As a veteran CISO for state and local agencies, Orange County CISO Andrew Alipanah knows how to optimize security functions within impossibly tight budgets. In the past, while at the City of Riverside, he utilized the covered and subsidized resources through federally sponsored agencies including CISA (Cyber Security and Infrastructure Security Agency), MITRE, the MS-ISAC (Multi-state Information Sharing and Analysis Center), and others.
But many of those resources disappeared this year when the US Federal Government slashed budgets for these once free resources. That meant he needed to get even more creative in supporting the cybersecurity function while spending less. To that end, he (along with other CISOs interviewed for this story), focuses on nurturing people and streamlining processes rather than throwing new money at technology.
1. Maximize resources
According to ISACA’s State of Cybersecurity 2024 and Beyond Survey, more than 50% of cyber security professionals said their security operations are underfunded, even as threats continue to rise and hiring has stalled.
“There’s little likelihood of getting new tools with how budgets look today, so you have to invent ways of saving money and getting more out of your existing resources,” Alipanah tells CSO. “When it comes to resources, most people talk about tools. But organizations don’t pay enough attention to people and processes.”
This was the case when the federal government pulled funding for the Multi-State ISACS, a resource he and other county agencies came to rely on. “When the Center for Internet Security (CIS), which manages MS-ISAC, announced that every agency has to pay this membership for themselves, we asked the state to buy the membership and put the counties and cities under a single state membership,” Alipanah explains. The state did, and it saved these agencies what he says is millions without raising costs for the state. In particular, the County of Orange saved $26,000 a year in membership fees.
In another example, Alipanah describes how people, processes and technologies all came together when the county’s CISOs worked together to consolidate various types of EDR products into a single brand of EDR. Of the county’s 26 departments, 18 of them consolidated on one EDR product. The resulting savings were dramatic: more unified response and visibility across county systems, streamlined management, volume discounts, and reduced need for specialized skills.
“You can create alliances, mutual support agreements, and larger bargaining units to negotiate better deals,” Alipanah adds. “We work on skills, policies and procedures, perfect them, and also hone the tools we do have.”
Lynn Cheramie, departmental CISO for Orange County District Attorney’s Office, works with Alipanah along with the county’s other CISO’s on these and other innovative, cost-saving initiatives. Cheramie describes Alipanah as an “influential leader,” which he says is essential to getting more done with less. This particularly applies to closing the gaps between silos and leveraging existing manpower.
2. Focus on people and processes
“Teamwork and influential leadership are pivotal in Orange County. We work side-by-side as extensions across our departments. We can’t all do everything, and we don’t want to reinvent the wheel. We shoulder the burden together, revisit existing initiatives, and reduce that tech debt,” Cheramie explains. “That’s how you do more with less: step in when there’s a lot to do, be of service to each other and to the county.”
This extends to all levels of staffing — the most valuable resource to retain and upskill in tight times. To that point, fractional CISO Dd Budiharto, founder and CEO of Cyber Point Advisory, says retaining and upskilling human resources should take precedence over buying new technology. This, she adds, is a key way to do more with less.
For example, in a past CISO role, Budiharto recruited incident response “ambassadors” from different departments — communication, legal, procurement, human resources, and accounting. “They loved it because they learned new skills and were part of something big,” she notes. “And, when we were hit with a BEC scam, they were right there, trained and ready to step in. They were very efficient and energized. Now that’s some ROI we’re talking about.”
In another case, she trained the procurement team to ask a list of fundamental cybersecurity questions of potential new vendors, saving valuable time for the security team by pre-vetting them. Often, these cross-trained people become security champions, Budiharto adds. Some even decide to expand their experience into cybersecurity. And new minds with fresh ideas also invigorate the security function and usher in innovation.
According to the latest cybersecurity workforce study report conducted by ISC2, the majority of more than 15,000 organizations surveyed said they lack the talent they need to meet their cybersecurity priorities, even as their organizations cut back on hiring. The report also cites the value of diverse backgrounds and pathways into the cybersecurity operation.
To that end, Michael Manrod, CISO of Grand Canyon University, utilizes student interns to augment the cybersecurity staff, the majority of whom stay on after graduation. “If you intern a lot of people and keep some of the great ones, you can have an exceptional team. Our top performers today were our students seven to ten years ago,” he says. “Dipping into internal talent pipelines is always less expensive than entering bidding wars for specific skills.”
3. Clean house
Manrod is also big on what he calls “garbage collection.” He and his team regularly visit their technology contracts to identify and remove tools that are no longer needed or effective. They pay particular attention to solutions acquired years earlier to solve a problem that might not exist anymore, or which is now covered under other platforms and operating systems in their environment.
“At an EDU, I need to be very selective in what products I keep and what I acquire. So, I keep an eye out for products I can get rid of in 2025 to pay for reducing new threats in 2026,” Manrod explains. “Instead of just throwing a bunch of new point products into the mix, we look at how to harden the host. Assuming that there will be a chance for some bad things to get through, we look at how we can block those bad things using out of the box configurations like Windows Defender Application Control (WDAC), or host firewall rules.”
Recently, Manrod’s team decided not to renew an ID/IAM vendor contract after eight years with that vendor and instead utilize Microsoft Authenticator to support multi-factor authentication (MFA). However, with attackers finding new ways to get around MFA, they ended up adding a specialty product using the money saved to address new adversary tactics.
4. Augment with AI
As he cleans house and frees up more security operations budget, Manrod is set on securely enabling college-wide AI initiatives. Inversely, he and his team also use AI to improve efficiencies within the cybersecurity department.
For example, they are using approved AI chatbots to augment efficiency gaps, such as writing scripts to query the SIEM, analyzing threats across traversal paths, supplementing training, and for faster querying and answers to questions SOC analysts have. So, while Manrod and others say AI isn’t ready for prime time in SOC functions just yet, a trusted AI chatbot has already proven to save his staff time, freeing them up for other critical security functions.
“If we’re doing it right by supplementing the human to make them better, smarter, stronger, faster, and more capable by working alongside the chatbot, AI could be very productive,” he says. “But, a lot of AI application is done terribly. So that’s something we’re keeping an eye out for.”
5. Make it about governance
Tariffs are undoubtably impacting technology spending. So, identifying and cleaning out waste and overlapping processes and technology is an important cost-reduction step.
Spend More or Spend Better , a report published by advisory firm Alvarez & Marsal (A&M), encourages CISO’s to focus on efficiency and impact rather than just chasing bigger budgets. In a follow up interview with CSO, the report’s author, Lorenzo Grillo, who leads the firm’s Cyber Risk Services practice in Europe and Middle East, advises CISO’s to identify and eliminate wasteful spending, conduct gap analyses, and focus on process improvements that elevate security posture.
“In one of our recent cases, the organization had focused all the attention and budget on security solutions, leaving the company with significant weaknesses in governance and processes. The cyber cost optimization initiative led the company to an improved cybersecurity posture with a risk reduction below the company risk appetite,” Grillo notes. “Optimizing target operating models, roles and responsibilities, and cataloging services and technologies should improve the efficiency of the cybersecurity organization and mitigate cyber risk.”
No Responses