Cutting the Budget and Implications for Security and Risk
The organization spends a certain percentage of its budget on enterprise security and risk management (ESRM). However, due to a number of uncertainties, the organization may decide to cut its security expenditure. Cutting the budget means allocating fewer resources to the organization’s security teams to combat rising security risks (Irwin, 2019). During the annual budget review, company executives should assess the impact on security risk mitigation services if ESRM expenditure is reduced by, for example, 10%, 15%, or 20%.
In terms of security, reducing spending implies the organization is more susceptible to physical security and cybersecurity intrusions (Allen, Loyear, & Noakes-Fry, 2017). Reduced security and increased intrusions raise the likelihood of sensitive corporate and client data being exposed to unauthorized persons, as well as the possibility of firm assets and financial value being lost (Caspi, 2019). Organizational executives should not compromise physical security and cybersecurity while lowering enterprise costs. Investing substantially and adequately in enterprise security helps the company implement the ESRM plan strictly, allowing it to structure, report, and analyze risks more effectively in the long term.
For security and risk executives, it is vital to plan for budget cuts, since not all companies are well prepared for cutbacks, optimization measures, and similar changes. It is critical for these executives to have a strategy that balances cost reduction and improvement initiatives. Lacking an effective cost optimization plan to prepare the organization for the budget affects the safety and security of all members of the organization (Wasko, 2020). For example, executives such as CIOs and CISOs risk overlooking potential opportunities to improve security and reduce risks if they focus solely on reducing costs rather than planning how to optimize costs. For employees, a low security budget can leave the organization with inadequately staffed security teams and fewer employee training opportunities, denying them adequate institutional knowledge to deal with a security threat.