Security is expensive, and many organizations are struggling to balance effective defensives with a tight budget. With these suggestions, you might be able to improve or maintain your security measures without breaking the IT budget.
1. Use what you Have - Many security professionals work by the philosophy that when a new security risk or threat is discovered, a new piece of equipment, software, or other countermeasure must be purchased. Usually, however, the proper solution is already in your toolbox and simply needs to be adjusted, more finely-tuned, or reconfigured. Try to avoid purchasing any new security tools until your options with existing technology have been fully explored.
2. Leverage Your Knowledge Base - If a situation arises that requires the purchase of a new product, stick to those that are already familiar to your team. If your staff is already comfortable with a certain brand, product line, operating system, etc., these should be considered before others that might be less expensive, discounted, or highly rated. This is because you will have to spend additional money to train staff before you can roll-out the new defense solution.
3. Consider the Use of Open Source Solutions - There has been a surge of activity in the open source community, and organizations large and small have benefited from the use of open source products. While an open source product may not always be the best or the right solution, it should at least be considered before making a costly purchase.
4. Re-Purpose Old Hardware - Most hardware made in the last five years can be re-used as a client or server system by using variations of open source platforms like Linux. Usually, hardware that struggles with minimum functions can easily perform high-end tasks when a low-horsepower Linux build is used.
5. Hire Interns Instead of Professionals - If you need to boost your staff head-count, consider hiring an intern or recent graduate in place of a highly qualified, experienced professional. If the position to be filled requires someone with more experience than an entry level staffer, promote from within, and fill the vacated spot with someone who is eager to learn but may need training and guidance. Not only do interns or recent graduates require a lower salary, they usually don't demand special bonuses or benefits. Plus, you can train them in the spirit of your company policy and culture without having to work against pre-established, misguided, or counter-productive habits or beliefs they may have picked-up at a prior job.
6. Review Your Policies - Every year you should review your security policy. Check to see if it calls for processes or solutions that are costly, and asses whether or not products selected last year have been surpassed by a competitor's solution that may work better and cost less. You might also find that if you add a component to one product, you can remove another.
7. Re-Assess Your Threats - Perform a yearly risk assessment to eliminate protections that are no longer required by threats that are not real or likely.
8. Cut out the Fluff - Any element in your security policy that is flashy or showy is probably of little substance, especially if it is easily fooled, bypassed, or ignored by threats. Eliminating the fluff stops you from wasting time, performing security tasks that have little benefit. If there is a real threat, keep the defense - if not, it's time to let it go.
9. Spend Money to Save Money - In the security world, spending money appropriately in the present can save money in the future. This philosophy works, because if there is a real threat and you failed to prevent it, it will likely cost more to repair the damage than it would have to set-up the proper defenses in the first place.
10. Use Public Resources - There is a wealth of knowledge and resources available online, and topics like computers, networking, and security are not excluded. Before you pay for consulting or troubleshooting, look at newsgroups, discussion forums, email lists, and blogs to make sure you can't find the same information for free.
Use these tips to help trim your IT security budget or prevent it from extreme growth in the future. It's all about making the right decision on the right products that provide the right security at the right cost.