Security Chiefs Trim the Fat as Budgets Bite

Cyber teams are looking to do more with less in an uncertain economy

The RSA Conference in San Francisco, held in April, showcased a spectrum of cybersecurity providers. Security chiefs say they are looking to downsize the number of vendors they use and cut costs as they confront slimmer budgets.

Security chiefs are looking for ways to cut costs and run operations more efficiently as broader economic difficulties cut into budgets and resources.

High-profile hacks, new regulations focused on digital defenses and a greater understanding of the damage that attacks can cause have elevated cybersecurity to a core business risk. As a result, chief information security officers and chief information officers have spent big on cyber tools and services.

That is starting to change.

Analysts sometimes claim that cyber is immune to wider budget cuts facing companies in light of a troubled economic climate, but the reality on the ground is different, security chiefs say. While many CISOs haven’t experienced the degree of belt-tightening seen by other corporate departments, such as sales and marketing or even technology units, they are often being asked to do more with the resources they have.

A sour economy can erode the security budget even without an order to curb spending, said John Scrimsher, CISO at Kontoor Brands, the company that makes Wrangler and Lee jeans. 

Cybersecurity is typically a portion of the overall technology budget, which itself is a percentage of revenue, Scrimsher said. “If the economy is down and revenue is down, then IT and cyber budgets are down,” he said. 

This, in turn, has invited greater scrutiny of how security money is being spent, and in some ways forced security chiefs to reckon with uncomfortable truths.

“Even in a good economy, people are trying to grow the business, that’s what they want to put their funds into. Security may be important, but security doesn’t make revenue,” said William Lidster, CISO at automotive insurer AAA Washington.

Security providers say conversations around contract renewals and selling products are becoming difficult, and they must be flexible with customers. Chief financial officers and board members are now more involved, and projects that might have been approved easily in past years face rockier prospects.

David Obstler, chief financial officer of Datadog, which provides cloud security monitoring, said on an earnings call this month the company renegotiated a subscription contract with a large customer in the cryptocurrency business. What was a $65 million upfront payment is now several smaller installments, Obstler said. 

CIOs and CISOs are taking longer to make buying decisions, say big cybersecurity players Palo Alto Networks and CrowdStrike.

Annual recurring revenue for CrowdStrike’s fiscal year is expected to be “flat to very modestly up,” CFO Burt Podbere told financial analysts in March, “given increased budget scrutiny and elongated sales cycles.”

“We’ve seen some projects get delayed or descoped, none canceled, while most continue on track,” Nikesh Arora, chief executive of Palo Alto Networks, said on a February earnings call. Economic uncertainties, he said, are “creating more conversations around payment terms, discounts and scope of the deal with purchasing teams.” 

The scrutiny on budgets is extending to suppliers, some of which are experiencing funding challenges and consolidation, said Barry Mainz, chief executive of cybersecurity company Forescout Technologies. He said clients have requested information on his company’s financial health, and some want to speak with his CFO.

“I haven’t heard that for a while—maybe back in 2008 to 2009 we had that,” he said, referring to the financial crisis. “Companies that are looking to invest heavily want to make sure that there’s some sort of financial stability.”

For security chiefs, who may have dozens of vendors handling everything from firewalls to email security, cutting the number of expensive services they use is a key consideration. Some are also looking at how automated technologies can be implemented to free up human resources.

AAA Washington’s Lidster said his company used to have three or four specialists engaged full-time in threat hunting, or combing through network logs to look for suspicious activity. Often, he said, these highly skilled employees wouldn’t even know what they were looking for until they found it.

The company has deployed machine-learning programs to take on that work, freeing up staff for more complex tasks, such as analyzing the efficacy of the company’s security program and where they need to make changes.

Security chiefs looking to make do should also cull cyber tools that have fallen into disuse or aren’t as valuable as they once were, said Scrimsher of Kontoor Brands. “Make cuts in the least risky way possible,” he said. “If there’s a great tool that gives you visibility into something but you haven’t used that visibility for five years, do you really need to spend $20,000 a year on it?”

Write to James Rundle at james.rundle@wsj.com and Kim S. Nash at kim.nash@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

Appeared in the May 23, 2023, print edition as 'Security Chiefs Move to Trim the Fat.'