Date: 2023-10-16

Recent data paints a conflicting picture in relation to cybersecurity budgets. Some research indicates that budgets are increasing healthily with CISOs eyeing up their next spending sprees. Other studies suggest security budgets are tightening or even being slashed despite previously being approved, hamstringing security strategies and creating risky blind spots.

Several factors such as company size and sector undoubtedly play a role in the inconsistencies, but regardless of whether a CISO’s funds are plentiful or sparse, the opportunity to save money by avoiding hidden, unnecessary costs is surely universally welcome.

Security investments can come with cost traps that aren’t always obvious but eat into security leaders’ precious funds over time, without them ever realizing. These range from costs that are discernible with the right knowledge to others that are somewhat surprising, even for the most weathered of CISOs.

CISOs struggle with charging structures of security products and services

A lot of CISOs struggle with intricacies in the charging structures many security vendors have around their products.
“Many products now have charging structures that are very complex, and while the basic version of a solution may look relatively attractive, it is not uncommon that the more advanced features — often the features the CISO requires — are charged at additional rates,” Brian Honan, cybersecurity consultant and member of the European Union Agency for Cybersecurity (ENISA) advisory group, tells CSO.

This can be quite common with security information and event management (SIEM) or security operations center (SOC) solutions where the initial purchase of the tool or platform is relatively cheap, but as the amount of data stored, events tracked, traffic analyzed, or endpoints monitored increase, there can be significant jumps in the associated pricing, he adds.

These additional overheads in security products and services can include licensing, maintenance, and support costs too. “I have heard of CISOs covering more motor functions of security such as SOC and infrastructure, finding they were holding onto support and maintenance costs that should really have been sitting under the CIO/CTO, particularly if the budget lines are fairly closely coupled,” says Paul Watts, distinguished analyst at the Information Security Forum (ISF).

Review third-party costs carefully

Before deciding to buy any cybersecurity service or engage with a third party, CISOs should enquire about and carefully assess all of the potential additional costs associated with its use. “This is a matter of refining vendor engagement and negotiation strategies to pay the lowest reasonable price for products and services,” Mike Manrod, CISO at Grand Canyon Education, says.
In particular, there should be a lot of room to negotiate when a product is a net-new add, a new relationship, and/or a scenario where the cost involves intellectual property more than physical products.

“For services, the ultimate hack is to insist that every new product comes with plenty of professional services to implement it, then have your most promising people drive the session from their keyboard with the professional services engineer telling them what to do,” Manrod says.

Then put that person on point with supporting that product and solving the issues thereafter, and if you pick the right person, they will be an expert, he says. “Once this is done, have them train a backup and create a culture for documentation and sustained knowledge transfer. It would not even be appropriate for me to say how much money this has saved us over the past 6.5 years I have been in this job.”

Another consideration can help negotiate more reasonable prices on novel security products, according to Manrod. “For example, when some remote browser isolation vendors quoted absurd prices, we explained in detail how we could build our own and create a GitHub project to make it free for others if we dedicated CapEx hours equal to what they were charging.” This was a very salient reality check to the vendors and the pricing became more reasonable, he says.

Internal running costs are often overlooked

The intricate cost structures of security products and services are just one piece of the potential hidden costs puzzle. Another thing to consider is the internal cost of running them effectively, which is often overlooked.
Take SIEM as an example; it is clearly an effective tool, but there will be a large volume of data to manage and keep for compliance purposes, requiring significant storage and time investment, Dave Allan, member of CREST’s UK Council, tells CSO.

“It is also important to consider things like staff training, maintenance, adding users, and dealing with false positives — all things that may not be included in the initial cost analysis,” he says.

Penetration testing services and open-source solutions are other good examples. When using penetration testing, it is critical to also consider the time and resources required internally, the cost to the business of any potential downtime, the time required to analyze reports, and the costs of implementing any required security measures, Allan says.

Open-source solutions, while often touted as a cost-effective alternative to commercial tools, do not necessarily result in cost savings for the cybersecurity team either, Honan adds. “The ongoing costs of implementing, managing, integrating, and supporting the solution can often lead to unexpected costs in recruiting individuals with the required skills or to engage with external expertise.”

Overlapping services and duplicate functions needlessly strain budgets

Overlapping services that duplicate functions are another common overspend that can eat into security budgets. “Paying for these duplicate security functions can be financially inefficient and strain the budget,” says Nick Trueman, CISO at cloud services provider Nasstar. It can also result in integration challenges whereby coordinating and integrating multiple providers with similar functions leads to complexities and interoperability issues, he adds.

