Security is expensive, and many small-to-medium organizations struggle to deploy sufficient security defenses on a shoestring budget.
There are several techniques, methods, and tools that can help you reduce your security budget while maintaining or increasing your actual defenses. No security defense is perfect, and you often get what you pay for.
However, just because something is expensive does not mean it is great; likewise, just because something is cheap or free does not mean it is worthless. With my suggestions, you may be able to improve your security without breaking the IT budget.
Security is not an area of business operations that should be cut or trimmed just to save a few dollars. In fact, security is an essential element of an organization. Attempting to cut corners and take shortcuts in regards to security will often result in compromises that cost more to repair and restore than the protections sacrificed for the perceived “savings.”
Security should be as important to your organization as the facility where you work, the utilities needed to run the equipment, and the paychecks of your workers. Security should be seen as the last place for funding cuts, and then only when all other avenues have been exhausted and the company would go under without them anyway.
Why do I make such a bold claim?
Mainly because as organizations become more and more information-focused, and as we increasingly rely upon networking and the internet, the threats to our IT infrastructure increase.
Today, anyone with basic computer skills (such as using a browser, installing software, and entering commands into a command prompt) is able to perform very damaging attacks. Our IT networks face an ever-growing threat from both external malicious entities and our own internal personnel. Internal violations are often the result of ignorance or negligence, but increasingly they are also committed out of malice or spite.
If there are already malicious people within the organization, and the company chooses to cut back on security, it will make their attacks easier, may make detection more difficult, and will cause the repair and recovery to be more expensive.
With a standing policy to not cut security in times of need, we need to establish cost-effective security as a standard practice. This should be a long-term goal. If this is not already your IT department's objective, there is no better time to start than now.
Ultimately, what you should strive to accomplish is the most reliable, preventative, and detective security system possible with the least amount of capital expenditure.
In the following sections, I explore several ideas regarding saving money on company security.
1) Maximize the Tools You Already Have
There is this notion in the security field that when you discover a new risk or threat, you have to purchase a new countermeasure in order to safeguard against the new problem. This notion itself reveals a key philosophy of security that is not always right.
Improving security is not always the addition of new layers of protection; instead, it can often mean the adjustment of components already deployed or even the removal of elements that are no longer essential to a business function.
Most security can be summed up with only a few key components, namely:
- Firewall
- Intrusion detection system (IDS)
- Anti-malware
- Authentication
- Authorization
- Auditing
Once these are appropriately addressed, there is often little need for significant additional or specialized components in most organizations.
Yes, there are likely good reasons why a business needs a special product due to some unique risk, but that is more often the exception than the rule. Many in security have fallen prey to the notion that buying something new is the way to fix or smooth over a problem. All too commonly, we already have a sufficient security solution on hand if we just modify, tune, or configure it properly.
Before spending more of the security budget on new purchases, start by evaluating each new threat in light of how existing defenses could be adjusted to provide sufficient or adequate protections. Try not to purchase a new security tool until you have exhausted all your options with the existing technology already deployed in your infrastructure. Examples of this include crafting new firewall rules, configuring more restrictive authorization, or adjusting the focus of the auditing system.
2) Leverage Your Knowledge Base
If you finally determine that the only viable defense to a threat is a new product, don't be in a rush to purchase the least expensive or the most discounted.
There are many other important considerations for new countermeasures above and beyond the bottom line purchase price. One of these includes the knowledge base of your existing IT staff.
If your staff is already knowledgeable about a product, product line, or operating system, then it is often in your best interest to select a new product that falls within their existing areas of expertise. This allows the security staff to become fully versed in the new product more quickly, shortens the installation, tuning, and testing phases, and gets your new defenses rolled out quickly and with solid results.
On the other hand, if you select a product that is significantly different from your existing product space or from your staff's knowledge base, then there are many potential problems:
- The new product may not be compatible with your existing infrastructure. Incompatibility renders a product worthless no matter how expensive, highly rated, or finely polished it might be.
