7 Ways to Maximize Your Security Dollars
Budget and resource constraints can make it hard for you to meet security requirements, but there are ways you can stretch your budget.
February 5, 2018
Organizations are under growing pressure to extract more value from their IT security dollars.
Many have had to sharply increase their security spending in recent years to address new threats and meet compliance requirements. The proportion of the IT budget that is allocated to security has grown steadily at many organizations and now averages over 5.6%, according to Gartner. Some spend as much as 13% of their overall IT budget on security, the analyst firm has noted.
Gartner expects that businesses and governments worldwide will spend over $96 billion on cybersecurity this year compared to around $84 billion last year. Much of that spending is being driven by data breach concerns and attacks like the WannaCry and NotPetya pandemics of 2017.
"According to our quantitative research, over 40% of organizations are increasing their security spend against only 4% lowering it," says Daniel Kennedy, an analyst with 451 Research. "The most significant organizational change security teams are making is trying to add people, and having a hard time doing it because of a lack of available talent at certain salary levels."
Cutting security spending in the present threat landscape can be extremely challenging for most organizations. The question is about how to meet all your security requirements given budget and resource constraints, Kennedy says.
Here are seven tips for getting more from your security dollars:
Before spending money on new or more security tools, make sure you are getting the most out of what you already have, says Roselle Safran, president of cybersecurity consultancy Rosint Labs. Often, businesses that buy new tools end up not utilizing them fully or exploring all the ways the technology can be used, says Safran, a former manager of cybersecurity ops at the Executive Office of the President during the Obama era.
Products keep getting enhanced all the time, and a tool that you purchased a year or two ago for a specific purpose may now have the ability to do other things. So before shopping for new products, make sure you are harnessing all the capabilities of what you already have. "Often, there are products that can cover several different tasks," she says. "Using all the capabilities that your products have is less expensive" than splurging on more tools. Optimizing product use can be a great money saver, she says.
Security skills are costly and extremely hard to come by. So make use of the team you have judiciously.
"Step back from your day to day, and look for opportunities to script, automate, outsource, and drop," says Kennedy. "Model your processes, and decide which ones benefit from human interaction, which ones are valuable but could still drive much of that value if partially or fully automated."
Eliminate roles that can be automated or outsourced, Safran says. For example, do you really need dedicated Tier 1 analysts to monitor for, review, and prioritize alerts when you can easily automate the task or outsource it, she asks. Instead, train these analysts and put them to better use in other roles, including potentially as Tier 2 and Tier 3 analysts, she says.
"One side benefit of eliminating positions that are tedious and boring is a lower turnover rate within your information security team. People given more challenging roles where they have an opportunity to add value are less likely to bolt the first chance they get."
"Employees are actually one of our most powerful cybersecurity tools," says David Jordan, CISO at Virginia's Arlington County government. "If they don't click on things, it is very hard to invade our systems," he says.
Jordan's approach to the issue has been to implement an ongoing education and awareness campaign for employees via an internal website at the county government. In addition to giving end users information on topics like phishing and social engineering, the campaign also covers topical issues such as tax scams and National Privacy Day. Jordan has also been promoting the use of a tool that employees can embed within their email client to send a suspicious message directly to the security team with a single click, while also deleting it from their systems.
It's a lot cheaper having employees engage in the process than having to clean up after them, he says. "You don't always have to pay $50,000 a year to get your employees to watch some boring video," when other approaches can work as well, Jordan says.
If you are judicious about how you use them, open source tools can address a lot of your security needs. With a little digging and research you can find open-source versions of many commonly used enterprise security products, including those with anti-malware, forensics, network packet analysis, and monitoring tools, says Safran.
In many cases, the tools work just as effectively as commercial products and can be effective alternatives - especially for organizations that don't require much hand-holding and technical support.
"Decide where free and open source [applications] can play a role in your security program and operations," Kennedy says. If there is a viable open-source option available, make sure to get vendors to demonstrate why their value proposition justifies the cost when compared to the free, open-source alternative, he notes.
How you negotiate with vendors can have a big impact on security costs. To get the best deals, play vendors against each other, Kennedy says. "If you're looking to drive required third-party security capabilities at a lowered cost, don't be afraid to speak to multiple security vendors."
Don't be shy about checking out smaller but viable vendors either, and keep an eye on their sales cycles, he says. For instance, you might get a better deal on something you want from them by waiting for a sales quarter end. When negotiating with vendors, make sure you know all their delivery options. "Maybe there are cost savings using just a software or cloud-based service over hardware," he says.
Check if they are willing to lower their price if you'll provide a testimonial or provide recommendations to other customers. "Alternatively, is there a vendor your company is already using that also offers the required security service, that could be slipped into a larger technology services contract at a reduced price?"
One way to cut costs is to look for opportunities to share them with others. Tools that serve multiple purposes outside the security team are one example, Kennedy says. "Can that log management solution work effectively as a resource for application developers, production support, and for the security team?" he asks.
The approach makes sense especially for small organizations that can benefit from modern security approaches but don't have the budget to support a dedicated capability, Jordan says. Small, local governments, for instance, can consider splitting the costs for hiring a CISO or security consultant and having the executives split their time between the different jurisdictions, Jordan says.
Review your existing contracts and services and see where money is being spent. Make sure the licensing terms are continuing to work to your benefit, Kennedy says.
"For certain software, do you need all the seats you've contracted for? Could a vendor offer better terms for a longer-term contract, where set-up time and technical lock-in likely points to that usage term anyway?" he says.