Beware the cost traps that can strain precious cybersecurity budgets

Recent data paints a conflicting picture in relation to cybersecurity budgets. Some research indicates that budgets are increasing healthily with CISOs eyeing up their next spending sprees. Other studies suggest security budgets are tightening or even being slashed despite previously being approved, hamstringing security strategies and creating risky blind spots.

Several factors such as company size and sector undoubtedly play a role in the inconsistencies, but regardless of whether a CISO’s funds are plentiful or sparse, the opportunity to save money by avoiding hidden, unnecessary costs is surely universally welcome.

Security investments can come with cost traps that aren’t always obvious but eat into security leaders’ precious funds over time, without them ever realizing. These range from costs that are discernible with the right knowledge to others that are somewhat surprising, even for the most weathered of CISOs.

CISOs struggle with charging structures of security products and services

A lot of CISOs struggle with intricacies in the charging structures many security vendors have around their products. “Many products now have charging structures that are very complex, and while the basic version of a solution may look relatively attractive, it is not uncommon that the more advanced features — often the features the CISO requires — are charged at additional rates,” Brian Honan, cybersecurity consultant and member of the European Union Agency for Cybersecurity (ENISA) advisory group, tells CSO.

This can be quite common with security information and event management (SIEM) or security operations center (SOC) solutions where the initial purchase of the tool or platform is relatively cheap, but as the amount of data stored, events tracked, traffic analyzed, or endpoints monitored increase, there can be significant jumps in the associated pricing, he adds.

These additional overheads in security products and services can include licensing, maintenance, and support costs too. “I have heard of CISOs covering more motor functions of security such as SOC and infrastructure, finding they were holding onto support and maintenance costs that should really have been sitting under the CIO/CTO, particularly if the budget lines are fairly closely coupled,” says Paul Watts, distinguished analyst at the Information Security Forum (ISF).

Review third-party costs carefully

Before deciding to buy any cybersecurity service or engage with a third party, CISOs should enquire about and carefully assess all of the potential additional costs associated with its use. “This is a matter of refining vendor engagement and negotiation strategies to pay the lowest reasonable price for products and services,” Mike Manrod, CISO at Grand Canyon Education, says. In particular, there should be a lot of room to negotiate when a product is a net-new add, a new relationship, and/or a scenario where the cost involves intellectual property more than physical products.

“For services, the ultimate hack is to insist that every new product comes with plenty of professional services to implement it, then have your most promising people drive the session from their keyboard with the professional services engineer telling them what to do,” Manrod says.

Then put that person on point with supporting that product and solving the issues thereafter, and if you pick the right person, they will be an expert, he says. “Once this is done, have them train a backup and create a culture for documentation and sustained knowledge transfer. It would not even be appropriate for me to say how much money this has saved us over the past 6.5 years I have been in this job.”

Another consideration can help negotiate more reasonable prices on novel security products, according to Manrod. “For example, when some remote browser isolation vendors quoted absurd prices, we explained in detail how we could build our own and create a GitHub project to make it free for others if we dedicated CapEx hours equal to what they were charging.” This was a very salient reality check to the vendors and the pricing became more reasonable, he says.

Internal running costs are often overlooked

The intricate cost structures of security products and services are just one piece of the potential hidden costs puzzle. Another thing to consider is the internal cost of running them effectively, which is often overlooked. Take SIEM as an example; it is clearly an effective tool, but there will be a large volume of data to manage and keep for compliance purposes, requiring significant storage and time investment, Dave Allan, member of CREST’s UK Council, tells CSO.

“It is also important to consider things like staff training, maintenance, adding users, and dealing with false positives — all things that may not be included in the initial cost analysis,” he says.

Penetration testing services and open-source solutions are other good examples. When using penetration testing, it is critical to also consider the time and resources required internally, the cost to the business of any potential downtime, the time required to analyze reports, and the costs of implementing any required security measures, Allan says.

Open-source solutions, while often touted as a cost-effective alternative to commercial tools, do not necessarily result in cost savings for the cybersecurity team either, Honan adds. “The ongoing costs of implementing, managing, integrating, and supporting the solution can often lead to unexpected costs in recruiting individuals with the required skills or to engage with external expertise.”

Overlapping services and duplicate functions needlessly strain budgets

Overlapping services that duplicate functions are another common overspend that can eat into security budgets. “Paying for these duplicate security functions can be financially inefficient and strain the budget,” says Nick Trueman, CISO at cloud services provider Nasstar. It can also result in integration challenges whereby coordinating and integrating multiple providers with similar functions leads to complexities and interoperability issues, he adds.

