Director of Strategy ,
Axis Security

I just got back from holiday and for the first time in 25+ years I’m coming back without the dread of what this time of year normally meant for me. Budgeting. For those that know, determining next year’s budget can be an extremely heavy burden to bear, especially for many CIO’s and CISO’s. 

There are so many questions that need answers before you can even start the budgeting process. How did last year’s budget go? Did the budget get cut during the year? Did this mean we didn’t get to do everything we had planned? How has the company done this year? Did we do well? How do we think it will go next year? Will my team get more to spend, the same or less? What do we want to do next year and what do we HAVE to do? Do we have the time and resources to look at new solutions or do we just have to keep the lights on? Where are the most critical risks? 

Budgeting for CIOs vs. CISOs

For the CIO, striking the balance between keeping the lights on and taking steps forward is difficult to get right. Each CIO wants to make a difference, wants to help users, wants to drive the business forward and influence success. CIOs must also ensure that all hardware and software is still under support, that staff are motivated, are well-trained, and are paid appropriately, while adhering to budget constraints. Prioritization becomes key as there are always going to be “have-to-do” projects and “want-to-do” projects. Nobody can do everything.

For the CISO things are a little different, security is (and will always be) top-of-mind. While CISOs need to support certain hardware/software services and ensure that proper risk levels are enforced, CISOs need to also be aware and focus on all the new risks that exist. An additional issue for the CISO is that they are responsible for all things security, but they do not directly manage the teams where the core risks exist. In some cases, they don’t even own their own budgets; they come under the IT budget.

The pandemic and the workforce moving outside of that old castle and moat architecture has created a huge challenge. This huge shift has made the CIO’s and CISO’s life so much harder. How do you protect users, devices and data that now can be anywhere? It has created so many new risks that both leaders need to be aware of. Add to this the situation in Ukraine, the global supply chain issues, and the talk of a pending global recession and things are not looking great for 2023 budgets.

How to Optimize Budgets and Avoid Pain While Doing It

I can’t help but ask myself, what would I do if I was still in the corporate world? How would I blend CIO and CISO budget requirements to optimize BOTH teams spend?

First things first,  keeping the lights on is always going to come first. Both CIOs and CISOs need to ensure that the security/networking/infrastructure/IT systems continue to function and keep the business running. Keeping the lights on also means ensuring your team is properly staffed, including all the salary, training and surrounding costs. Without great people it doesn’t matter how good your systems are, things will start to break. 

An area that is often underrated (and hardest to implement) is training those outside of IT about cybersecurity best practices. Some companies have started to do this with a yearly training program, however this might not be enough. Standards and best practices can change quickly with threats coming from all directions, so keeping cybersecurity reminders in front of users is essential.

Next, and what I believe to be the most critical, if it’s not already, I would ensure zero-trust was part of my strategy. If you are not already on this journey, you should be. There has been a lot of confusion in the market about what zero-trust is and is not. Is it a product type, a strategy or architecture? Lost in the marketing mess is how it can help businesses set a foundation for security in a cloud-based world.

When fighting for budgets, office politics can become an issue. Leaders need to  remember that the IT and security staff  are all on the same team. You fundamentally want the same thing. Many times I have seen fights for resource and budget between the CIO and CISO. This is destructive critical initiatives and the work environment for both IT and security teams. I believe the way forward is to align and go to the business with your core requirements, together as a united front.

So, where do you start the journey?

I would start with identity. As part of the SSE Forum series Breaking Down Zero-Trust, we interviewed the people who have been part of the zero-trust movement right from the beginning. They all stated that identity is key. Former Forrester lead zero trust analyst, Chase Cunningham, stated that he believes the easiest thimble to boil is identity and access management. He believes this to be counter to what most people think, but when you look at the data the biggest vulnerabilities out there are password reuse, compromised assets, logins and lack of multi-factor authentication (MFA). Those are the things he feels organizations can put in place today that will make things easier for their next steps in their zero-trust journey. If you have bad IM, the whole system is flawed. However, please don’t think identity is everything. It’s just the start.

VPN Replacement
VPN replacement would then be the next thing I would tackle. It’s the low hanging fruit. With so many people now working from anywhere, secure access to applications from outside of the corporate network is more critical than ever. 

Start with third parties and contractors’ access as legacy VPN connects them directly to the network. As we saw with the recent Uber breach where the attacker used the VPN to access a wide range of critical business systems, this is too big a risk in today’s world. I would implement an SSE solution that offers agentless access to a wide range of ports and protocols. This eliminates the hassle and costs of installing agents because users are only connected to the applications they need to access versus having full network access.

Enterprise Wide Zero-Trust
I would then move on to all of the remaining remote access users using the same SSE solution. This would enable me to fully replace my legacy VPN and not only save money on hardware replacements and support for those VPN concentrators and firewalls, but also significantly reduce the attack surface that these legacy devices create by publishing things to the internet. Moving to a zero-trust takes the employee off your network by delivering users just to the applications and not the network. 

Lastly I would continue the zero trust journey and implement my SSE solution on the LAN to ensure even those users based in an office are only connected to the applications they require access to. Zero means zero. Insiders and outsiders should be treated equally, with zero-trust. No matter who you are, you only gain access to resources you need to do your job, and these are delivered to you via a cloud-delivered service, keeping all users off the network entirely.  It is time to  go all in on zero-trust, reducing complexity and reducing the number of hardware assets.

Make Your Budget go Further in 2023 

It’s very likely that budgets will be tight for many companies during 2023. CIO’s and CISO’s are going to need to work together to ensure that the budgets they do have can be stretched as far as possible and not only keep the companies IT systems running, but to ensure they are secure. Work together. This is a joint battle. You are more likely to win together.

The world has changed; users, devices and data are now everywhere and this means that the IT mindset needs to change. No longer is the castle and moat architecture going to protect the company successfully. Now is the time to embrace the future and start the zero-trust journey, and there is no better place to start than with an SSE solution.