Jonathan Crowe
Jan 2016

3 Expert Tips to Get the Most Out of Your IT Security Budget


The last thing you need is more shelfware

IT security spending is on the rise, but so is the pressure to demonstrate actual progress and deliver results. To help, we've gathered tips from three expert cybersecurity executives on how to get the biggest protection bang for your buck.

1) Don't treat tools as stand-alone solutions

"No part of security can stand alone." — Thomas Madden, former CISO at Centers of Disease Control and Prevention

When evaluating solutions, it's important not to focus so narrowly on individual tools that you overlook how they can be paired with additional technology, or how they can be augmented or even replaced by a complementary or alternative approach.

"Disaster recovery, physical security, information security, operation security, personnel security — they all have to be constantly talking to each other," says Thomas Madden, former CISO at Centers of Disease Control and Prevention.

"Let's say I have a system where I would need $10,000 to install some form of access control, or I can get my physical security counterparts to install four floor-to-ceiling walls and a door for $1,000," Madden explains. "I'd be foolish to spend the $10,000."

The key, as always, is to create layers of security and not to lose sight of your ultimate goal.

2) Make sure you can actually implement and manage any solution before you buy

"How many SIEMs are out there that don't actually do anything because there are no operators to tune them?"
— Andy Ellis, CSO at Akamai

Most of us probably assume we should be spending more to safeguard our organizations. Yet as budgets continue to skyrocket, results aren't exactly following suit. In fact, despite an increase in spending, we saw roughly the same number of data breaches last year as the year before.

Part of the problem is that spending alone won't make any company secure, and buying the latest, greatest technology won't amount to anything if you don't have the in-house expertise to properly leverage it.

Security products are notorious for becoming the "treadmills" of IT — reminders of noble aspirations that end up collecting dust. 

To avoid falling into that trap, Akamai CSO Andy Ellis has three key questions he says need answering before you buy any new security solution:

  • Do you have people who know how to use it?
  • Do they have the ability and bandwidth to install, use, and maintain it?
  • Will it actually have a measurable effect?

"How many SIEMs are out there that don't actually do anything because there are no operators to tune them?" Ellis wonders. "If you can't say 'yes' to all three of those questions, then you've wasted your money." 

3) (Re)Confirm your investments are addressing the right needs

"Before you start researching solutions, develop a specific sense of what you are trying to achieve." — Jack Danahy, CTO at Barkly

Following up on Ellis' third question, it's not just important for a solution to have a measurable effect; it also needs to be a measurable effect against the right performance goals. Otherwise, you run the risk of discovering too late that your budget and efforts aren't being focused on your true priorities (what we call falling into the “more money, same problems” pattern).

A recent study from the Ponemon Institute reveals just how common this problem is. As the stats below show, many companies suffer from a damaging misalignment between where their money is being funneled and what’s actually perceived to be the most effective and necessary solutions:

  • 84% of companies are investing in intrusion detection or prevention systems, yet only 41% believe they are a top-performing solution.

  • On the other hand, 63% of respondents listed security incident and event management systems (SIEM) as a top-performing technology, but only 53% are actively investing in it.

  • Despite negligent insiders being one of the top reported concerns, only 8% of companies listed cybersecurity training as a top objective.

To make matters murkier, nearly 50% of IT pros aren't convinced their current goals and metrics actually convey the true state of security in their organization.

If that sounds familiar, you might be best advised to take a step back before making any additional purchasing decisions. Review your plan, reexamine your priorities, and determine what needs to happen to improve alignment across the board.

Next Steps

For help getting your leadership team on board with your security initiatives, see our blog post "3 Keys to Getting Executive Buy-in for Security."

Now may also be a great time for you to develop a more strategic, sustainable approach to managing your company's security. Get a helpful head start by checking out our 2016 Cybersecurity Playbook.

Photo by Emma Brabrook

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

