A New SANS Survey Can Help You Spend Smarter on Security

Security is top of mind for organizations worldwide—and for good reason: 2015 alone saw 781 individual data‐breach incidents, the second‐highest number since 2005.

To find out how organizations are spending on security, Gigamon commissioned a survey from the SANS Institute, a global provider of professional training and certification for government and commercial institutions.

What did they find? Organizations are spending a lot on security. But are they spending smart?

Check out IT Security Spending Trends (and watch the SANS 2016 IT Security Spending Strategies Survey on‐demand webinar) to gain critical insights into security‐spending trends, as well as helpful advice on how to spend smart and stay safe in 2016.

To start, here’s a sneak peek at some of the findings:

  • Overall IT budgets won’t change much, but more money will be allocated to security.
  • What are the two most significant business drivers behind security spending? Protecting sensitive information and regulatory compliance.
  • The largest new spending category in 2016 will be staff training and certification. Of particular interest is application security, compliance, and data security.
  • Only 23% choose to track security as its own cost center, which can make it more difficult to estimate the total amount of expenditures related to security.

Now let’s take a look at some real‐world advice straight from survey respondents.

Tools—no matter how revolutionary—are pointless if people lack the skills to use them

Survey findings showed that organizations put a strong emphasis on in‐house staff, with the largest spending category centering on finding skilled employees, particularly in compliance, application security, and data security.

SANS Survey_Figure 4 Skills Being Sought

Figure 1: Security tools require skilled employees to work them, so don’t cut costs when it comes to hiring. (Source: “IT Security Spending Trends.” p 9. SANS. February 2016.)

Frankly, tools alone won’t bolster your security posture, warn respondents. You need capable, well‐trained people to run them. So, before you spend a dime on tools, ramp up your recruiting efforts, hire the right people, and invest in skilled staff first. Once you do, you’ll be able to maximize the ROI of any tool you adopt.

Budget approval relies on more than just past successes

According to survey respondents, in order to gain approvals for security spending, you have to prove that that the expense will better enable your organization to meet its business objectives.

Spending [that] is controlled more from a compliance perspective than a risk and threats perspective [results] in ineffective security.


However, survey respondents said that while compliance is a key component of convincing the powers that be to open their minds—and wallets—to security spending, you can’t focus specifically on compliance. Instead, respondents advise you to profile the risks and threats that could adversely affect your organization across the board, and show how any spending will protect the business—and the bottom line.

Align security spending with the organization’s mission and goals

How pervasive is the idea that security spending must align with business objectives? Very: 78% of survey respondents align spending with their overall business objectives.

Understand your company’s mission and purpose and then tie your security purchases into supporting that securely.


You can’t prepare a budget proposal or request new security tools and staff if you don’t fully understand the goals and mission of your organization. According to respondents, to obtain approval, you must be able to connect all security spending to the organization’s strategic plan and show how security purchases reinforce the organization’s mission.

SANS Survey_Table 10

Figure 2: Regulatory compliance isn’t the only card you have in your deck when it comes to securing security budget approvals. (Source: “IT Security Spending Trends.” p 15. SANS. February 2016.)

Think long‐term and organization‐wide

What’s your best bet for gaining support for new security measures? According to the report’s findings, it’s all about educating the people with the power to approve budgets. It starts by showing them how security spending allows the organization to meet high‐level business goals.

It’s hard to leverage the differences in ‘what is important’ when you’re sitting in the IT meeting space versus the executive boardroom and operations offices. What’s visibly important to one team (InfoSec) usually isn’t on the radar of the Operations team …


However, you can’t stop with the benefits to IT. You need to explain how security spending can provide value and benefit across the entire organization.

Respondents recommend that you create a well‐thought‐out plan, with visuals and all, that answers the who, what, why, where, and how questions for your organization’s leaders. Leave no doubt that the security spending will support the organization’s business objectives in a consistent, continuous, and repeatable manner.

Want more?

Don’t forget to access the on‐demand SANS 2016 IT Security Spending Strategies Survey webinar to hear SANS analysts Barbara Filkins and G. Mark Hardy share their views on the survey results. You’ll also receive access to the published results paper developed by Filkins. And check out the full survey here.

Comments are currently closed.