- New technologies require time to learn and master. Your staff will need specialized training that will take additional time and expense. Additionally, this will also lengthen the installation, testing, and deployment phases. Furthermore, once deployed, any issues that arise requiring troubleshooting may take longer than normal, because many issues will be new and unique, once again stretching or exceeding the expertise of your staff.
If keeping within a budget is important during lean times as well as during prosperous times, always consider new purchases in light of leveraging existing knowledge and skill.
When a new product or solution is needed that’s outside of your team’s expertise, consider the total cost of ownership (e.g. original purchase price, training, deployment, production delays, etc.). While onboarding the solution may be worth it, it’s important to know how it’ll affect your budget.
3) Consider the Use of Open Source Solutions
While there are excellent security products available from major software and hardware vendors, you should also be aware of the explosive expansion of security products available from the open source community.
It is no longer a requirement that all products must be commercial, closed source, proprietary, or expensive. In fact, many organizations small to large benefit from open source solutions.
Open source is not the only solution, nor is it always the right one either. But it is often IT/IS managers who overlook open source options or at least fail to properly consider them.
When looking for a new solution to a security problem, especially before purchasing a new commercial product, IT leaders should explore the open source options. From operating systems to productivity suites, network services, security testing, or malware scanning, the open source community has many amazing products that often rival their commercial competition.
One issue often discussed is that open source does not always provide a formal legal entity to deal with when things go wrong. This concern is often misplaced; the real issue is more likely that an organization's leadership finds it harder to trust a loose group of individuals than an official company. Let me dispel this and a few other items.
First, commercial products are not necessarily secure, and open source is not necessarily insecure. Software from both sources needs to be vetted and tested before being deployed. Additionally, all software should be continually tested for stability and security after deployment. It may be the case that some open source vendors offer little technical support, but often the general online community serves as a viable option for obtaining support and assistance. You may be able to find a discussion board hosted by the vendor, or you can seek out a support group on sites like Facebook or Reddit.
Second, open source software is "free" only in a limited sense. Open source software does not necessarily have a purchase price or licensing fee. However, even without the initial cost, open source will still cost something. For example, training the administration staff and users costs money, upkeep and upgrades cost time and money, and hardware and utilities have a price. Even without a significant initial purchase price, some open source solutions may have the same lifetime cost as their commercial equivalents.
Third, never trust software. It doesn't matter whether a product is from a well-known commercial venture or a loose group of internet programmers, software is not to be trusted. Unless you wrote every line of code yourself, you have no guarantee that the code is secure, stable, functional, sufficient, efficient, or reliable.
IT teams must test all software from any source and evaluate it thoroughly before deployment. This includes security testing, penetration/vulnerability testing, performance testing, capability testing, and even fuzz testing.
What is fuzz testing? Fuzz testing (fuzzing) is a form of testing in which input handling is stressed with as many data sets as possible to see how the system reacts to out-of-bounds, invalid, improper, and malicious forms of data.
After testing, the results should be evaluated, systems adjusted and corrected, and then tested again in a pilot partial rollout program. Then, at the successful conclusion of the pilot, a staged rollout to the rest of production should begin with lock-step evaluations along the way.
4) Re-Purpose Old Hardware
As your company expands, you will need new equipment. Or at least, you will perceive that you do.
In many cases, previous years' desktops or server computers can be re-purposed for a variety of uses. Assuming you've decided to give open source solutions a try, most hardware manufactured in the last five years can be redeployed as highly functional client or server systems.
Primarily, these solutions are variations on the Linux platform. You can find an amazing variety of open source Linux builds that can take “obsolete” hardware and transform it into a powerful system serving as clients, file servers, routers, SAN/NAS servers, web servers, firewalls, and more.
Often, the hardware that will barely support the minimum functions of the latest version of Windows is more than capable of performing a variety of high-end tasks when a low-horsepower Linux build is employed.
Instead of spending thousands on new hardware, plus hundreds on a new operating system, re-using a recently discarded machine to run Linux can often provide more capabilities, features, and flexibility than a commercial solution. Try it yourself; you will be amazed what you can do with a used notebook, desktop client, or even an out-of-date server machine. However, always perform a security review to ensure that hardware reuse does not introduce other security issues, such as end-of-service-life (EOSL) firmware or compatibility with old hardware versus new software.
