocation staying steady? Keep your eye on the prize. 

If your business is doing well, perhaps your budget is relatively flat. If so, you might not have a deep inspection coming your way (yet), but you can still take this opportunity to prepare for the future.

What to do: First, check out the advice for belt-tightening businesses, as you can take advantage of the strategies there. But in a year where you’re not under close inspection (you aren’t expected to deliver on a grand project, nor are you being closely watched to find extra savings), you can focus on creating your own surplus. Look at all of your security programs, and identify opportunities for efficiency gains. If you’ve got too much of your Ops staff dealing with false positives out of your security tools, this might be an opportunity to improve your tooling or playbooks. Alternatively, start laying the groundwork for your big initiatives in 2024. Socialize the strategic challenges that the business needs to face. Don’t oversell them (you’re not looking for the budget now), but make sure your stakeholders have them in the back of their minds as needs that you’re wisely deferring this year… but can’t defer forever.

What not to do: Just business as usual. It can be tempting to breathe a sigh of relief that you dodged a slashed budget, and just keep operating like you always have. This is your opportunity to improve at your own pace, and everyone around you is going to notice if you pass on that opportunity.

How to gamble: Take a look at your existing processes, especially the ones that use technology to drive them. Can you go deeper or broader? Are there capabilities that you aren’t taking advantage of yet, which you could use without needing additional deployments? Driving greater benefits out of existing capabilities can be a big win.

Increased cloud security budget? Think big.

Maybe you have one of the lucky security programs that is seeing greater investment. A security breach, a shift in focus, or growing maturity might be driving greater investment – and greater attention – to your security outcomes.

What to do: Think holistically. You’re going to want a combination of quick wins that provide visible improvements in the next year, as well as capabilities that will continue to bear fruit for years to come. Often, you can get both outcomes from technology platforms that provide a number of capabilities across a specific domain.

What not to do: Ignore whole swathes of your business. It can be tempting to let sleeping dogs lie, but if your company has been moving into new areas without your attention (perhaps a shadow cloud program has been underway), you’re going to need to wrap your hands around those challenges. Even if you don’t think you have enough budget to solve all of your problems, your executive peers aren’t going to want to hear that you didn’t have enough money when your budget just grew. Rather than spreading your budget thin, focus on securing the areas that are going to propel your business into the future: cloud, data science, or whatever your company has placed its big bets on.

How to gamble: Can you free up people with technology? Your biggest constraint is likely skilled and knowledgeable staff, so the more you can replace your existing people with tools that do most of their work, the quicker you can jump start new projects with people you don’t have to onboard. Even if you can’t fully replace a senior contributor, maybe you can offload enough work to hire a more junior person to backfill them while you move them to a new program.

Put inertia to work

Whichever financial situation you’re in, inertia can either be your foe or friend. If you don’t make the changes you need now, you’ll spend 2023 just doing more of the same you did in 2022. Maybe that’s what your company really needs. If not, the choice is yours.

I invite you to join me for a webinar where I’ll go more in-depth on these concepts; register today to get information on how to adapt your security budget for the new year to help your organization thrive! 

Andy Ellis is the Advisory CISO at Orca Security, and 2021 Inductee into the CSO Hall of Fame. He is an Operating Partner at YL Ventures, and was formerly a US Air Force officer and the CSO at Akamai Technologies. You can find him on Twitter at @csoandy.