CISOs should conduct a comprehensive review and identify all current security providers and the services they offer.
“Evaluate their effectiveness and whether they align with the business’s security requirements,” Trueman says. If duplicate functions are identified, consider consolidating services under a single provider or negotiate with providers to eliminate redundancies.

Budgets wasted on redundant security services and products

On the topic of redundancies, CISOs can often end up paying for tools that do not deliver the expected benefits, significantly impacting their security budgets and coverage plans. CISOs may encounter scenarios where they invest in security tools or technologies that, despite their initial promise, fail to provide the anticipated value or return on investment (ROI), says Paul Baird, chief technical security officer at Qualys.

This could happen for several reasons, including inadequate integration with existing systems, limited user adoption, or the tools not effectively addressing the organization’s specific security needs. Such investments can strain the security budget and divert resources from more effective security measures, ultimately undermining the organization’s overall cybersecurity posture.

“I have seen CISOs find line items on their budgets where the tools are either shelfware or are not being used to their full potential,” Baird says. “The problem here is that we are running fast to keep up with threats and prevent attacks, and that makes it hard to get ahead of problems.”

Determine whether an existing solution is the answer before buying new

CISOs have a history of expense-in-depth purchasing where they renew tools and buy new ones without validating the use case and checking to see if an existing solution already addresses a risk, says Rick Holland, CISO at ReliaQuest. This results in a sprawl of redundant and potentially unnecessary security controls that complicate security operations.
Firms need to reconcile all investments to ensure they are relevant to the organization’s threat model and minimize risk, he adds.

“For example, do you need to renew a cloud-based distributed denial of service (DDoS) mitigation service if you aren’t in a vertical where website availability is critical to generating revenue? Is the DDoS attack likelihood and impact low enough that limited resources could be directed elsewhere?”

In Honan’s experience of reviewing security tools in organizations, often two or three products have been implemented simply because the organization did not know all the features they required were available in the original product they purchased. For example, many modern operating systems come with built-in security features, such as disk encryption, which if implemented could remove the requirement to have third-party solutions, he says.

“Investing in a product engineer to review your configurations and ensure you have the solutions implemented properly could save the CISO from buying another tool and the related costs associated with integrating and managing it,” Honan adds.

Vendor lock-in creates perpetual misspending

Another cost trap that some CISOs may stumble into is vendor lock-in. The investment in money, time, and resources to get a solution to work effectively can eventually turn out to be significantly higher than initially expected.
This can then lead to the CISO being reluctant to move to an alternative product or platform as they may feel that investment will be lost or that the cost of the migration would be prohibitive.

“This can be particularly true when a security function or process has been outsourced to a third party or to the cloud, leading to longer ongoing higher costs despite more cost-effective solutions being available,” Honan says.

Hidden costs can also creep in when a CISO picks up a cross-cutting, center-led “initiative” for which they hold the purse in terms of implementation and day zero costs on the promise that “if it works, we’ll integrate into business budgets,” says Watts.

“That then becomes an enduring business-as-usual activity, by which time reflowing the run costs across the business is a conversation nobody wants to have, so it sits on the CISO budget line causing them an annoyance, especially if it really doesn’t fit the profile of a central security cost.”

Misaligned business priorities trigger security overpayments

A misalignment of organizational priorities can challenge CISOs, potentially leading to overpayments. This misalignment typically occurs when the strategic objectives and perspectives of different stakeholders, including senior leadership and various departments, do not align with the CISO’s cybersecurity priorities.

“When such misalignment occurs, it can result in disputes over budget allocation,” says Baird. CISOs may have to justify their budget requests in competition with other departments’ demands, potentially leading to compromises that may not adequately address the organization’s security needs, leading to ad hoc spending in response to security incidents or breaches.

“Organizations may allocate resources reactively to address immediate threats, often incurring premium costs.
This reactive approach can strain the budget and may not provide a comprehensive and cost-effective long-term security strategy.”

Sometimes both companies and security leaders are short-sighted in this regard, taking the easiest path for a quarter, which may have neutral outcomes over a year, but catastrophic outcomes over a half-decade, says Manrod. “If we want to solve this problem, we all need to lean toward longer-term thinking.”

Of all the factors that have helped to make a lot of improvements to a security program, one of the most significant has been staying at the same company with the consistent and unwavering support of other leaders for a long time, allowing runway for sustained work on the difficult problems that often go unresolved, he adds. “Are any of us assured success? Not at all. That said, I would like to think we all strive to accomplish the most risk reduction possible, for every investment level.” CISOs need to align their security priorities with the organization’s strategic objectives and regularly evaluate the performance of security investments to ensure that resources are allocated efficiently and that security coverage plans are effective and cost-efficient.