Cybersecurity spending is skyrocketing and both products and services keep raising prices, but are you getting the most value from every dollar? Midsize organizations in particular face the challenge of ensuring robust security while balancing budgets, and the key lies in optimizing your existing controls, not simply adding new solutions.
In this article, we’ll explore how a detailed gap analysis of your cybersecurity toolkit can reveal gaps, inefficiencies, and redundancies, helping you maximize your 2025 return on investment (ROI) and ensure you’re not overpaying for unnecessary protections.
Cybersecurity Spending is Out of Control
Cybersecurity Spending Trends:
Cybersecurity spending is often a major portion of IT budgets, especially within midsize organizations, but many businesses are still vulnerable to breaches despite heavy investments.
In fact, in 2023, 79% of security leaders were surprised by a security incident evading a control they believed would stop it (source: Panaseer).
Yet, most security leaders are planning an increase in cybersecurity budgets across the board going into 2025.
A particularly notable budgetary increase is dedicated to cloud security and on-premises security tools. The question is, does simply adding more security tools actually make an organization more secure in practical terms?
Panaseer, for example, determined that a toolkit of 75 or even 100 solutions was not an uncommon scenario in midsize and larger organizations. Despite what we'd like to believe as security professionals, by now, organizations typically own the required tooling and have implemented the controls to prevent most breaches and incidents, but these resources are often incorrectly managed, leading to gaps in controls coverage and effectiveness.
The Problem of Overinvestment:
Purchasing more security tools isn’t always the answer and can result in overpaying for redundant or underperforming solutions, particularly in legacy, hybrid, or other types of complex environments. And we seem to know it too:
82% of security leaders agree that monitoring and addressing failure of existing controls (vs. buying more tools) would have the bigger impact on the organization's security posture.
Further affirming this trend, increasing operational efficiencies and productivity recently moved up to become the top enterprise priority for CISOs, taking the place of Reducing Risk, which took a temporary backseat. Optimizing or Reducing Costs and increasing revenue were in the Top 5 enterprise priorities for security leaders as well (source: Evanta).
With the abundance of tools, services, and controls of just about any type and price point, understanding what’s truly needed vs. what's being “sold” as necessary by vendors is becoming a real challenge.
Identifying Gaps, Overlaps, and Inefficiencies in Your Cybersecurity Program
So, how do you disentangle hype and FOMO from practical considerations and strategies toward achieving robust, ROI-efficient security?
At ORNA, we take a trademark VICO approach, focusing on Visibility, Insights, Control, and Outcomes instead of chasing trends or embracing fear, uncertainty, and doubt.
Here's how you can get started.
Understand and Map Gaps:
Define what your cybersecurity gaps are (i.e., missing controls or solutions) and how they expose your organization to risks. There are many ways to approach this - you can look at the gaps from the perspective of particular attack vectors or threat scenarios, attack surface coverage, risk and compliance items, and so on.
Common gaps we've seen in both North American and European organizations include inadequate or legacy monitoring (resulting in incomplete coverage of various types of assets, including data and ICS/OT Crown Jewels in particular), outdated threat detection tools (inability to detect or contain increasingly complex modern-day threats), lack of hands-on staff training (drastically decreasing the effectiveness of incident and breach response measures, in particular), access and permissions overprovisioning (enabling attacks relying on exploiting the lack of, or misconfigurations of, IAM, SSE/ZT controls) and more.
Risk and priority-score these gaps in terms of impact using a well-known internal or external framework.
Spot Overlaps:
The opposite problem to control gaps is overlap: overlapping cybersecurity tools and technologies often lead to wasted resources (e.g., multiple endpoint detection and response (EDR/XDR) solutions that don’t offer distinct value) and cause overspending, bloating your budget unnecessarily while adding more moving pieces to what is likely an already complex ecosystem. Unused licenses in these tools exacerbate the issue.
Auditing your toolkit and mapping the distinct value, features, and functionality of each tool will help you streamline tools and consolidate control while saving money and retaining your security capabilities. We've seen this tactic result in annual spending reductions of up to 38% in some of our recent projects, and 28% on average.
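The gap and overlap mapping described in the two sections above can be run over a simple tool inventory. The following is an added example, not ORNA's tooling: the tool names, control names, costs, seat counts, and risk scores are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data: tool names, costs, seats and risk scores are illustrative.
REQUIRED = {  # required control -> risk score (1-5) from your chosen framework
    "endpoint_detection": 5, "log_monitoring": 4, "ot_monitoring": 5,
    "iam_least_privilege": 4, "staff_ir_training": 3,
}
TOOLS = [
    {"name": "EDR-A", "controls": {"endpoint_detection"},
     "cost": 60000, "seats": 500, "used": 480},
    {"name": "XDR-B", "controls": {"endpoint_detection", "log_monitoring"},
     "cost": 90000, "seats": 500, "used": 310},
    {"name": "SIEM-C", "controls": {"log_monitoring"},
     "cost": 120000, "seats": 1, "used": 1},
    {"name": "IAM-D", "controls": {"iam_least_privilege"},
     "cost": 40000, "seats": 800, "used": 600},
]

def find_gaps(required, tools):
    """Required controls that no tool provides, highest risk score first."""
    covered = set().union(*(t["controls"] for t in tools))
    return sorted((c for c in required if c not in covered),
                  key=lambda c: (-required[c], c))

def find_overlaps(tools):
    """Controls provided by more than one tool: control -> sorted tool names."""
    by_control = {}
    for t in tools:
        for c in t["controls"]:
            by_control.setdefault(c, []).append(t["name"])
    return {c: sorted(n) for c, n in by_control.items() if len(n) > 1}

def no_distinct_value(tools):
    """Tools whose every control is also provided by some other tool."""
    return [t["name"] for t in tools
            if t["controls"] <= set().union(
                *(o["controls"] for o in tools if o is not t))]

def unused_license_spend(tools):
    """Annual cost attributable to purchased but unused seats, per tool."""
    return {t["name"]: t["cost"] * (t["seats"] - t["used"]) // t["seats"]
            for t in tools if t["used"] < t["seats"]}

if __name__ == "__main__":
    print("gaps (by risk):", find_gaps(REQUIRED, TOOLS))
    print("overlapping controls:", find_overlaps(TOOLS))
    print("consolidation candidates:", no_distinct_value(TOOLS))
    print("unused license spend:", unused_license_spend(TOOLS))
```

Each consolidation candidate is redundant only while the others remain in place, so re-run the mapping after removing one tool before deciding on the next.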
Assess Performance:
Unless you've done this already, start measuring meaningful performance metrics within your cybersecurity tools and your cybersecurity program overall. This is a topic for a separate article, as the metrics can vary wildly depending on your industry sector, geography, infrastructure, the types of solutions deployed, management mandates, compliance requirements, and much more. Examples include true and false positives within EDR/XDR toolkits; Mean Times to Detect/Respond/Contain (MTTD, MTTR, and MTTC respectively); compliance status by framework; controls effectiveness by process; various user access control metrics; risk-scored vulnerabilities within key assets, and the time it takes to address them; and many more.
Assess what effect consolidating, tweaking, or outright removing various controls would have on these metrics. Some of the findings might surprise you.
Tools that don’t perform as expected, as well as overlapping solutions, can drain resources without providing meaningful security posture improvements. Don't discount the impact that managing dozens of extra security tools has on the morale and motivation levels of your likely already overstretched team. Last year, 78% of security professionals reported burning out and overworking, and 77% reported tools and data frustration, as their primary reasons for resignation (source: Panaseer).
Finally, track and evaluate performance continuously, adapting to the changes within your organization, your vendors, and the threat landscape overall.
Closing Thoughts and Next Steps
Throwing more tools at the problem is tempting, particularly as both the industry and the threats become more difficult to navigate.
Stay tuned for the next post in this series - we'll talk about gap assessments in depth and cover specific steps of conducting a comprehensive security audit, prioritization based on risk and impact, consolidation and optimization of your tools coverage and security spending, and even approaches to automated continuous controls monitoring and improvement.
Yours truly,
The ORNA team