Every security leader has, at one time or another, been faced with the challenge of maximizing the value they get from their existing toolset. But that can be even more difficult as adversaries continue to aggressively evolve and security budgets remain limited. In fact, more than one-third (36%) of organizations report that an inadequate budget is their biggest internal cybersecurity challenge.
When making cybersecurity plans for the coming year, first try to make sure that everything in our environment is fully utilized while eliminating waste and redundancy. Research shows that most organizations use 10% to 20% of the technology they own, squandering precious budget dollars on unnecessary license costs.
Many vendors will also update solution features throughout a tool’s lifecycle. But unfortunately, security teams are often too busy to go back and optimize things post-deployment — and by some estimates, the number of security products in the average enterprise security stack now runs as high as 130. This means security leaders may be missing out on critical new capabilities and protections that they’re already licensing.
Regardless of the economic forecast, it’s always smart to get the most from existing investments before adding new security products and services to your environment. So, in order to maximize a budget, security leaders need to analyze and optimize before they modernize.
Analyze: Know the enemy
When it comes time for security leaders to plan for the year, the easiest thing is to stay “status quo” — don't change anything. If security leaders change something and it breaks, then there’s a risk of looking bad. But staying static also carries the even higher risk of doing nothing while the threat actors evolve and find new ways to exploit defenses.
So, the first step is to analyze the landscape. Are there things to improve in our stack to account for emerging threats or new vulnerabilities? There are things to learn from recent news items like the attacks against the casinos. Security teams can use these kinds of real-world circumstances to go back and figure out if they have the right protections and policies in place.
The challenge is that this takes cycles — and most people don't have spare cycles across teams. We don't have people sitting around and waiting for a project. Probably the hardest part is realizing that it’s necessary to invest time and not just money in order to get more efficient results from a program.
Optimize: Use what’s already there
Before allocating budget dollars to purchasing a new tool to cover a security gap, CISOs should first be sure they’re already using what they have to full capacity. Tool sprawl is a real problem — and not just in terms of spending. Complexity is the enemy of security. One-off security products that operate in silos can actually introduce inefficiencies and new vulnerabilities to infrastructure.
Try to take advantage of quarterly business reviews and executive briefings with vendors throughout the year to make sure security teams are tuning the tools that they’re already licensing and getting full benefit from the latest feature sets. A basic rationalization of the security tools in a stack can yield an estimated savings of 5% to 10%.
It can be challenging to find time for this — especially while coordinating 20 different vendors that each want to do a quarterly review. But vendors can help quickly improve efficiencies and even spot capabilities that haven't been turned on yet. It’s also important to understand the road map for their technologies and develop a relationship. Security leaders are going to need their help at some point; they're not just there to try to upsell. Ultimately, vendor reps want to make sure that a partnership is going to be successful because, quite honestly, the last thing they want to hear is that a customer is having an incident that will wind up in the news.
And sometimes, when listening to a vendor talk about their latest solutions, security leaders think of a different path to achieve the same end. Maybe there’s even a way to incorporate what the organization already has in its stack and tweak it to address that same common problem.
Modernize: Make strategic upgrades
Once security leaders have analyzed their risk exposures and optimized their current infrastructure, they’re in a much better position to make informed decisions about how to strategically allocate the budget for the upcoming year. Modernizing the tool stack can improve efficiencies and potentially save the organization money over time. This can offer significant business value — and CISOs should bring that information into C-suite discussions to justify targeted spending, even in lean times.
Better security for any budget
While cybersecurity remains a critical investment for maintaining financial and operational resiliency, smart security leaders know that greater program efficiency leads to greater program efficacy. A solid plan starts with analyzing the organization’s current stack in light of today’s threat landscape. Look for low-cost and no-cost opportunities to cover security gaps through tuning and optimization.