Imagine paying for a small lock on your house every year. Burglars continue to break in despite what you think is a strong security deterrent. You spend the same amount every year on this inadequate security despite the different products on the market that promise to protect your home better.

This is what some security experts believe enterprises are doing on a larger scale. Those on staff who do the budgeting might blindly write the same amount into the security line every year. Or the C-suite might handcuff the security personnel with a tight budget that doesn't allow for expansion into new security products.

Mike D. Kail, Chief Innovation Officer at Cybric, said the topic of increasing cybersecurity budgets seems to be in the news every day, but unfortunately there also seems to be a large-scale breach to match that. "Tactical purchasing of point-solution tools is not helping, and CIOs/CISOs need to start investing in strategic platforms and frameworks."

451 Research found a misalignment between current threats and the appropriate defenses needed to truly protect an organization's assets from compromise. To the extent that security spending continues to increase each year, a defensible argument could be made that, at worst, much of that money is being wasted or, at best, not adequately allocated. "Simply put, as our corporate boundaries become increasingly porous and our resources are on the move, traditional endpoint and network security approaches are no longer sufficient in and of themselves," 451 writes in its report.

Dan Burke, vice president at Globalscape, said the issue is a version of "if it ain't broke, don't fix it," but the problem is that too many organizations don't know that their security is vulnerable. They may have even been breached, but simply don't know it yet.

The threat environment is sophisticated and constantly changing, requiring that companies constantly adjust the layers of their security architecture based on new and evolving threat vectors and actors, Burke said. Companies may still be relying on traditional firewalls even as more employees and systems go mobile or as workloads move to the cloud, or running antivirus in the belief that it will stop sophisticated attacks or phishing. "Then there's the risk in trying to squeeze a few more miles out of obsolete tech, like an unsupported OS or unpatched applications," he said.

Nir Polak, CEO and co-founder of Exabeam, said, "We have not seen a period where security teams are as hamstrung by legacy costs as they are today. This is primarily because effective analytics requires data capture, and all of the leading solutions for data collection and search are priced based on the amount of data collected. This didn't matter so much 10 years ago, but as the volume of generated security data has grown, data management costs have overrun security budgets."

Javvad Malik, security advocate at AlienVault, said enterprises are often poor at removing security products that are no longer needed, although, given the number of legacy systems in use, it's a problem that extends beyond security.

"Shelfware is a problem in security," he said, referencing research he presented at RSA a few years ago. "It showed that many enterprises purchase security products but then never actually properly implement them and leave them on the shelf. Many times, blinded by shiny new products, enterprises can overlook the capabilities already present within the products they have. So rather than buying another tool, it's better to trim and streamline the existing portfolio."

Mike Eisenberg, vice president of CISO Services at Optiv Security, concurs. "We definitely see organizations that have bought a product, say, six months ago, and it hasn't even been taken out of the box. Or, if the product has been implemented, it's not being used properly. And, even if it is being used properly, the organization is not tracking its effectiveness. This leads to products becoming outdated or just plain ineffective. You can see where resources are being wasted and how security programs suffer."

Research from 451's Voice of the Enterprise survey on cloud computing shows that the security tools that are most important in the "old world" — firewalls, anti-malware, etc. — are less relevant in the cloud.

Sam Curry, chief product officer at Cybereason, says security is like the growth of a coral reef over time, with new growth happening on the calcification of older coral. The whole pushes out over time as the volume grows. "Here's how a typical CISO plans a budget: someone from the CFO's office says 'time to do your budget for next year, so I took your spend from this year and moved it forward ... and you have to cut x percent' and then the negotiations start."

Security products have technical debt to address, he said, and have to add new "enterprise features" and facilitate what he calls "security hygiene" more and more (like aiding audit policies, supporting new platforms, checking for security policies on authentication attempts or logging, and so on). "Meanwhile, the bad guy is adapting and finding ways around this. The net result is that the older security products aren't innovating and tend to become more security hygiene focused and part of the legacy, statutory spend," he said.

The newest tools are those at the cutting edge of stopping bad guys. The struggle for the CISO is to free up discretionary money to make some bets on these high-risk tools. "The best CISOs are the ones that put pressure on the low-value, high-cost incumbents to make a few bets on new, cutting-edge, less mature offerings that can actually stop bad guys," Curry said. "Commodities should experience tremendous price pressure, so ignore brand, ignore hype, ignore the footprint they have in your IT environment and put them through the grinder to make the spend proportional to the value, and make more bets on the new, young, colorful coral growth in the security game."

