Sometimes executives cut off communications with their IT/security staff because the staff seem to want to spend more money on IT solutions. While IT costs can be high, it is not always the case that building better security requires a significant outlay of cash. In fact, it is possible to deploy reasonably resilient security without an overly burdensome security budget. We simply need to look for methods, techniques and tools that are less expensive and that take advantage of existing knowledge and technology.
Use What You Already Have
It is all too common to think it is necessary to purchase new — and often expensive — equipment to improve security. This is usually not completely true. There may occasionally be some new security technology that is unique and only available at a significant price. But this is not as common as some IT security staffers might wish the C-suites to believe. Usually, software patches, firmware updates or hardware component swaps would provide sufficient improvement in security performance. A solid security infrastructure can be constructed with just a firewall, IDS and anti-malware, along with authentication, authorization and auditing. Always attempt to improve the function or benefit from existing technology rather than seek to purchase new.
Don’t Just Go for Cheapest
When new hardware or software needs to be purchased, don’t automatically choose the least expensive, the most expensive or the newest technology. Instead, consider how easily the existing IT security staff can adapt, implement and manage the new security product. If the new item is far outside the existing knowledge base or experience, then the organization will also need to spend on education and will have to wait out the learning curve. Consider new products that fall within the IT security staff’s existing expertise and experience. This will allow faster implementation and a shorter time to reaping the security benefits of a new product.
Implementing a new solution does not always require high expense. There are many free and open-source security solutions that should be considered as well. Often, open-source solutions can operate on less expensive or older hardware while providing capability and security equivalent to many commercial options. Open source is not always going to provide the best solution; it might not even provide your organization with a viable option. However, it is important to at least consider open-source solutions when a solution survey is performed. Skipping open source for an odd reason, such as because there is no dedicated technical support, because there is no one to sue, or because of the belief that anything good has to be paid for, is just silly and short-sighted.
When new capabilities are needed, when new work tasks are required, when higher capacity is mandated, don’t immediately assume that the only solution is to purchase new equipment. While this may be the case in some situations, it is not always true. In fact, repurposing older hardware is often the most cost-effective option when upgrading is needed. Many general purpose computers, such as servers and desktops, might not offer the performance needed by the latest commercial operating systems, but they might be more than sufficient for open-source solutions, especially those based on Linux.
Train Personnel vs. Hire New
Another big security expense is that of personnel. And while it may seem obvious to hire trained and experienced security experts, not every member of your IT security team needs to be a top-tier professional. Many organizations that already have high-level security experts on staff can fill out their need for manpower with less expensive personnel, such as interns or those just entering the industry. They might require a bit more initial on-the-job training, but this will be a minor expense compared to their salary and benefits for the first few years of their employment.
These are just some of the topics that C-suite members and IT security staff should discuss in relation to improving security. With these techniques and tips, many organizations can develop and deploy solid security. Some of these methods will reduce costs, while others simply make better use of funds or previous investments. The goal is to gain the best security result for the least cost, not to justify the reduction of the security budget. Security is too essential a business component to cut corners. We need more intelligent security implementations, not just less expensive ones.