Why are corporate security budgets never enough?

2024.04.21
  • “Why did the security budget increase so much this year?”
  • “The security budget is all spent, so where are the company’s security achievements?”
  • “The new round of security budget that was approved for you not long ago is already gone? What other products have been purchased?”

After reading this set of three "fatal" questions, many security personnel may be sweating. But it is no exaggeration to say that this is probably a problem that many enterprise security managers need to face in their work.

In recent years, as market profits have shrunk, "cutting the pie" and "reducing costs and increasing efficiency" in security budgets have become difficult problems that many CISOs have to face. Companies that once approved sizeable cybersecurity budgets are now tightening or even cutting them. The result is constrained security policies and many new risk blind spots.

According to the latest research report released by IANS Research, with a global economic recession expected and inflationary pressure continuing, the growth rate of cybersecurity budgets in the 2022-2023 budget cycle dropped by 65% year-on-year. Coping with budget constraints and staff shortages has therefore become one of the major challenges facing CISOs today. But whether a CISO's security budget is generous or limited, saving money and avoiding unnecessary hidden costs is always the better option.

The hidden “cost trap” in cybersecurity expenditures

From investment in hardware equipment, to the purchase of software licenses, to the management of human resources, to continuous maintenance and upgrades, hidden cost traps lurk throughout corporate network security spending, and every link may bring unanticipated expenses. These expenses not only weaken the financial position of the enterprise, but may also undermine the effectiveness and efficiency of the entire security program.

These pitfalls may not be obvious in the early stages of a security build, but over time they are likely to quietly drain a cybersecurity department’s valuable budget. They are so widespread that some are difficult to detect even for CISOs with specific knowledge and experience. Specifically, they fall into the following categories:

The “tricks” in billing structures for security products and services

Today, many CISOs are struggling with the fee structures security vendors build around their products. Brian Honan, a member of the advisory group of the European Union Agency for Cybersecurity (ENISA), pointed out that many products now have very complex billing structures: while the basic version of a solution may look relatively attractive, the more advanced features, which are usually the ones CISOs actually need, generally cost extra. The initial purchase cost of these tools is relatively low, but the price can increase significantly as the amount of data stored, events tracked, traffic analyzed, or endpoints monitored grows.

Other additional expenses for security products and services include license fees and maintenance and support costs. Some CISOs are also said to be responsible for wider security functions, such as the SOC and infrastructure, and so bear support and maintenance costs that should properly be borne by the CIO or CTO, especially where budget boundaries are relatively tightly coupled.

Reviewing third-party costs is critical

Before deciding to purchase any cybersecurity service or work with a third party, it is crucial to ask in detail about, and evaluate, all potential additional costs. This is not only to optimize supplier negotiation strategies, but also to obtain the lowest reasonable price for products and services. Especially when purchasing new products, entering entirely new partnerships, or in cost scenarios involving intellectual property rather than physical products, there is often considerable room for negotiation.

When it comes to service, the key is to insist that each new product is backed by adequate professional services. For example, enough professional engineers should be assigned to guide customers in using the product efficiently, and at the same time suitable employees should be designated as the owners of the product to resolve subsequent problems.

In addition, just as important as selecting the right service personnel is training backup personnel. Creating a culture of documentation and continuous knowledge transfer can help organizations save a lot of money.

There is another strategy for getting a more reasonable price when purchasing new security products. For example, when vendors offering remote browser isolation services charge too high a price, the organization can detail its ability to develop such a product on its own and release it as a GitHub project for others to use for free. That of course assumes it is willing to spend capital expenditure equal to the supplier's asking price. The purpose of this approach is to make a statement to the supplier and pressure it into lowering its price.

Internal security product operating costs are easily overlooked

In addition to the complex cost structures of security products and services, the internal cost of running security products effectively is often overlooked. Take SIEM as an example. Although SIEM is a security tool that effectively monitors and analyzes network activity, for compliance purposes enterprises generate large amounts of data when using it, which means substantial storage resources and staff time must be invested. It is therefore also important to consider factors such as staff training, maintenance, adding users, and handling false positives, since most of these factors are unlikely to be included in the initial cost analysis.

The same goes for penetration testing services and open source solutions. When using penetration testing services, businesses must also consider the internal time and resources required, the cost to the business of any potential downtime, the time needed to analyze reports, and the cost of implementing the required remediation. Open source solutions, while often seen as cost-effective alternatives to commercial security tools, do not necessarily deliver cost savings for cybersecurity teams: there are ongoing costs associated with implementing, managing, integrating and supporting them, such as unexpected costs when recruiting relevant expertise or engaging external experts.