Richard Henderson, global security strategist at Absolute, said security spending decisions aren't always clear cut. "While in some rare highly-publicized exceptions in high finance, where security staff have been told they have a virtual blank check for security tools, enterprise security teams have limited budgets and have to pick and choose how their dollars are being spent."

"The real question that CSOs and CISOs need to answer is how effectively the budgets they have are being spent. Would the hundreds of thousands of dollars they spent on a best-of-breed tool have been better spent on another tool from another vendor that may not have scored quite so high on Gartner's Magic Quadrant, but integrates much better and easier with their current security infrastructure? How much extra cash is it going to take to get an existing team up to speed on deploying, monitoring, tweaking, and tuning the new shiny tool? What's going to deliver better long-term return on investment?" he said.

Yitzhak (Itzik) Vager, vice president of Product Management and Business Development at Verint Systems, said many companies tend to spend too much time and resources on selecting best-of-breed point tools without taking into account how they fit in and work within their existing security infrastructure. "Fighting today's sophisticated threats requires a holistic approach. Companies are better served if they invest in a unified platform integrating multiple tools to provide complete visibility across the threat chain. Even better, the platform will be completely automated, more quickly detecting, investigating, and halting most attacks, allowing cyberanalysts to focus on stopping more complex attacks," Vager said.

Simon Taylor, vice president of products at Glasswall, said the larger corporations are caught in a cycle of security spending that they can't break. "Despite the industry's own admission that they cannot prevent a zero-day attack and that the cyber criminals are always one step ahead, no one wants to be the C-level executive that turns off the current failing border security. In fact, the trend has been to add 'more bricks in the wall,' or layers of security in the hope that at least one of the products can prevent a targeted attack," he said.

While there is complacency in some sectors at the board level, Taylor said, change is coming in the EU with the impending General Data Protection Regulation taking effect in 2018 and the recent announcement of tighter cybersecurity regulations affecting the financial sector in New York State. "If the businesses don't get their act together fast enough, regulators on both sides of the Atlantic will be forcing the issue," he said.

Markus Jakobsson, chief scientist at Agari, said there are several reasons why enterprises are not updating their security technologies at a fast enough rate. There is a lack of prioritization and awareness across the C-suite about today's security risks and the technologies needed to address them. Updating a company's technology is a big process and financial investment, so all company executives need to be on board and champion these initiatives from the outset. "There is also a lot of reluctance from enterprises with changing their security technologies because their strategies are negatively reinforced. If a company has never suffered a breach, their technology must be working, right? Why change it?" he said. "This type of attitude is extremely dangerous given today's rapidly evolving threat landscape. It's not a matter of if, but when, a company will suffer an attack."

Ajit Sancheti, CEO and co-founder of Preempt, said, "If you assume that most enterprises have been breached, then security strategies have to include spending on software that can identify threats on the internal enterprise network. Many security professionals believe they can identify and prevent these threats at the perimeter and are focusing their budget there. That strategy is flawed. One breach can negate all of that spending."

Jason Macy, CTO of Forum Systems, said too many enterprise organizations are committed to a legacy posture and an umbrella approach to cybersecurity. "Threat vectors have completely evolved and today's defenses require both perimeter and internal security. While traditional solutions are a component of an overall cybersecurity strategy, a reliance solely on legacy technology puts organizations, customers and partners at substantial risk," he said.

If a technology — such as antivirus, firewall, IDS, SIEM, access control, vulnerability scanner — hasn't changed in a decade, what chance does it have to actually stop a modern threat, Curry asks. And at what point does carrying the massive weight of the security hygiene products actually create too much noise, distraction, blind spots and false security?

Has cloud changed the security spending landscape?

While the experts CSO Online consulted mainly agree that the traditional enterprise network needs to be maintained, there is also the move toward spending on the cloud and services. In many cases IT staffs must try to bridge the old and new. The IDC survey "Security Survey Analysis: Growing Interest in Data Security, Endpoint Security, and Network Security Products" looks at the conundrum facing security pros.

