
Why is there always an insufficient enterprise security budget?

Author: FreeBuf

- "Why has the security budget increased so much this year?"

- "The security budget has been spent; where are the results of the company's security program?"

- "The new security budget approved for you not long ago is already gone. What products did you buy?"

After reading this set of three "fatal" questions, many security professionals are probably already sweating. But it is no exaggeration to say that this is a problem that many enterprise security managers have to face in their work.


In recent years, as market profits have tightened, many CISOs have had to face the problems of "dividing a shrinking pie" and "cutting costs while increasing efficiency" in their security budgets. Even where companies have approved dedicated cybersecurity budgets, those budgets are being tightened or even cut. As a result, security policies are constrained, leaving many risk blind spots.

According to the latest research report published by IANS Research, with global recession expectations and persistent inflationary pressure, the growth rate of cybersecurity budgets in the 2022-2023 budget cycle decreased by 65% year-on-year. As a result, the struggle with budget constraints and staffing shortages has become one of the major challenges facing CISOs today. But whether a CISO's security budget is generous or limited, saving money and avoiding unnecessary hidden costs is always the better option.

The "Cost Trap" Hidden in Cyber Security Spending

From hardware investment to software license purchases, human resource management, and continuous maintenance and upgrades, cost traps are often hidden in enterprise network security spending, and every link may bring unexpected expenses. These expenses not only weaken the financial position of the enterprise; they may also reduce the effectiveness and efficiency of the overall security program.

These pitfalls may not be obvious in the early stages of a security build-out, but over time they are likely to quietly drain the cybersecurity department's valuable budget. They are so widespread that some are difficult to detect even for a CISO with relevant knowledge and experience. Specifically, they fall into the following categories:


The "tricks" in the billing structure of security products and services

Today, many CISOs struggle with the fee structures that security vendors build around their products. Brian Honan, a member of the Advisory Group of the European Union Agency for Cybersecurity (ENISA), pointed out that many products now have very complex billing structures: the basic version of a solution may look relatively attractive, but the more advanced features, which CISOs usually need, generally come at an additional cost. The initial purchase cost of these tools is relatively low, but the associated prices can rise significantly as the amount of data stored, the number of events tracked, the volume of traffic analyzed, or the number of endpoints monitored grows.

Additional expenses for security products and services also include license fees as well as maintenance and support costs. Moreover, some CISOs are said to be responsible for further security functions such as the SOC and infrastructure, so they incur support and maintenance costs that should have been borne by the CIO or CTO, especially where budget lines are tightly coupled.

It is critical to review third-party costs

Before deciding to purchase any cybersecurity service or work with a third party, it is crucial to ask in detail about, and evaluate, all potential additional costs. This not only optimizes the negotiation strategy with the supplier but also helps obtain the lowest reasonable price for products and services. There is often a lot of room for negotiation, especially when buying a new product, establishing a completely new partnership, or pricing intellectual property rather than a physical product.

When it comes to service, the most effective approach is to insist that every new product be backed by adequate professional services. For example, an experienced engineer can guide customers through efficient use of the product after it goes live, and the right staff can be assigned to own the product and resolve follow-up problems.

Just as important as selecting the right service personnel is training backup personnel; creating a culture of documentation and continuous knowledge transfer can save organizations a great deal of money.

When buying new security products, there is another strategy for getting a better price. For example, when some vendors of remote browser isolation services overcharge, an organization can lay out its own ability to develop such a product and publish it as a GitHub project for others to use for free, provided, of course, that it is willing to spend a capital expenditure equal to the supplier's asking price. The purpose of this approach is to take a firm position with the supplier and push it to lower the price.

The operational costs of in-house security products are easily overlooked

Beyond the complex cost structure of security products and services, the internal cost of running security products effectively is often overlooked. Take SIEM, for example. Although a SIEM is a security tool that effectively monitors and analyzes network activity, enterprises generate large amounts of data when using one for compliance purposes, which means a significant investment in storage resources and staff time. It is therefore also important to consider factors such as staff training, maintenance, adding users, and handling false positives, since most of these are unlikely to be included in the initial cost analysis.

The same goes for penetration testing services and open-source solutions. When using penetration testing services, businesses must also account for the internal time and resources required, the cost to the business of any potential downtime, the time needed to analyze reports, and the cost of implementing the required security measures. While open-source solutions are often seen as a cost-effective alternative to commercial security tools, they do not necessarily save cybersecurity teams money: there are ongoing costs of implementing, managing, integrating, and supporting the solution, such as the unexpected cost of recruiting relevant professionals or hiring external experts.