Strictly "remove duplication" and do not waste budget on ineffective services and products

Duplicate functionality and overlapping services are another common source of cybersecurity budget overruns. Nick Trueman, chief information security officer of cloud service provider Nasstar, has described this problem: paying for duplicate security functions not only strains budgets but also creates integration problems, since services that provide similar functions must be coordinated and integrated, and products from multiple vendors can lead to complexity and interoperability issues.

Services provided by all security providers should be thoroughly reviewed to assess their effectiveness and compliance with the security requirements of the business. If duplicate functionality is found, consideration may be given to consolidating services under a single provider or negotiating with the provider to eliminate redundancies.

During the security construction process, many companies will pay for redundant or ineffective tools that cannot bring expected benefits. This can impact security budgets and coverage plans, and can result in investments in security tools or technologies that fail to live up to the original promise and provide the expected value and return on investment.

Of course, there are many reasons behind this, such as insufficient integration with existing systems, low user adoption, or the tool's inability to effectively meet the specific security needs of the enterprise. Security investments like the one above take resources away from more effective security measures, straining security budgets and ultimately harming an organization's overall cybersecurity posture.

Many CISOs have over-purchased: focusing only on updating and buying tools, they neither verify use cases nor check whether existing solutions can already meet the need. This is likely to result in massive tool redundancy, complicating security operations. Organizations need to coordinate all security investments to ensure they are relevant to the organization's threat model and actually reduce risk. It is therefore important for CISOs to determine whether an existing solution already covers the need before choosing to purchase a new product.

According to industry insiders who review security tools in enterprises, organizations often buy two or three products for the same functionality simply because they do not know that the product they originally purchased already provides all the features they need. For example, many modern operating systems have built-in security features, such as disk encryption, which, if enabled, can eliminate the need for third-party solutions. To take advantage of this, consider assigning a dedicated product engineer to review security configurations and implement the available solutions properly. This can effectively help CISOs save the cost of purchasing new tools as well as the costs of integrating and managing them.

“Vendor lock-in” can create a permanent cost trap

Enterprises sometimes invest large amounts of money, time and resources to make a particular solution work effectively, ultimately causing costs to significantly exceed expectations. But out of reluctance to waste the earlier investment, or sometimes because the cost of migration is too high, most enterprises are unwilling to consider moving certain security functions to another vendor's product or platform, even though a more cost-effective solution may exist. When a CISO takes over a cross-departmental "initiative" or one driven by central leadership, they may face hidden costs. In this kind of decision process, the CISO controls the funds, is responsible for implementing the initiative and bears the initial costs. They promise superiors or other departments that once the initiative succeeds, it will be absorbed into the business budget.

The initiative then becomes an ongoing, regular business activity. At that point, redistributing its operating costs across business units is difficult and may cause controversy and conflict. These costs therefore end up sitting in the CISO's budget and causing problems, even though they should not actually be borne by the security department.

Confused business priorities can lead to unexpected costs

When the strategic goals and perspectives of business executives and department heads are inconsistent with the CISO's cybersecurity priorities, disputes over budget allocation follow. The CISO is often unable to obtain sufficient budget to implement an effective long-term strategy, leading to unexpected costs.

For CISOs who must justify their budget requests while competing with other departments, any compromise may leave the enterprise's security needs unmet, producing unexpected expenses when the enterprise has to respond to a security incident or data breach. Businesses may then reactively allocate resources to address immediate threats, which often results in further unexpected costs down the line. This reactive approach strains security budgets and fails to deliver a comprehensive, more cost-effective long-term security strategy.

In fact, this situation has always been a pain point in security work and can be regarded as a chronic "ailment" accumulated over the years. It also touches on the question of how to quantify security work. When reporting to leadership, it is very important to present the staged results of security work and to identify the actual benefits that security investment can bring to the enterprise. In the process of fighting for budget, senior leaders and the heads of cooperating departments should be made fully aware of the importance and necessity of security spending, which can effectively protect the share of investment it receives.

Conclusion

Enterprise network security is not only an important part of protecting enterprise assets, but also a key factor in maintaining the core competitiveness of the enterprise. It is therefore crucial to plan network security investment and expenditure reasonably, establish a sound budget monitoring and adjustment mechanism, keep abreast of budget execution, evaluate the effectiveness of network security investment, and make adjustments according to the actual situation so as to strike a balance between security and economy. Reviewing how network security budgets were executed, constantly refining lessons learned, continuously improving the formulation and execution of network security budget plans, and avoiding network security cost "traps" as far as possible is a "required course" for every CISO.

After all, healthy investment in network security is not only the basis for enterprises to protect information assets and maintain business operations, but also a necessary measure for enterprises to cope with the increasingly severe network security situation.