CISOs should conduct a comprehensive review and identify all current security providers and the services they offer. “Evaluate their effectiveness and whether they align with the business’s security requirements,” Trueman says. If duplicate functions are identified, consider consolidating services under a single provider or negotiating with providers to eliminate redundancies.

Budgets wasted on redundant security services and products

On the topic of redundancies, CISOs can often end up paying for tools that do not deliver the expected benefits, significantly impacting their security budgets and coverage plans. CISOs may encounter scenarios where they invest in security tools or technologies that, despite their initial promise, fail to provide the anticipated value or return on investment (ROI), says Paul Baird, chief technical security officer at Qualys.

This could happen for several reasons, including inadequate integration with existing systems, limited user adoption, or the tools not effectively addressing the organization’s specific security needs. Such investments can strain the security budget and divert resources from more effective security measures, ultimately undermining the organization’s overall cybersecurity posture.

“I have seen CISOs find line items on their budgets where the tools are either shelfware or are not being used to their full potential,” Baird says. “The problem here is that we are running fast to keep up with threats and prevent attacks, and that makes it hard to get ahead of problems.”

Determine whether an existing solution is the answer before buying new

CISOs have a history of expense-in-depth purchasing where they renew tools and buy new ones without validating the use case and checking to see if an existing solution already addresses a risk, says Rick Holland, CISO at ReliaQuest. This results in a sprawl of redundant and potentially unnecessary security controls that complicate security operations. Firms need to reconcile all investments to ensure they are relevant to the organization’s threat model and minimize risk, he adds.

“For example, do you need to renew a cloud-based distributed denial of service (DDoS) mitigation service if you aren’t in a vertical where website availability is critical to generating revenue? Is the DDoS attack likelihood and impact low enough that limited resources could be directed elsewhere?”

In Honan’s experience of reviewing security tools in organizations, often two or three products have been implemented simply because the organization did not know all the features they required were available in the original product they purchased. For example, many modern operating systems come with built-in security features, such as disk encryption, which if implemented could remove the requirement to have third-party solutions, he says.

“Investing in a product engineer to review your configurations and ensure you have the solutions implemented properly could save the CISO from buying another tool and the related costs associated with integrating and managing it,” Honan adds.

Vendor lock-in creates perpetual misspending

Another cost trap that some CISOs may stumble into is vendor lock-in. The investment in money, time, and resources to get a solution to work effectively can eventually turn out to be significantly higher than initially expected. This can then lead to the CISO being reluctant to move to an alternative product or platform as they may feel that investment will be lost or that the cost of the migration would be prohibitive.

“This can be particularly true when a security function or process has been outsourced to a third party or to the cloud, leading to longer ongoing higher costs despite more cost-effective solutions being available,” Honan says.

Hidden costs can also creep in when a CISO picks up a cross-cutting, center-led “initiative” for which they hold the purse in terms of implementation and day zero costs on the promise that “if it works, we’ll integrate into business budgets,” says Watts.

“That then becomes an enduring business-as-usual activity, by which time reflowing the run costs across the business is a conversation nobody wants to have, so it sits on the CISO budget line causing them an annoyance, especially if it really doesn’t fit the profile of a central security cost.”

Misaligned business priorities trigger security overpayments

A misalignment of organizational priorities can challenge CISOs, potentially leading to overpayments. This misalignment typically occurs when the strategic objectives and perspectives of different stakeholders, including senior leadership and various departments, do not align with the CISO’s cybersecurity priorities.

“When such misalignment occurs, it can result in disputes over budget allocation,” says Baird. CISOs may have to justify their budget requests in competition with other departments’ demands, potentially leading to compromises that do not adequately address the organization’s security needs, which in turn drives ad hoc spending in response to security incidents or breaches.

“Organizations may allocate resources reactively to address immediate threats, often incurring premium costs. This reactive approach can strain the budget and may not provide a comprehensive and cost-effective long-term security strategy.”

Sometimes both companies and security leaders are short-sighted in this regard, taking the easiest path for a quarter, which may have neutral outcomes over a year, but catastrophic outcomes over a half-decade, says Manrod. “If we want to solve this problem, we all need to lean toward longer-term thinking.”

Of all the factors that have helped to make a lot of improvements to a security program, one of the most significant has been staying at the same company with the consistent and unwavering support of other leaders for a long time, allowing runway for sustained work on the difficult problems that often go unresolved, he adds. “Are any of us assured success? Not at all. That said, I would like to think we all strive to accomplish the most risk reduction possible, for every investment level.” CISOs need to align their security priorities with the organization’s strategic objectives and regularly evaluate the performance of security investments to ensure that resources are allocated efficiently and that security coverage plans are effective and cost-efficient.
