No matter the size of your InfoSec budget, it is prudent to take a more critical look at the security program and find opportunities for smarter program management. So where should a CISO be paying attention to find waste and opportunities for smart budget management? Here are some ideas.
Remove redundancy and start consolidating
The average organization uses a large number of security technologies, by some estimates as many as 47, according to a Ponemon survey. However, the majority of security leaders (53%) are not sure whether their tools and technologies are actually working. It is time to stop buying more and more tools and start consolidating. When you take a deeper look, you will see a lot of redundancy among the technologies you already own. You will also find that many of the existing technologies can be replaced with a single new solution. By doing so, you will also improve user experience: imagine how many endpoints run slowly because of the large number of agents installed on every one of them.
Eliminate shelfware
You have more shelfware in your organization than you think. Many vendors bundle tools and technologies as purchase incentives, and those bundled products often never get used. We need to stop falling for buy-one-get-one-free tricks.
Use Cloud based security services
The Cloud has revolutionized security services through more innovation, lower cost, and the ability to avoid vendor lock-in. Consider the following as a few examples:
- Are you using an old full packet capture solution that requires an insane amount of local storage? Consider newer solutions that compress the data and store it in the Cloud, drastically reducing the cost.
- Are you spending too much on maintaining honeypots and still not getting the value? There are now Cloud based options where modern deception technologies are available “as-a-service” at much lower cost and with greatly improved functionality.
- You know how much you spend on network segmentation to protect the crown jewels. Why not look at software-defined zero trust technologies delivered from the Cloud?
- Traditionally, organizations have done content filtering with on-premises technologies that are difficult and costly to manage once you take total cost of ownership into account. Why not move to Cloud based web content filtering solutions that provide the shortest path to the Internet and protect users whether they are on a private network, on a public network, or working from home?
These are just a few examples of how Cloud based security technologies can help; there are many other areas to look into. Like everything else, security services are moving to the Cloud fast.
Use of Open Source Software
The fact is that we already use a great deal of open source software in all businesses, but we don’t notice its presence. For example, “all” medium to large size companies use Linux (which is open source). The majority of smartphones run Android, which is also open source. Apache is a common web server in ecommerce environments, again an open source technology. Many commercial products, including commercial security products, also run on Linux behind the scenes. There is no harm in looking at open source tools when you are constrained for budget. In many cases these tools are as good as commercial options, if not better. For example, ModSecurity is an excellent open source web application firewall. Why not consider it alongside the Apache web server for hosting web applications? The same is true for many network and host based open source security tools.
Better Distribution of Program Cost
Security program cost optimization is a tricky issue, but it can be achieved with some creative thinking. Doing everything in-house can be costly, and outsourcing the whole program has its own drawbacks. A balanced approach is usually best. One method is to split the overall budget into three major areas as evenly as possible:
- People and Payroll – This also includes education and training of security staff.
- Technology and tools – Purchase of technology and tools needed to run the security program. It also includes subscription based security services.
- Services – Instead of building a large security team, it is a good idea to identify areas where a service provider would make sense and outsource it. For example, if you do malware analysis once in a while, it would make sense to use services from a third party instead of building a team for malware analysis.
How much do we Spend on Security Programs?
Last but not least, this is a common question on many CISOs’ minds and is asked in board meetings: how much spending on security programs is good enough? The answer depends on the current maturity level of the security program, the industry sector, and the risk the organization needs to manage. According to various surveys and research reports, a good percentage of companies spend between 10% and 20% of their IT budget on security, with a median around 15%. However, after a data breach, security spending as a percentage of the total IT budget may go quite high. If an organization is spending more than 30% of its IT budget on security, there is a good probability that it had a recent major breach.
References
- How much should you spend on security?
- Cybersecurity budgeting and spending trends 2020: How does yours compare?
- Ponemon Study: 53 Percent of IT Security Leaders Don’t Know if Cybersecurity Tools are Working Despite an Average of $18.4 Million Annual Spend
- CISO MindMap 2020
- ModSecurity
- Suricata IDS
- OSSEC HIDS
- Zeek open source
- CISO MindMap 2020: Summary of Recommendations for Updating Security Programs