How to optimize your security budget

The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets now average $4.3 million this year, a gain of 51% over the previous year and nearly double the $2.2 million spent in 2010, according to our most recent Global Information Security Survey, conducted with PricewaterhouseCoopers.


The question is, why? Why are security budgets rising while enterprises still are not getting the results they hoped for? "Many organizations are infatuated with buying the latest trendy thing, whether or not it makes the most sense for their specific security posture," says Jay Leek, chief information security officer at The Blackstone Group.

The 11th annual Global Information Security Survey of 9,600 executives also found that the number of organizations reporting losses of greater than $10 million per incident is up 75 percent from just two years ago. The costs of these breaches are also rising, with data breaches up 9 percent in 2013 over 2012.

One thing is certain: organizations are not spending on the technologies and capabilities best suited to spotting advanced attackers. Only 51% perform malware analysis, 41% inspect traffic leaving the network, 34% scan for rogue devices, 27% use deep packet inspection, and 21% do threat modeling.

With all of this in mind, how do you tell if that increase in budget you received is being spent in the right areas?

The right staff

First up: make sure your team is well positioned when it comes to security staff.

"Figuring out if you are understaffed or overstaffed can be tricky," says John Pescatore, director, emerging security trends, at SANS Institute. "If you have 10 firewalls, how many full-time equivalents does it take to manage them? If you have three people taking care of 10 firewalls, you either have really bad firewall managers or you should invest in a tool so that one person can manage those 10 firewalls," he says.

One way to evaluate staffing is to look at the number of full-time equivalents in the security program as a percentage of total IT positions. Another is to compare your security-to-IT staff ratio with the same ratio within your industry, to see how your security staffing compares with your peers, says Pescatore. "That's a good indication. Be sure to take into account how many full time equivalents may be in place through outsourcing arrangements, such as firewall management and monitoring," he explains.

An understaffed security team is likely to end up pushing unsecured projects into production, unable to respond properly to incidents or to maintain a healthy security program. Those who are there will be constantly jumping from one emergency to the next.

When it comes to security budget spending, at least in the next few years, it would be wise to invest in people while organizations can still find those who are qualified. According to a just-released study from IT certifications provider (ISC)2, about 2.25 million information security professionals were working worldwide last year. That figure is expected to leap to 4.25 million in two years, and (ISC)2 expects that there could be a 47% shortage of security professionals qualified to fill those positions.


Our own 2013 "State of the CSO" survey found that this demand for skilled IT security professionals is already straining organizations' ability to attract top security talent. Larger companies are the most likely to increase their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organizations. In fact, finding and retaining skilled IT security workers was identified as one of the greatest challenges by 31 percent of large companies.

Out with the old

Another way to maximize the security budget is to make certain that spending is aligned as closely as possible with current security demands and the applications actually in use. "We see a lot of security shelfware out there," says Javvad Malik, security analyst at The 451 Group. "In a recent survey we conducted, not a single respondent said that they have a process in place to actually decommission old IT security products."

Predictably, what ends up happening, year after year, is that these enterprises acquire new security applications but don't decommission those already in place, even though they're no longer in productive use. "They're scared that it might impact something, or fear it's too embedded into their processes even though they're not getting any value out of the application. They end up with all of this bloat that's just hanging around and costing them money," he says. While it may sound obvious, it's something many enterprises aren't doing: cull all of the security appliances and software applications that can be decommissioned.

Avoid the shiny

Andy Ellis, chief security officer at Akamai Technologies, says it is unfortunately all too common for enterprises to buy security equipment that they don't have the expertise on staff to maintain, or to fail to set aside a training budget. Before buying that SIEM, web application firewall, or malware forensics analysis software, Ellis has a set of questions that he says need to be answered:

  • Did you have people who knew how to use the system?
  • Were they able to apply themselves to installing, using, and maintaining, the system?
  • Did the system actually have effect?

A "no" to any of these indicates an ill-considered purchase, and a "yes" to only one or two doesn't mean the budget was wisely deployed. "At least you didn't just throw it away, but if you can't say 'yes' to all three of those questions, then you've wasted your money. How many SIEMs are out there that don't actually do anything because there are no operators to tune them," Ellis says.

Focus on the endgame

Blackstone's Leek argues that for years now, many enterprises have been spending too heavily on defensive technologies and not enough on incident response. "No matter how much you spend on defense, and how good you are at defense, or how wise you are with your budget, there will be attacks that get through. And not enough companies have been investing in their response capabilities. As a result they have very little ability to respond when the inevitable happens," he says.


With most enterprises spending disproportionately little on response compared to defense, putting a good chunk of that budget increase toward response looks like one of the best investments of all.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
