What is the best way to trim a security portfolio?

Trimming down a security portfolio and budget is a struggle for many security professionals. Here's how to trim security portfolios without affecting security.

A discussion at RSA Conference 2015 showed that CISOs and security administrators agree that security portfolios need to be pared down, but there is still a lot of confusion over how to do this and what exactly needs to be trimmed from a security portfolio and budget. What advice do you have for going about this process, and which executives, managers and/or administrators should be part of it?

At a roundtable discussion at the 2015 RSA Conference (RSAC), nearly every CISO and security administrator raised their hand when asked if they could trim their security budget. When asked what could be cut from their security portfolios, the answers were less sanguine. This is seemingly in contrast to the State of Cybersecurity: Implications for 2015 survey conducted by ISACA and RSA at the same RSAC event. In that survey, 56% of 845 respondents stated their security budget would increase in 2015. In reality, most information security groups can take reduction measures without negatively impacting existing services.

The roundtable discussion identified several ways to trim the information security budget, including:

  • Reduce shelfware by eliminating products that were never used;
  • Reduce vendor management by outsourcing;
  • Eliminate security tools that have redundant features;
  • Eliminate "forgotten" tools by building an inventory of technologies and features;
  • Customize single multifunction tools rather than multiple tools with single functions;
  • Ensure security tools have a business justification in addition to security justification.

If the trend stated in the State of Cybersecurity survey is that the information security budget will increase in upcoming years, it will be easy to get rid of tools without impacting the existing important services in the security portfolio. Although it wasn't stated, reducing vendor management by outsourcing could result in a reduction in staff. This would mean substantial savings in the budget, but might not be the ideal choice for those affected.

Trimming the cybersecurity budget doesn't need to appear desultory. Plan accordingly and be ready to report which tools, functions and staff can be eliminated, and why.

Here are some tips to help accomplish your budget goals and keep your security portfolio at the desired level:

  • Identify tools that can be eliminated, combined or replaced based on the suggestions from the RSAC roundtable discussion;
  • Perform a total cost of ownership (TCO) analysis on products that will provide additional functionality and productivity to the information security program and staff;
  • Take inventory of staff skills that can be eliminated and factor in the skills required to support any additional tools acquired;
  • Develop, and present to executive management, a comprehensive and easy to understand report on a realistic security budget for the next fiscal year;
  • Ultimately this will let executive management know that, although trimming is appropriate, increasing the information security budget is just as cost-effective.

This was last published in December 2015

What do you think should be trimmed from security portfolios?
Create a solid risk based security architecture based on SABSA principles. Manage compensating controls. Define the important data. Buy next gen firewalls. Use freeware where possible. Deploy unified security systems. Enhance training to reduce incidents.