"It's not that the security buyer is stuck in the past; it's that they are forced to maintain existing architecture while developing a security story for the future. Given that budgets aren't growing lock-step with digital transformation, it's an unenviable task to find ways of securing new architecture and service delivery models," said Sean Pike, Program Vice President, Security Products and eDiscovery Information Governance at research firm IDC.

John Morello, CTO at Twistlock, agrees that the cloud and DevOps are changing enterprises' operational approaches and technical architectures, but many organizations haven't adapted their security spend to align with these trends. Instead, many organizations are locked into multi-year support agreements for perimeter firewalls and traditional desktop anti-virus that are largely irrelevant in a world where apps and data mostly exist outside the network.

Rohit Sethi, COO of Security Compass, thinks the bigger story around misaligned budgeting is that companies are allocating 4 percent of their budget to application security, even though the security of their software — including that built by third-party vendors — is one of the largest risks according to the Verizon Breach report. "Broad information security framework and compliance standards pay scant attention to application security, which may be, in part, driving this budget allocation."

Paul Querna, CTO and co-founder, ScaleFT, said security budgets have traditionally focused on protecting the perimeter; however, the rise of cloud computing and the mobile workforce have broken down those walls. Companies that have recognized this have begun their own security transformation, redesigning their architecture from the inside out. This means that the spend will shift away from traditional products such as VPNs and firewalls to more cloud-native solutions.

Not surprisingly, when vendors were asked which security technologies were being underspent on, they quite often cited the market their own product lies in.

Todd Feinman, CEO at Spirion, said many budgets still have at least a small component of expense associated with security solutions indicative of older and outdated security methodologies. One example is traditional Data Loss Prevention (DLP) intended for data-in-motion network blocking. "This approach is very focused on the perimeter and has not stopped data leaks consistently because it does not solve the root cause of the data loss problem – which is workstations and servers storing at-risk sensitive data. This traditional DLP approach is also error prone because it trades off accuracy in the form of false positives to achieve necessary perimeter data scanning speed," he said.

Newer approaches emphasize using technology to discover where sensitive data lives – data that, if leaked, would cause reputation and/or financial damage. Sensitive data discovery solutions can also be complemented by automated classification solutions that tag data so it persistently identifies itself as confidential. Leveraging the discovery results ensures accurate classification without human involvement. Newer content management and endpoint protection solutions can then block confidential classified data with extremely high precision and help employees and organizations understand, control and protect their data better.

Ron Winward, security evangelist at Radware, said organizations feel that protecting data-at-rest is the most effective way to prevent a breach, yet it's what they spend the least amount of money on. But are organizations really forsaking data-at-rest protection when they spend on network and endpoint solutions? Not exactly, he said.

Breaching an endpoint is a perfect way into a network, where once you're in, your activity is masked to look like it's coming from what are usually trusted IP addresses, he said. Endpoint security continues to be a critical part of protection strategies.

Network-based protection is also critical, but what has changed over the years is the level of protection that you can get, he said. First, anything at a perimeter that can dynamically track behaviors — including encrypted sessions like SSL/TLS — is a critical aspect of protection, especially as the majority of internet traffic moves to encryption. But these devices are also starting to include data and other multi-threat protections in them — even at the border. There is also a tremendous amount of end-of-sale/end-of-life security equipment in the field, which organizations are refreshing now. The difference, though, is that many of the new devices going in, like Next Generation Firewalls (NGF), would be classified as "network" devices, but are also capable of doing other services. Another obvious place to protect data-at-rest is with a Web Application Firewall (WAF) that can be placed in front of public-facing servers (or via cloud) and dynamically watch for misbehavior that can lead to breaches.

"When you break it down, there are many data-at-rest protections built into devices that might be classified as network or endpoint solutions. And buyers are concentrating spend here because they're getting more for their dollar," Winward said. "As organizations decide where they spend their budget, network devices like perimeter protection and/or WAF could still be the best solution because of those advancements. But the key is that the solution needs to be behavioral in order to properly protect them. Attackers are creative and the only way to stay ahead of changing threats is with behavioral, algorithmic responses."

