A recent study found that almost half of organizations are planning to reduce their cybersecurity headcounts. This comes even as cybersecurity incidents continue to escalate in number and severity each year.
It isn’t surprising that organizations feel the need to tighten their belts. Cybersecurity personnel are in high demand, and few are available. If you happen to have a good one and you want to keep them around, they’ll command a hefty salary. As the demand increases within the industry, so does their cost. At some point, you may be paying your cybersecurity staff more than you can justify.
On top of that, federal interest rates and the general state of the economy have companies reducing their spending and cutting expenses wherever possible. Usually that includes the largest cost center: personnel. Some companies are instituting hiring freezes and others are downsizing their workforce. Cybersecurity is just one of many business areas being impacted by the economy.
As understandable as downsizing is, that doesn’t mean it’s a good idea to simply cut your cybersecurity staff and move on. Cybersecurity is the fortification around your castle. Eliminating your staff without a plan is like emptying the moat and lowering the drawbridge.
While you may not have a choice about reducing your security headcount, there’s a right way to do it, and plenty of wrong ways.
Considerations Before Cutting Personnel
In any organization, you have several realms you need to protect: your production environment, remote personnel, various offices and headquarters, and more. There’s a lot of scope that needs some form of security attention.
All sorts of elements are involved within those realms, including:
- Outsourced cloud infrastructure devices
- Hardware devices
- Virtual and physical servers
- Workstations
- Printers and other devices on your various networks
That’s a broad spectrum of stuff to pay attention to, and it’s difficult to combine all of the various reporting and detection mechanisms. You have a plethora of tools that need to work together to monitor and protect your entire environment.
Unfortunately, many companies struggle to integrate those tools in a compact, efficient, effective manner. As a result, inefficiencies and gaps enter your cybersecurity portfolio. Not only do you have sluggish and redundant processes, you also have blind spots that leave you vulnerable.
When you’re considering reducing your cybersecurity personnel, you have to account for all of these elements that are in play. How will you not only maintain what you have, but fix the deficiencies already present in your environment?
How to Reduce Security Headcount Wisely
What should you do if your organization needs to reduce your cybersecurity personnel? I recommend taking a two-pronged approach.
Find security tools that let you do more with less
Most organizations have a security tool problem. They usually have at least one of the following issues:
- Multiple tools in place performing the same functions
- Security gaps that no tools are covering
- Misconfigured tools
- Lack of cohesion between multiple tools
Often I see all of these issues in the same organization.
Having misconfigured tools and unfilled gaps means that your organization isn’t as protected as you might think. Likewise, redundant systems don’t provide double the coverage — they just slow down your network, reducing productivity across the organization. You’re also spending more than you need to on the tools you have and what it takes to maintain them.
If you’re going to reduce your security personnel, it’s imperative that you get the right security tools in place, and configured correctly, beforehand. Find tools that let you do more with less.
Hire a fractional cybersecurity consulting firm
Hire an outsourced security and compliance consultant on a fractional basis, who can help you meet your organization’s ongoing security needs far more cost-effectively. A fractional consulting firm can help you understand your current requirements for security and compliance, identify the gaps, provide expert guidance for remediation, and advise you on how to move forward in the right direction.
They will also assist your organization in moving from resolving identified gaps to a state where you’re taking a proactive stance toward your cybersecurity.
With a fractional security consultant, you get the full expertise of one or more seasoned security professionals at an affordable cost.
Don’t Eliminate Your Security Staff
You may be able to reduce your security personnel, but it would be foolish to eliminate them altogether. You will have security incidents, and you’ll need someone to handle them efficiently and competently.
You also need the right tools in place, and that means having staff who can manage and monitor those tools. There will be organizational changes that will require security boots on the ground to support other internal teams.
Even if you’re outsourcing your security monitoring, you need an internal team that can be the connection point between your company and those outsourced services. You need someone who can understand how to handle issues, how to prioritize them, and what to do after an issue is resolved.
Your IT personnel don’t have the proficiency for that kind of work — you need someone with some kind of cybersecurity background. Completely eliminating all of your cybersecurity personnel would be a very bad move.
Don’t Rush Your Security Staff Cuts
Before you make personnel cuts, take the necessary time to make very careful decisions. Your goal is to strengthen your company’s financial position, not to put the entire company at risk by weakening its security stance.
While you still have all of these security personnel at your organization, leverage them to do things like finding tools that will work with your environment and perform the functions your company needs. Use them to source quality vendors you can count on.
There are many factors that will come into play when hiring a fractional consultant and finding the right tool sets. It’s not like purchasing a commodity solution — you aren’t buying a hammer. The tools and consultants you choose aren’t like all the other tools and consultants out there. There’s a lot of variability, and each one excels in its own certain areas.
Rely on your internal cybersecurity personnel, while you still have them, to establish the suite of tools to meet the needs of your particular organization. This evaluation process will take time. It won’t be a matter of weeks, but months.
Once your team has identified the right tools, there’s also the implementation and seasoning of the tools. The entire effort, from start to finish, could take a couple of years until you have everything in place, dialed up, and running smoothly.
Successful Security Downsizing
If your company is thinking about reducing your cybersecurity headcount, you should consider very carefully how you do it and what that process looks like. Do it too quickly and you’ll likely put your organization at substantial risk as a result.
TCT has the personnel and the technology to help your organization do more with less. We can provide fractional consulting services, and we have compliance management software that can help you save thousands of dollars per year — with less manual time and effort.
For the record, licensing for the TCT Portal (the compliance management software) can be performed standalone, or in combination with consulting services, depending on the needs of your organization.
If you need to reduce your security personnel this year, let’s talk about the right strategy for your company.