Security Tool Rationalization: A Powerful Way to Elevate Security Hygiene Amid Budget Constraints

By James Turgal


Cybersecurity Technology Online Article

The cybersecurity industry is facing a challenge it hasn’t seen in years: intense financial scrutiny. Until recently, the industry has seemed invincible, with cybersecurity companies regularly benefiting from seemingly free-flowing investor funding and organizations maintaining the luxury of allocating ample budget to building large security teams and iron-clad programs. Today, however, amid inflation, rising interest rates, and an uncertain economy, the industry is experiencing a collective return to reality, with investors pulling back and companies executing layoffs and budget cuts to turn a profit.

Industry finances are slowing, but it doesn’t mean that the same holds true for cybercriminals. In fact, it’s quite the opposite. Threat actors listen to media reports and they track what companies are going through tech layoffs, and that type of data can drive their targeting decisions. They are executing more sophisticated attacks at a faster pace than ever before. And, as we enter the 2024 budgeting season, this leaves many security teams staring down a seemingly impossible order: bolster the company’s security posture to defend against today’s complex threats while working with stagnant or reduced budgets.

Do More With Less Through Security Tool Rationalization

While it may seem like the only way to improve security and resilience in a growing threat landscape is to have a budget increase alongside it, the reality is that companies can achieve consistent—and sometimes even greater—results by focusing on security tool efficiency rather than spend.

Many organizations continue to take a reactionary approach to cybersecurity, where they throw money at the newest technology claiming to protect against the latest threat vector. This approach only results in complex information technology security infrastructures composed of myriad point solutions all working in isolation. In fact, the average mid-enterprise organization has between 70 and 90 technologies in their environment and leaving them unmanaged not only diminishes their value but also can introduce risk rather than mitigate it.

To achieve true cyber resilience, organizations need a holistic and integrated security ecosystem. This means organizations that have previously allowed the threat landscape to dictate cybersecurity spend have a tremendous opportunity to shift their strategies to focus on improving, integrating, and optimizing their current security infrastructure. And there’s no better way to do this than by maximizing the effectiveness of their existing tool stacks. Often referred to as security tool rationalization, it’s an impactful way to buy down systemic risk and build resilience and it can be done within the confines of a strained budget.

The foundation of rationalization is assessing existing infrastructure and improving visibility into the current security tool stack to do the following:

  • Ensure solutions still meet the business and security needs of the organization
  • Identify and remove technology waste in cases where tools are no longer meeting business and security needs
  • Identify gaps in coverage and tool redundancies
  • Unlock additional tool capabilities and software licenses that aren’t being utilized in existing solutions
  • Find opportunities for interoperability and integration

With this newfound visibility and understanding, organizations can simplify the security stack while improving coverage, raising security hygiene, and making security teams more efficient. From a financial perspective, rationalization can result in lower costs and an improved return on investment over time. There’s arguably no better way than rationalization to do more with less and make a big impact despite budget and resource constraints.

Continuous Optimization Through Rationalization

Because security threats and business needs change all the time, even organizations that have a strong, integrated security ecosystem need to optimize frequently, and security tool rationalization is an impactful way to do this. Here are a few best practices that boards can discuss with management to achieve continuous optimization through rationalization:

  • Conduct rationalization assessments on a periodic basis, as they should not be a one-and-done deal
  • Reevaluate tools and applications 6-to-12 months before license expiration to assess whether business use cases have changed, if it still makes sense to stay with the incumbent vendor, if price increases are expected, etc.
  • Meet with security tool vendors at least twice a year to stay up to date on the latest capabilities and product releases, so you can maximize tool efficiency, reduce vendor sprawl, and avoid unnecessary purchases (e.g., buying a new tool to obtain a capability available in an existing solution)

Security and business needs change fast, and rationalization will ensure security tools and strategies adapt right alongside them.

Making Rationalization a Standard Practice

In an economic climate where every penny counts, rationalization can help security teams get maximum value from their existing technology investments. This is especially critical today, as cybercriminals will no doubt exploit the turbulent economy and prey on companies that get lax on security as a result. Knowing what security tools you have, whether they’re deployed correctly, integrated, and being fully used can help you maintain a strong cybersecurity posture in the face of financial constraints.

Most importantly, for rationalization to have the greatest impact on your organization, it needs to become a daily activity—not viewed as a one-time project to hit a budget goal. When the rationalization methodology becomes a regular practice, security programs will become more agile to meet the business needs of the company. This will go a long way in shifting leaders’ perception of security as a cost driver to security as a business enabler—a mind-set change that can help tip the scales in cybersecurity’s favor when budget cuts are in question.

Optiv is an NACD partner, providing directors with critical and timely information, and perspectives. Optiv is a financial supporter of the NACD.

James Turgal
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.