Layering more and more of the same type of products at the gateway does not incrementally increase the level of protection, simply because traditional security products operate much the same way, eventually causing the costs to outweigh the returns on investment, Taylor said. He continued that many corporations believe that the only alternative to traditional antivirus is sandbox technology, which can be expensive, resource hungry and difficult to manage in terms of threat reporting, as well as easily compromised. "If border and desktop protection is failing, what's the alternative? Cyber threats are not going to go away; we are dealing with a new frontier that is agile, well-funded, highly skilled, and for all intents and purposes, 'only has to get it right once' to compromise an enterprise," Taylor said.

Rich Campagna, vice president of product at Bitglass, said Mobile Device Management (MDM) is one area where companies are spending on outdated security solutions. Current MDM tools are a good fit for managed devices, but changes in employee behavior and the move to cloud apps have led to the popularity of bring your own device (BYOD) programs. Control-oriented MDM tools have limited applicability for BYOD, primarily due to employee privacy concerns and complexity of deployment.

John Michelsen, CPO at Zimperium, agrees that a focus needs to be placed on mobile. "Mobile is a clear area of vulnerability and yet many companies don't budget appropriately for mobile security until they are exposed to the reality of the threat." He said there is still a misconception that MDM will stop a hacker, when it stops your own employees, not bad guys. "Many of our customers have started by deploying zIPS [Zimperium's mobile intrusion prevention system app] into a pilot group to gather data on how vulnerable, at risk they really are. Once the lights are turned on and they see the reality, they quickly find budget and deploy to the rest of their devices," he said.

Compliance is to blame

Security budgets are often closely tied to compliance and risk analysis that place too much emphasis on outdated sets of controls, said Jason Luce, CEO and co-founder, ScaleFT. "We know this because every week we read about another major incident in the news where it was likely that rubber-stamp compliance was in place. IT departments within these companies who are actually responsible for implementing security measures are well aware that the world has changed around them, but are stuck checking off compliance boxes."

Malik notes four approaches to security spending:

- Benchmark-driven (i.e., what is everyone else doing?)
- Compliance-driven
- Metric-driven
- Evidence-driven

"There is no right or wrong security product investment strategy. However, companies should identify the risk they can believe in, then find the evidence that they are addressing those risks, ideally with a security platform that can address a multitude of risks in one offering, as opposed to investing in a separate point solution to address each individual risk," Malik said.

Kris Lovejoy, CEO at BluVector, said there is a shift away from data-at-rest solutions because the market is fragmented. CISOs are tired of buying "silver bullets" that not only don't work as advertised, but completely "disable" business innovation. Anyone who has been on the other end of the "innovation vs. security" discussion knows who wins. This, combined with the reality that "compliance" is no longer an excuse on which you can write a business case, means data security has become decidedly unsexy, she said.

With compliance also comes a call from the boardroom to follow standards and stay within budget. Taylor said business leaders need to accelerate the process of addressing cyber risk in the boardroom while applying proper management procedures as to how they will manage risk going forward. Among other things, this will involve setting a "new baseline" for defense. "They will need to fill the gaps in security at a new level, not more of the same layered security at the border, including ensuring the security of documents, which are the lifeblood of a company and the biggest threat vector for malware, particularly ransomware threats," he said.

ThreatConnect CEO Adam Vincent said one culprit of this issue is the lack of communication, or fragmentation, between cybersecurity tools. While it can take mere minutes for an adversary to compromise a network, it can take an organization days, weeks, or more to detect it because security tools do not communicate accurately and efficiently. "To reduce fragmentation and close the detection gap, companies need to focus their security investments into uniting people, processes and technologies in one place. Intelligence-driven cybersecurity platforms make this possible by eliminating silos, while also ensuring that threat intelligence information is shared efficiently between tools and teams to improve response times and even predict attacks."

What you should do

It is not necessarily about buying one type of tool vs. another, but more about making sure that all tools serve the purpose of reducing risk, and that they are comprehensively implemented across the organization, said Mike Donaldson, solutions specialist at Bay Dynamics. "Oftentimes, tools are selected for technical prowess, but without an eye towards how they fit together in the ecosystem to protect the business. Similarly, even tools purchased with the best of intentions are left only partially implemented because of organizational changes, technical or political hurdles, or good old inertia," he said.

There is not a "one size fits all" recommendation for the effectiveness of existing security tools and controls, what tools should be implemented next, or what controls can have exceptions. Therefore, purchasing decisions must be made based on the relationship between business objectives and security posture, what assets have the highest business criticality and value, and what mitigation is needed to make sure those assets are not compromised in light of existing threats and vulnerabilities.

