
Should security funds be dedicated to hiring or tools?

Security funds can be tough to come by, so when managers get them should they focus on strengthening security through hiring or through purchasing tools?

As chief information security officer (CISO), it's my job to present the highest-priority needs of the security team to other C-levels and fight for the appropriate budget. Unfortunately, I often have to choose between advocating for funds for either more security hiring or better security products/tools. Which will be more effective in strengthening the organization's security?

It is a challenge to work harder with fewer security funds, and as a CISO it is your job to balance difficult circumstances. Choosing between security funds for hiring or for tools is situational. The CISO needs to evaluate the resources already at hand. If the staff is talented, the CISO should build up the skill set needed to properly protect critical assets; implementing better security products requires educated personnel in any case. Perform security assessments to identify key vulnerabilities and report on the risk factors that can harm the enterprise if they are not properly addressed. Use an established industry security framework to implement the information security program. If the organization is not up to security standards, demonstrate to executive management the need for additional resources.

One drawback of upgrading technologies that many organizations overlook is the time it takes to develop proficiency. Learning and understanding the product's features takes time. Unfortunately, this means security staff will be pulled away from their normal job duties during the transition phase.

If you do not believe you have the right staff to accomplish your mission, then help educate them further. Or, if they are not well suited for the job, perhaps suggest they transfer to another position.

It is important not to manage your staff, but to manage the information security program. Lead by example and allow your passion for information security to flow into your staff. Over time, this will have a positive effect on key business units, IT and executive management. Don't complain about the lack of resources; embrace it and demonstrate how to work successfully without them.


This was last published in October 2015


Do you dedicate security funds more to hiring or tools? Why?
This is a simple one, that people insist on making difficult. To be blunt: Hire Talent. In Security, the best and main tool is the one between your ears. The fanciest toy is worthless in the hands of a fool. I've seen people with a Kali laptop accomplish wonders, because they could THINK. They outwit. They are proactive, not floundering around waiting for a tool to give them an answer. When I have been in the project chair, I always bet on people first.
As with most things in life, there is not a simple answer to this question.

The ever-evolving threat landscape demands that we deploy proven tool sets, but this has to be coupled with alert, competent personnel.

Raising the discussion up a notch, there needs to be more pressure on the vendors of our industry to raise their game. We are still looking for the killer security app, the killer security appliance, the next great thing to keep us safe, but we are consistently disappointed.

In reality, if the bad guys want in, it will be extremely difficult to keep them out. This is not in and of itself a technical issue but more so a moral/social issue.
A balance between the two is ideal, but hiring is more important. Tools can really only help so much. You need someone who knows what they're doing to interpret the results, and tools are absolutely pointless if they identify issues but there are no resources to spend time fixing those issues.