Budgets wasted on redundant security services and products
On the topic of redundancies, CISOs can often end up paying for tools that do not deliver the expected benefits, significantly impacting their security budgets and coverage plans. CISOs may encounter scenarios where they invest in security tools or technologies that, despite their initial promise, fail to provide the anticipated value or return on investment (ROI), says Paul Baird, chief technical security officer at Qualys.
This could happen for several reasons, including inadequate integration with existing systems, limited user adoption, or the tools not effectively addressing the organization’s specific security needs. Such investments can strain the security budget and divert resources from more effective security measures, ultimately undermining the organization’s overall cybersecurity posture.
“I have seen CISOs find line items on their budgets where the tools are either shelfware or are not being used to their full potential,” Baird says. “The problem here is that we are running fast to keep up with threats and prevent attacks, and that makes it hard to get ahead of problems.”
Determine whether an existing solution is the answer before buying new
CISOs have a history of expense-in-depth purchasing where they renew tools and buy new ones without validating the use case and checking to see if an existing solution already addresses a risk, says Rick Holland, CISO at ReliaQuest. This results in a sprawl of redundant and potentially unnecessary security controls that complicate security operations. Firms need to reconcile all investments to ensure they are relevant to the organization’s threat model and minimize risk, he adds.
“For example, do you need to renew a cloud-based distributed denial of service (DDoS) mitigation service if you aren’t in a vertical where website availability is critical to generating revenue? Is the DDoS attack likelihood and impact low enough that limited resources could be directed elsewhere?”
In Honan’s experience of reviewing security tools in organizations, two or three products have often been implemented simply because the organization did not know that all the features it required were already available in the product it originally purchased. For example, many modern operating systems come with built-in security features, such as disk encryption, which, if implemented, could remove the requirement for third-party solutions, he says.
“Investing in a product engineer to review your configurations and ensure you have the solutions implemented properly could save the CISO from buying another tool and the related costs associated with integrating and managing it,” Honan adds.
Vendor lock-in creates perpetual misspending
Another cost trap that some CISOs may stumble into is vendor lock-in. The investment in money, time, and resources to get a solution to work effectively can eventually turn out to be significantly higher than initially expected. This can then lead to the CISO being reluctant to move to an alternative product or platform as they may feel that investment will be lost or that the cost of the migration would be prohibitive.
“This can be particularly true when a security function or process has been outsourced to a third party or to the cloud, leading to longer ongoing higher costs despite more cost-effective solutions being available,” Honan says.
Hidden costs can also creep in when a CISO picks up a cross-cutting, center-led “initiative” for which they hold the purse for implementation and day-zero costs, on the promise that “if it works, we’ll integrate into business budgets,” says Watts.
“That then becomes an enduring business-as-usual activity, by which time reflowing the run costs across the business is a conversation nobody wants to have, so it sits on the CISO budget line causing them an annoyance, especially if it really doesn’t fit the profile of a central security cost.”
Misaligned business priorities trigger security overpayments
A misalignment of organizational priorities can challenge CISOs, potentially leading to overpayments. This misalignment typically occurs when the strategic objectives and perspectives of different stakeholders, including senior leadership and various departments, do not align with the CISO’s cybersecurity priorities.
“When such misalignment occurs, it can result in disputes over budget allocation,” says Baird. CISOs may have to justify their budget requests in competition with other departments’ demands, potentially leading to compromises that do not adequately address the organization’s security needs, which in turn drives ad hoc spending in response to security incidents or breaches.
“Organizations may allocate resources reactively to address immediate threats, often incurring premium costs. This reactive approach can strain the budget and may not provide a comprehensive and cost-effective long-term security strategy.”
Sometimes both companies and security leaders are short-sighted in this regard, taking the easiest path for a quarter, which may have neutral outcomes over a year, but catastrophic outcomes over a half-decade, says Manrod. “If we want to solve this problem, we all need to lean toward longer-term thinking.”
Of all the factors that have helped to improve a security program, one of the most significant has been staying at the same company for a long time with the consistent and unwavering support of other leaders, which provides the runway for sustained work on the difficult problems that often go unresolved, he adds. “Are any of us assured success? Not at all. That said, I would like to think we all strive to accomplish the most risk reduction possible, for every investment level.” CISOs need to align their security priorities with the organization’s strategic objectives and regularly evaluate the performance of security investments to ensure that resources are allocated efficiently and that security coverage plans are effective and cost-efficient.