Every security initiative comes with a different set of tools, costs, and benefits. Some tools are relatively easy to implement and bring a straightforward cost benefit analysis. IPS devices and endpoint management tools, which still take some planning, are relatively easy to incorporate. Other tools, however, while simple to install, take time to plan for, configure, and populate. SIEM systems need to be integrated with other security tools and populated with log and flow sources. They need to be tuned for efficiency and relevance. But even those tools have a straightforward integration plan.
What about systems that need up front investment in planning that would require substantial planning time and architecture design? One example would be identity management. Identity management requires a design informed by personnel practices, IT practices, and business processes. It requires not only population of identities in the system, but management responsibilities and access within that system. That takes time to design and time to implement, which means more upfront investment. In the face of budget restrictions, organizations often fold just thinking about upfront investment. Give them some Active Directory or LDAP and just let them muddle through.
But investments like identity management play huge dividends. They can reduce management time of IT and HR identities by 80%. They bring security in the form of insider threat monitoring and efficiencies in the way of onboarding and offboarding employees. If you can free up an entire full time employee and have an up to date, accurate identity profile, why quibble over a few thousand dollars and a few planning meetings?
Many organizations fear up front costs because they don’t examine the long term savings they will capture. These savings aren’t theoretical, they are concrete. What’s more, they aren’t taking time to analyze how their risk is reduced and security increased. The biggest security gap around is being penny wise and pound foolish.