Strictly "deduplicate" and do not waste the budget on ineffective services and products

Duplicate functions and overlapping services are another common cause of cybersecurity budget overruns. Nick Trueman, chief information security officer at cloud service provider Nasstar, has addressed this issue, saying that paying for duplicate security features often leads to tight budgets and can also cause integration problems, because coordinating and integrating products from multiple vendors with similar capabilities adds complexity and interoperability issues.

The services provided by every security provider should be thoroughly reviewed to assess their effectiveness and their fit with the business's security requirements. If duplicate functionality is found, consider consolidating services under a single provider or working with the provider to eliminate the redundancy.

In the course of building security, many enterprises pay for redundant or ineffective tools that do not deliver the expected benefits. This affects security budgets and coverage plans, and may leave the organization with security tools or technologies that fail to fulfil their initial promise or deliver the expected value and return on investment.

Of course, there are many reasons behind this, such as insufficient integration with existing systems, low user adoption, or tools that do not effectively meet the enterprise's specific security needs. Security investments like these divert resources from more effective security measures, leading to a strained security budget and ultimately hurting the organization's overall cybersecurity posture.

Many CISOs over-procure: when they are simply looking to refresh or add tools, they often do not validate the use case or check whether an existing solution already meets the requirement. This leads to a great deal of tool redundancy, which complicates security operations. Organizations need to align all security investments to ensure they are relevant to the organization's threat model and actually reduce risk. It is therefore important for CISOs to determine whether an existing solution is available before choosing to purchase a new product.

Based on industry insiders' experience reviewing security tools in enterprises, organizations often buy two or three products for the same feature simply because they do not know that all the features they need are already available in a product they have already purchased. For example, many modern operating systems have built-in security features, such as disk encryption, which, if implemented, can eliminate the need for a third-party solution. To take advantage of this, consider having a dedicated product engineer review the security configuration and implement the solution correctly; this can save CISOs the cost of purchasing, integrating, and managing a new tool.

"Vendor lock-in" can create a permanent cost trap

Businesses sometimes invest a great deal of money, time, and resources to make a solution work effectively, resulting in costs significantly higher than expected. Yet most organizations are reluctant to consider moving certain security functions to another vendor's product or platform, because they do not want to waste the upfront investment or because the cost of migration is sometimes too high, even though more cost-effective solutions may now exist. Hidden costs can also arise when CISOs take over "initiatives" that are cross-departmental or led by central leadership. In that decision-making process, the CISO has the financial authority to implement the initiative and bears the initial costs, promising superiors or other departments that if the initiative succeeds, it will be moved into the operational budget.

The initiative then becomes an ongoing business activity. At that point, it is difficult to reallocate the operating costs across the business units involved, which can lead to controversy and conflict. As a result, these costs end up staying in the CISO's budget and causing problems there, especially since they were never supposed to be borne by the security department.

Confusion in business priorities can lead to unexpected costs

When the strategic goals and perspectives of business executives and department heads are not aligned with the CISO's cybersecurity priorities, disputes over budget allocation follow, and CISOs often do not have enough budget to implement effective long-term strategies, resulting in unexpected costs.

For CISOs who must justify their budget requests while competing with other departments for funds, any compromise can leave enterprise security needs inadequately met, leading to unexpected expenses when responding to a security incident or data breach. Businesses may then reactively allocate resources to address immediate threats, which often brings unexpected costs later. This reactive approach leads to tight security budgets that cannot support a comprehensive and more cost-effective long-term security strategy.

In fact, this situation has always been a pain point in security work and can be regarded as a legacy problem accumulated over the years. It also raises the question of how to quantify security work: when reporting to leadership, it is very important to present the phased results of security work and identify the actual benefits that security investment may bring to the enterprise. During the budget process, making senior leaders and the heads of cooperating departments fully aware of the importance and necessity of security spending can effectively protect the security department's share of the budget.


Epilogue

Enterprise network security is not only an important part of protecting enterprise assets, but also a key factor in maintaining an enterprise's core competitiveness. It is therefore very important to plan network security investment and spending reasonably, establish a sound budget monitoring and adjustment mechanism, keep abreast of budget execution, evaluate the effectiveness of network security investment, and adjust according to the actual situation to strike a balance between security and economy. Reviewing how the cyber security budget was executed, continuously drawing lessons from it, continuously improving the formulation and execution of the cyber security budget plan, and avoiding the "traps" of cyber security costs as far as possible is a "compulsory course" for every CISO.

After all, a healthy investment in cyber security is not only the foundation for enterprises to protect information assets and maintain business operations, but also a necessary measure for coping with an increasingly severe cyber security situation.

Resources:

https://www.51cto.com/article/770215.html
