Beware the cost traps that can strain precious cybersecurity budgets

– Michael Hill
The article highlights several factors that can contribute to hidden costs in cybersecurity, impacting the security budget.
Many CISOs struggle with the intricacies of the charging structures that security vendors build around their products. “Many products now have charging structures that are very complex, and while the basic version of a solution may look relatively attractive, it is not uncommon that the more advanced features — often the features the CISO requires — are charged at additional rates,” Brian Honan, cybersecurity consultant and member of the European Union Agency for Cybersecurity (ENISA) advisory group, tells CSO.
These factors include:
1) Increased pricing with scale: Some security products and services, such as SIEM or SOC solutions, may have cheap initial purchase costs but can become significantly more expensive as the amount of data, events, traffic, or endpoints increases.
2) Additional costs of security products and services: Beyond the initial purchase, there can be additional overhead costs such as licensing, maintenance, and support.
These costs can sometimes be misallocated between the security and IT departments.
3) Carefully review third-party costs: Before buying any cybersecurity service or engaging with a third party, CISOs should inquire about and assess all potential additional costs.
Negotiation strategies can help to pay the lowest reasonable price for products and services.
4) Consider internal running costs: The cost of running security products and services internally, including storage, staff training, maintenance, and dealing with false positives, should be taken into account.
5) Avoid redundant and overlapping services: Overlapping security services that duplicate functions can strain the budget and create integration challenges.
CISOs should conduct a comprehensive review of current security providers and their services, evaluating effectiveness and eliminating redundancies.
6) Wasted budgets on redundant tools: CISOs may invest in security tools that don’t deliver the expected benefits.
Inadequate integration, limited user adoption, or tools not addressing specific security needs can strain the budget and divert resources from more effective security measures.
7) Validate existing solutions: CISOs should avoid purchasing new tools without validating if an existing solution already addresses the risk.
This helps prevent a sprawl of redundant security controls and ensures investments are relevant to the organization’s threat model.
8) Beware of vendor lock-in: Vendor lock-in can result in higher costs than initially expected, as the investment in a solution becomes difficult to migrate from.
It’s important to assess all alternatives to avoid paying higher long-term costs when more cost-effective solutions are available.
9) Misaligned business priorities: When organizational priorities don’t align with the cybersecurity priorities of the CISO, overpayments can occur.
Ad hoc spending may be needed to address immediate threats, which strains the budget and is not guided by a comprehensive long-term security strategy.
10) Maintain long-term focus: Short-sighted decisions may lead to neutral outcomes in the short term but catastrophic outcomes in the long term.
It is crucial to prioritize longer-term thinking, sustain work on difficult problems, and align security priorities with the organization’s strategic objectives.
To mitigate these hidden costs and manage the security budget effectively, CISOs should carefully assess costs, negotiate with vendors, validate existing solutions, and align security priorities with the organization’s strategic objectives.
Regular evaluations of security investments and comprehensive reviews of current providers can help ensure cost-efficient and effective security coverage.
Link: https://www.csoonline.com/article/655295/beware-the-cost-traps-that-can-strain-precious-cybersecurity-budgets.html