Some Helpful Tools
For a NAS server, check out the FreeNAS product (www.freenas.org). For a firewall, try out OPNsense (opnsense.org) or pfSense (www.pfsense.org). For a router, try the BSD Router Project (bsdrp.net). To discover other free options, visit www.distrowatch.com.
5) Hire Interns Instead of Professionals
When it becomes time to increase staff, consider other options rather than exclusively hiring only fully-qualified, highly-experienced professionals. Instead, look into hiring interns or fresh-out-of-college workers who are looking to get started in an IT career.
Obviously, if you are filling a position that requires high levels of expertise or experience, you can't just hire anyone. However, you may be able to promote from within, then fill the lower vacant positions with new personnel eager to get started but who may need a bit of training and guidance.
Restricting your new hires to only highly qualified, pedigreed professionals will force you to pay higher salaries, even before you find out if they can do the job.
Additionally, such professionals can also mandate special bonuses or benefits, which further increases their overall cost to the organization.
Hiring inexperienced personnel will save on initial salary, bonuses, and benefits, but will likely cost a bit for proper training and the time it takes to get them up to speed. Over the entire employment time of such personnel, their overall expense to the company may be less than someone who was paid a high salary with benefits from the very beginning.
Plus, there is the added bonus of being able to train, tune, and guide the new staff member along the lines of company policy and culture. Early successes by a new, talented employee will often encourage them to continue to learn and advance their knowledge and skill, as well as increase their loyalty to the organization.
6) Review Your Policies
As mentioned earlier, most of the benefits of saving money on security come from a long-term, consistent security management process rather than a reaction to dire times.
Another area where this notion applies is the organization's security policy. It should be a yearly activity to review the security policy. You may find that the policies themselves are prescribing processes or solutions that are overly expensive. You should evaluate each element of prescribed security as to its cost versus benefit and compare it with its actual expenditure.
You might discover that products selected last year have been surpassed by a competitor's solution that may not only work better, but may cost less. Additionally, you may find that by adding on components or options to one product, you can remove another. With a bit of cost comparison and performance evaluation, a review of company policies may find places that can be altered, stretched, or eliminated.
7) Reassess Your Threats
In addition to a regular review of your security policy, you should also perform a risk assessment on a yearly basis.
You should recall that the basic steps of risk assessment are: inventory assets, inventory threats, then evaluate risks and the cost-benefit of responses. By performing this process, you may be able to determine whether a risk identified in the past is still present or whether a new threat has appeared that needs to be addressed.
Since a security policy is dependent upon a thorough risk assessment, it should also be apparent that as the threats and risks change, so should the security policy. An obvious place to save money on security is to eliminate protections that are no longer required since the threat is no longer real or likely.
8) Cut Out the Fluff
All too commonly in today's world, security is performed like theater rather than being implemented for actual defense. Security for show is more often used to justify an expense based on the idea that money is only worth spending if the result is flashy, shiny, and visible. However, security is often most effective when it is either not seen or, at least, attention is not drawn to it on purpose.
Re-evaluate each component of your security policy and deployed security infrastructure. Any element that is showy or flashy should be suspected of having little substance. If the security product is easily fooled, bypassed, or ignored, then it is a solid candidate for disposal.
Another aspect of cutting out the fluff is to stop performing security tasks that have little to no real benefit. For example, if you require every person to be inspected by a security guard upon entering and leaving the building, but there is little evidence that anyone ever had or has any strong reason to smuggle data or objects in or out, then why are you wasting everyone's time? If there is a real threat of theft or espionage, then keep up the defense, but don't add in unnecessary security just for show.
9) Spend Money to Save Money
When it comes to security, spending money properly now will save money later.
The logic is as follows: if there is a real threat and you fail to defend against it, when the risk is realized and loss occurs, the loss will often cost the organization more than the defense would have. Once you have identified real threats that are likely to occur, you will save money by implementing the proper security defenses.
