Ronald Hudson - Fotolia

What is the best way to trim a security portfolio?

Trimming down a security portfolio and budget is a struggle for many security professionals. Here's how to trim security portfolios without affecting security.

A discussion at RSA Conference 2015 showed that CISOs and security administrators agree that security portfolios need to be pared down, but there is still a lot of confusion over how to do this and what exactly needs to be trimmed from a security portfolio and budget. What advice do you have for going about this process, and which executives, managers and/or administrators should be part of it?

At a roundtable discussion at the 2015 RSA Conference (RSAC), nearly every CISO and security administrator raised their hand when asked if they could trim their security budget. When asked what could be cut from their security portfolios, the answers were less sanguine. This is seemingly in contrast to the State of Cybersecurity: Implications for 2015 survey conducted by ISACA and RSA at the same RSAC event. The survey showed 56% of 845 respondents stated their security budget would increase in 2015. In reality, most information security groups can take reduction measures without negatively impacting the existing services.

The roundtable discussion identified several ways to trim the information security budget, including:

  • Reduce shelfware by eliminating products that were never used;
  • Reduce vendor management by outsourcing;
  • Eliminate security tools that have redundant features;
  • Eliminate "forgotten" tools by building an inventory of technologies and features;
  • Customize single multifunction tools rather than multiple tools with single functions;
  • Ensure security tools have a business justification in addition to security justification.

If the trend stated in the State of Cybersecurity survey is that the information security budget will increase in upcoming years, it will be easy to get rid of tools without impacting the existing important services in the security portfolio. Although it wasn't stated, reducing vendor management by outsourcing could result in possible reduction in staff. This would mean substantial savings in the budget, but might not be the ideal choice for those affected.

Trimming the cybersecurity budget doesn't need to appear desultory. Plan accordingly and be ready to report your thoughts on what and why tools, functions and staff can be eliminated.

Here are some tips to help accomplish your budget goals and keep your security portfolio at the desired level:

  • Identify tools that can be eliminated, combined or replaced based on the suggestions from the RSAC roundtable discussion;
  • Perform a total cost of ownership (TCO) on products that will provide additional functionality and productivity in the information security program and staff;
  • Take inventory of staff skills that can be eliminated and factor in the skills required to support any additional tools acquired;
  • Develop, and present to executive management, a comprehensive and easy to understand report on a realistic security budget for the next fiscal year;
  • Ultimately this will let executive management know that, although trimming is appropriate, increasing the information security budget is just as cost-effective.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn some tricks to getting more in the security budget from your CEO.

Check out how to cope with a limited security budget.

Learn how open source security tools can help stretch a tight budget.

This was last published in December 2015

Dig Deeper on Security vendor mergers and acquisitions