He adds that companies should focus on ensuring that their current security tools are maximized for value and effectiveness. Often security tools sit in silos, each one producing various outputs that separately paint a very different picture of residual risk and security posture across individual assets as well as across various business units. This makes it very difficult for security teams to quantify risk and prioritize alerts, incidents and findings. Companies need to bring together their security tools and translate the information coming from them into one picture that explains their most significant risks and the actions to take that reduce that risk exposure. "Ultimately, all the fundamental security tools are needed. However, what's most important is to leverage a risk-based approach against business objectives to determine what order to implement the tools, what level of protection is necessary by asset criticality and value, and then taking measures to normalize the information outputs of disjointed tools and group them by specific risks so that a centralized and comprehensive view of cyber security posture is available and real-time residual risk can be tracked and managed," he said.

Eisenberg stressed the importance of endpoint security. "Security doesn't begin and end at the office. It doesn't matter if you have the best network security systems and practices in place if that laptop or smartphone is taken home or on the road and has potential for compromise." He advises organizations to spend more on advanced malware protection, with a heavy focus on cloud security, third-party risk management, endpoint security, and identity and access management. A holistic solution — from program to product to implementation and beyond — is the key to a better security program.

Enterprises should be focused on maintaining and keeping up with their current core infrastructure as their priority, said Chris Camacho, chief strategy officer at Flashpoint. Companies should start with networking equipment and ensure no products are end-of-life or no longer supported. If any are, replacement of these devices should be prioritized and the devices should not be used. After ensuring core network equipment is covered under maintenance, pay the vendor the money required to get the license and support updated and apply all patches and upgrades. After taking network inventory, do an architectural assessment of what you currently own. Is it time to look at next-generation firewalls? Do a cost analysis on current devices and spend and determine if managing a single vendor that provides multiple defense-in-depth services would save money in the long run, he said.

451 says to look for data security tool sets that offer services-based deployments, platforms and automation that reduce usage and deployment complexity for an additional layer of protection for data.

Most companies don't really understand how hackers operate and haven't quantified their risks or how secure they are, said Guy Bejerano, co-founder and CEO of SafeBreach. "As a result, they keep buying new security products that they believe will protect them from advanced threats. In fact, some financial organizations have a 'no vendor left behind' policy where they select multiple vendors providing the same security technology, presumably to increase the odds of success." Instead of a "product-centric" security strategy, what organizations need is an "adversary-centric" strategy, he said. By understanding the hacker's perspective, motivations and techniques you can continuously validate whether the security controls in place can actually stand up to the most likely breach scenarios.

David Baker, vice president of operations at Bugcrowd, believes the best defense is a good offense. "Spending money on an offensive testing strategy is a more efficient strategy from a budget and resource perspective. Organizations should consider starting at the front lines, training staff on appropriate security behavior and even doing some active social engineering testing. Moreover, organizations can train and test technical teams — engineers, developers, and IT — on good platform and configuration security behaviors through continuous proactive testing of applications and systems."

Jakobsson feels one area that can be shored up is email. He said email is the primary channel for 95 percent of cyberattacks. Yet, while many companies have correctly identified targeted email attacks as their primary concern, they are still relying on traditional security technologies such as spam filters, which neither detect nor prevent these types of email attacks. "As a result, these companies are spending time and money on employee awareness training, which is rarely effective and even reduces business productivity, as employees are expected to analyze every one of the hundreds of emails they receive every day. Instead, these companies should be recognizing that their primary protection technology does not address their primary concern very well," he said.

He said it's essential that companies prioritize threats on a sliding risk scale and adopt, and potentially swap out, technologies according to their budgets. "Today, however, companies aren't doing this. For example, many companies do not correctly take loss and risk into consideration," he said.

Henderson doesn't think companies are spending nearly enough on advanced training for their security staff. "Empowering your security teams to learn to use the tools they've already deployed at an expert level can improve your overall time to detect and remediate an issue, and build better job satisfaction and loyalty. It's no surprise to anyone that good staff are hard to find and even harder to replace, so if you don't have a set amount of cash set aside in your budget to keep those people happy… they're going to look for greener pastures elsewhere. This is the reality in today's cyber security job market."