Arsgera - Fotolia

Should security funds be dedicated to hiring or tools?

Security funds can be tough to come by, so when managers get them should they focus on strengthening security through hiring or through purchasing tools?

As chief information security officer (CISO), it's my job to present the highest priority needs of the security team to other c-levels and fight for the appropriate budget. Unfortunately, I often have to choose between advocating for funds for either more security hiring, or for better security products/tools. Which will be more effective in strengthening the organization's security?

It is a challenge to work harder with fewer security funds and as a CISO it is your job to balance difficult circumstances. Choosing between security funds for hiring or for tools is situational. The CISO needs to evaluate and gauge his resources. If the staff is talented, the CISO should build up their skill set needed to accomplish the proper protection of critical assets. The skills required to implement better security products require educated personnel. Perform security assessments to identify key vulnerabilities and report on risk factors that can harm the enterprise if not properly addressed. Use an established industry security framework to implement the information security program. If the organization is not up to security standards, demonstrate to executive management the need for additional resources.

One drawback in upgrading technologies that many organizations overlook is the time it takes to develop proficiency. Learning and understanding the product features takes time. Unfortunately, this means security staff will not perform normal job duties during the transition phase.

If you do not believe you have the right staff to accomplish your mission then help educate them further. Or if they are not well suited for the job, perhaps suggest they transfer to another position.

It is important to not manage your staff, but to manage the information security program. Lead by example and allow your passion for information security to flow into your staff. Over time, this will have a positive effect on key business units, IT and executive management. Don't complain about lack of resources; embrace it and demonstrate how to work successfully without it.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn why nontraditional employee recruitment may remedy security hiring woes and find out if your security spending is in line with the actual risks

Find out why hiring millennials is key to reducing security workforce shortage

Dig Deeper on Security operations and management