Tips for Controlling the Costs of Security Tools
In the view of the typical business, paying the cost of security tools is a necessary evil. Even at organizations where business leaders recognize the importance of investing in security as a means of preventing costly breaches, security tools and operations tend to be viewed as a cost center.
But that doesn’t mean security tools have to bloat your budget. By being strategic about how you select tools, and taking steps to avoid cost inefficiencies in your security tool set, you can enable effective security operations without unreasonable costs.
That’s the topic I’d like to tackle in this article. Drawing on my experience in helping to manage security for a company that specializes in cloud cost optimization (where cost-effectiveness is always a priority), I offer suggestions below for reining in security tool spending without compromising on features and capabilities.
The Importance of Managing Security Tool Costs
The total amount that a business spends on security tools can vary widely depending on factors like which types of tools it deploys, the number of users or systems the tools support and the pricing plans of tool vendors. But on the whole, it’s fair to say that tool expenditures are a significant component of most business budgets.
Moody’s found, for example, that companies devote about 8% of their total budget to security. That figure includes personnel costs as well as tool costs, but it provides a sense of just how high security spending tends to be relative to overall business expenses.
These costs are likely only to grow. IDC believes that total security budgets will increase by more than a third over the next few years, due in part to rising tool costs. This means that finding ways to rein in spending on security tools is important not just for reducing overall costs today, but also for preventing cost overruns in the future.
Of course, reducing spending can’t amount simply to abandoning critical tools or turning off important features. With the average cost of a data breach now amounting to more than $4 million, investing in tools that can detect and mitigate risks is critical. But businesses should strive to do this without flushing money down the drain due to inefficient security tool spending.
To provide guidance on squaring that circle, here’s a look at the practices I’ve found to be successful in reducing security tool spending without sacrificing key features. (For more information, refer to these best practices for managing security tool costs.)
1. Collaborate With Security Tool Users
If you’re a security leader tasked with selecting tools, collaborating with the people who will actually be using the tools — such as software developers in need of application scanning and testing solutions — is critical for a couple of reasons.
One is that it’s important to purchase tools that maximize employee productivity and experience. You don’t want to foist solutions upon your developers that they don’t want to use, because doing so will reduce the value those tools bring.
Second and more important, communication is critical for ensuring that your teams haven’t already deployed their own security tools without official permission. If they have, not only do you have shadow IT lurking in your IT environment, but your business is also paying for tools that you didn’t even know you had purchased.
2. Collaborate With System Architects
Along similar lines, collaborating with system architects — meaning engineers responsible for planning IT architectures, systems and integrations — helps to control tool costs. Working with these stakeholders, you can find ways to maximize the coverage that tools provide, leading in many cases to more cost-effective solutions.
For instance, if you can design a cloud architecture that allows you to use the same security tool across multiple clouds, your overall costs are likely to be lower than they’d be if you had to purchase separate tools for each cloud, thanks to volume discounts offered by tool vendors. The administrative cost associated with deploying and managing the solution will be lower, too, since you only have one tool to work with.
3. Inventory Your Security Tools
Creating an inventory of the security tools that are in use within your company is important for identifying instances of shadow IT that may arise when teams deploy security tools without permission.
In addition, an inventory can help identify duplicate tool use. You may find, for example, that different departments have deployed different tools of the same type, and that consolidating them into a single solution will save money.
4. Consider Strategic Use of AI
As you know unless you’ve lived in a bunker for the past two years, generative AI has opened a host of opportunities in the realm of security and far beyond. Taking advantage of AI security tools — such as those that can automatically summarize security alerts or provide remediation guidance for fixing insecure code — can help reduce the time (and, by extension, the money) your business spends on security operations. That’s a bit different from reducing the cost of tools themselves, but it still saves money.
To be clear, I’m not suggesting that AI alone can solve every security woe or slash your costs in a huge way. AI makes mistakes, and its value is limited, especially in contexts like security where tolerance for mistakes is very small. Still, strategic use of AI-enabled security tools can reduce security costs significantly.
5. Do the Math on Building vs. Buying
You may sometimes believe that developing your own security tools is cheaper than purchasing a third-party solution — and it is, in some cases.
However, whether building is actually more cost-effective than buying depends not just on the expense of tool development versus the licensing cost of a third-party tool. It also hinges crucially on the cost of managing and supporting the tools you build yourself — and there are a lot of hidden costs that may make building much more expensive than it seems.
For instance, if you develop a solution in house and need to certify for compliance reasons that it aligns with a certain security framework, obtaining the certification could require hundreds of hours of engineers’ time. You may also have to pay for ongoing audits. This is a cost that is easy to overlook, but can be quite significant.
The bottom line here is that it’s important to complete a full assessment of your total costs when considering building a security tool instead of buying one. Building can be more cost-effective, but that’s certainly not always the case.
Conclusion: Maximizing Security While Minimizing Cost
Instead of assuming that the more you spend on security tools, the more secure your business is, take the time to step back and determine which tools you’re using and what they cost. You may find that you’re paying for tools or features you don’t need — or that you could obtain the same tools at a lower total cost through measures like tool consolidation and integration. The end result is the same security posture, but at a lower cost to the business.