The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets averaging $4.3 million this year represent a gain of 51% over the previous year, and that figure is nearly double the $2.2 million spent in 2010, all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.

The question is, why? Why are security budgets rising but enterprises still not getting the results they hoped for? "Many organizations are infatuated with buying the latest trendy thing, whether or not it makes the most sense for their specific security posture," says Jay Leek, chief information security officer at The Blackstone Group.

The 11th annual Global Information Security Survey of 9,600 executives also found that the number of organizations reporting losses of greater than $10 million per incident is up 75 percent from just two years ago. The costs of these breaches also are rising, with data breaches up 9 percent in 2013 from 2012.

One thing is certain: the organizations are not spending on the technologies and capabilities best suited to help spot advanced attackers, such as malware analysis (only 51% do so), inspection of traffic leaving the network (41%), rogue device scanning (34%), deep packet inspection (27%), or threat modeling (21%).

With all of this in mind, how do you tell if that increase in budget you received is being spent in the right areas?

The right staff

First up: make sure your team is well positioned when it comes to security staff. "Figuring out if you are understaffed or overstaffed can be tricky," says John Pescatore, director, emerging security trends, at SANS Institute. "If you have 10 firewalls, how many full-time equivalents does it take to manage them? If you have three people taking care of 10 firewalls, you either have really bad firewall managers or you should invest in a tool so that one person can manage those 10 firewalls," he says.

One way to evaluate staffing is to look at how many full-time equivalents are in the security program as a percentage of total IT positions. Another is to compare your security/general IT staff ratio with that ratio within your industry, and see how your security staffing stands in contrast to your peers, says Pescatore. "That's a good indication. Be sure to take into account how many full-time equivalents may be in place through outsourcing arrangements, such as firewall management and monitoring," he explains.

Understaffing of security professionals is likely to create a situation where the organization ends up pushing unsecured projects into production, unable to respond properly to incidents or to maintain a healthy security program. This means that those who are there will be constantly jumping from one emergency to the next.

And when it comes to security budget spending, at least in the next few years, it would be wise to invest in people, while organizations still can find those who are qualified. According to a just-released study from IT certifications provider (ISC)2, about 2.25 million information security professionals were working worldwide last year. That figure is expected to leap to 4.25 million in two years. And (ISC)2 expects that there could be a 47% shortage of security professionals qualified to fill those positions.

Our own "State of the CSO" in 2013 found that this demand for skilled IT security professionals is already straining organizations' ability to attract top security talent. It is the larger companies that are most likely to increase their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organizations. In fact, finding and retaining skilled IT security workers was identified among the greatest challenges for 31 percent of large companies.

Out with the old

Another way to maximize the security budget is to make certain the budget is aligned as closely as possible with current security demands and applications. "We see a lot of security shelfware out there," says Javvad Malik, security analyst at The 451 Group. "In a recent survey we conducted, not a single respondent said that they have a process in place to actually decommission old IT security products."

Predictably, what ends up happening, year after year, is that these enterprises acquire new security applications but don't decommission those in place, even though they're not in productive use. "They're scared that it might impact something, or fear it's too embedded into their processes even though they're not getting any value out of the application. They end up with all of this bloat that's just hanging around and costing them money," he says. While it may sound obvious, it's something many enterprises aren't doing: cull all of those security appliances and software apps that can be decommissioned.

Avoid the shiny

Andy Ellis, chief security officer at Akamai Technologies, says it's unfortunately all too common for enterprises to buy security equipment that they don't have the expertise on staff to maintain, or to fail to set aside a training budget. Before buying that SIEM, web application firewall, or malware forensics analysis software, Ellis has a set of questions that he says need to be answered:

Did you have people who knew how to use the system?

Were they able to apply themselves to installing, using, and maintaining the system?

Did the system actually have an effect?

While a negative answer would indicate an ill-thought-out purchase, an affirmative answer doesn't mean that the budget was wisely deployed. "At least you didn't just throw it away, but if you can't say 'yes' to all three of those questions, then you've wasted your money. How many SIEMs are out there that don't actually do anything because there are no operators to tune them," Ellis says.

Focus on the endgame

Blackstone's Leek argues that for years now, many enterprises have been spending too heavily on defensive technologies and not enough on incident response. "No matter how much you spend on defense, and how good you are at defense, or how wise you are with your budget, there will be attacks that get through. And not enough companies have been investing in their response capabilities. As a result they have very little ability to respond when the inevitable happens," he says.

With most enterprises spending a disproportionately low amount on response compared to defense, putting a good chunk of that budget increase toward response does sound like one of the best investments of all.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.