Ignoring a threat or wishing that a threat did not exist does not prevent the loss from occurring, nor will it make the cost of recovery any less.
By not taking the appropriate action when risks are known and obvious, you are setting your organization up for future losses. The saying "an ounce of prevention is worth a pound of cure" applies to security as much as it does to illness.
10) Use Public Resources
Deploying and maintaining security are often expensive business tasks. However, there are ways of keeping those costs under control, especially in the areas of configuration and troubleshooting.
The internet has made an astounding amount of knowledge available at one’s fingertips. Just about any topic, especially related to computers, networking, and security, is freely available for anyone to access.
The next time your staff needs access to specific information that is perceived to only be accessed through a paid consultant or pay-as-you-go technical support, look into free public resources.
From newsgroups to discussion forums to email lists to blogs, there is a growing community of professionals willing to discuss any topic and provide reliable guidance for free. It is important to ensure that you select free resources from credible, reliable, and trusted sources. Also, there are a wealth of no-cost open workshops and expert-led webinars that can be attended as well.
11) Consider Outsourcing
Not every single aspect of your company's IT or security has to be performed by your own staff.
There may be some circumstances where outsourcing to a service company, cloud service provider, or consulting group is less expensive than doing it yourself. From staffing and training to equipment and licensing, outsourced solutions can provide high-quality services at a lower price than you could provide for yourself.
Firewall services, anti-malware services, penetration testing, web hosting, DMZ/Extranet support, help desk, and others may be services you can find cheaper externally.
12) Evaluate Your Insurance Options
Another aspect of security that many IT professionals overlook is insurance. There are several forms of insurance that are relevant to the corporate IT infrastructure. Proper understanding of the options available, your organization's needs for coverage, and pricing options will help you make sound insurance decisions.
One area to evaluate is that of disaster or damage insurance, which will replace equipment damaged by various events, such as fire, flood, earthquake, bombing, and other scenarios. You need to perform a risk assessment on each threat to determine if the risk is serious enough to warrant insurance, and make sure the insurance is going to be cost effective. Also, be sure to obtain replacement-value insurance, not depreciated-value insurance.
Another insurance to consider is that of hacker or malware insurance. Several insurance companies offer this type of specialized IT security insurance. However, be aware that insurance companies are not in the business to pay claims; they are in the business of collecting premiums.
One final area of insurance to consider is that of general or umbrella liability insurance. If a security breach could cause harm not just to your organization but also to distributors, resellers, suppliers, and clients, then this downstream liability leaves your organization responsible for paying for some of their losses as well. With general or umbrella liability insurance, most of those downstream claims will be paid by the insurance provider rather than out of your organization's own back pocket.
In any case, consult with a business liability attorney, professional business consultant, and several insurance agencies when making these types of insurance decisions.
13) Security is not just IT
One of the most overlooked aspects of security is that security is not just a computer issue. Security is a business issue.
Businesses need to see security as an essential part of their organization. This is important since any breach at any location throughout the organization can result in severe damage to the company as a whole as well as the IT infrastructure.
Security is a complete system with defenses, deterrents, and detection components for IT, as well as the facility and its personnel. Without a complete company-wide application of security, it will be ineffective.
By attempting to save money by only protecting the computers and the network, the result will not only be inadequate protections, it will also be wasted time and effort because the company is still at risk.
14) Security Cost is Not Just Purchase Price
The purchase price of a new security component is not the only factor that should be addressed when evaluating security costs. In fact, the purchase or licensing fee of a product is often small in comparison to the other costs of maintaining security over time.
You should take into consideration the expense of training administrators to install, configure, manage, maintain, and troubleshoot a product over its lifetime. And, as an administrator spends time on one product or system, they are not spending time on another. This is a form of opportunity cost that must be evaluated.
Next, workers will need to be trained on using the product, or at least on working within the confines the security product places on them. Otherwise, new security solutions could result in some form of reduced or lost productivity. Plus, whenever the security product interferes with their work due to a failure, misconfiguration, or another issue, the downtime must be estimated and the help desk and tech support costs should be considered. Properly training end users, IT staff, and InfoSec workers so they have strong knowledge and practical command of the available tools will create a more efficient and effective security solution that is often more cost effective in the long run.
Additionally, security products may require supporting hardware or software; require regular maintenance, updates, or upgrades; and consume electricity and storage space, computation cycles, and memory. As these resources are consumed or used by the security solutions, they are not available for use by the productivity systems and solutions.
These are just some of the costs of security that are often overlooked or at least not fully evaluated. Thus, proper long-term evaluation is needed to select the most effective security product with the lowest lifetime cost. This is likely one of the best ways to save money on security.
15) Improve Security While Reducing Costs with Training
Yet another way to stretch your IT and security budget is to spend it wisely on training. By improving the knowledge and skill base of your existing staff, you directly improve your organization's internal ability to handle its own security issues. You can see exactly how beneficial proper training is to your organization by reviewing the 2020 IT Skills and Salary Report produced by Global Knowledge. In fact, you can see the long-term effects of skill and knowledge training by reviewing the yearly reports since 2008.
As you train existing staff, they can move up the position hierarchy, vacating lower job positions to be filled by new, fresh employees eager to learn. When your own employees, from administrators to managers to help desk to individual workers, are more knowledgeable about their assigned work tasks, about computers and networking in general, and about IT security, your organization directly benefits. Those benefits include being able to re-use existing equipment more efficiently, being able to properly tune and manage the environment, reducing the need for external consulting or technical support, reducing the need for more staff, and more.
Security is expensive. But not having security is even more expensive. Preventing damage from malicious attackers, stopping the infestation of malware, and preventing theft and fraud are not cheap. But failing to erect adequate protections for your organization's level of known threats is not a cost-saving measure; it is simply a deferment of the cost until a later date. Often, that date arrives sooner than expected and the bill is much higher than imagined.
Saving money on security is about making sound decisions on the right products that provide the best security for their cost. One of the best cost-saving decisions you can make for your organization is to invest in training and to select the right training for your organization's specific needs. Global Knowledge provides a wide range of training classes on a plethora of topics and via a wide range of media. These include free documentation, public blog articles and papers, no-cost webinars, low-cost remote training, and high-value hands-on in-person instruction. Please review the current course catalog online or contact a GK representative to inquire about options and opportunities.
Related courses
- CISSP Certification Prep Course
- Security+ Certification Prep Course
- Certified Network Defender (CND) Certification Prep Course
- CEH Certification Prep Course
- CHFI Certification Prep Course
- CySA+ Certification Prep Course
- CASP+ Certification Prep Course
- CISM Certification Prep Course
About the Author
James Michael Stewart has been working with computers and technology for over 30 years. His work focuses on security, certification, and various operating systems. Michael has been teaching job skill and certification courses for over 25 years, such as CISSP, ethical hacking/penetration testing, computer forensics, and Security+. He has taught hundreds of classes, accumulating over 20,000 hours of instruction. He is the author of and contributor to more than 80 books on security and certifications. His most recent publications include the CISSP Study Guide 9th Edition and Security+ Review Guide 5th Edition (SY0-601). Michael has also contributed to many other security-focused materials, including exam preparation guides, practice exams, video instruction, and courseware. He has developed certification courseware and training materials as well as presented these materials in the classroom. Michael holds a variety of certifications, including: CEH, CHFI, ECSA, ECIH, CND, CEI, CASP+, CySA+, PenTest+, Security+, Network+, A+, CTT+, CISSP, CISM, and CFR. Michael graduated in 1992 from the University of Texas at Austin with a bachelor's degree in Philosophy. Despite his degree, his computer knowledge is self-acquired, based on seat-of-the-pants hands-on "street smarts" experience. Michael is an independent contractor (i.e., a cybersecurity mercenary) who is available to provide training for your personnel or for the crafting of custom content. You can reach Michael by e-mail at michael@impactonline.com or by visiting impactonline.com.