Last updated at Thu, 11 Jan 2018 15:17:36 GMT

You’ve found a new security product — one that promises to enhance your job, make you more efficient, and save time and money for the organization. You think it will make a great addition to your current arsenal of security tools. Other security professionals recommend it, too. But one problem: you don’t control the budget. So how do you go about getting buy-in for a new security product?

In this post, we’ll offer a framework and the exact questions you should be prepared to answer to make this process much less painful (and hopefully more fruitful).

1. Understand Timing

Timing is everything when you’re trying to get approval to purchase a new product. To start, find out when the budget planning occurs (typically this happens during the last few months of the year) and when the budget renews. Knowing that, you can plan in advance when to begin pitching it so that you have the best chance of getting it approved in the next year’s budget.

But often budgets can be massaged and reallocated according to organizational priorities, such as a new threat or vulnerability the company is facing. Pay close attention to what’s happening across your organization so that when the need for a new security product becomes apparent, you can be ready.

For example, if your company was hit by a denial of service attack and you’ve been evaluating a tool that can help protect against these threats, it’s important to present your case as soon as possible so that your case is both relevant and helps to protect the organization from a similar attack in the future.

Last, following general attack trends can help you determine when to pitch different products. For example, tax season is just about upon us, so if you’re a financial company in need of additional layers of monitoring and protection against tax fraud, now’s the time to ask for buy-in.

2. Tally Your Resources

You and your team will be involved in implementing and managing the new tool, so be sure there are adequate resources and time to do so.

Often security tools wind up in the IT graveyard because teams underestimate the amount of work required to get them up and running. So, to maximize your security budget (and stay in the good graces of your higher ups) understand what resources are available to get the tool up and running before asking to purchase it.

These resources can include:

  • People:

    • Who will be involved in installation and maintenance?
    • Do other departments need to be involved?

  • Scope:

    • How long will it take to install and maintain?
    • How many systems does it involve?

  • Budget:

    • What’s the cost of the tool?
    • What’s the cost of renewal?
    • What’s the total cost of maintenance and support?

Additionally, we always encourage you to run a proof of concept (POC) with success criteria defined before buying any major security tool. A POC helps solidify that a new security product can fit into your current environment, and can also be strong proof for buy-in if successful. So take the time to understand what the options are for running one and who on your team will need to be involved to get the tool up and running for testing. Be sure to also communicate this and get permission of anyone you’re volunteering to be involved!

3. Rally a Team of Advocates

Having a team of advocates who also need the security product can greatly help your case. Depending on the tool, you’ll want to involve different stakeholders — from contributors who will use the tool, to directors who will be able to influence a particular metric with it.

For example, we recently spoke with the Director of Information Security for a major tech company who was trying to get buy-in for a security orchestration and automation, and the tactic that worked for him was getting other security departments and middle management influencers who also wanted the product involved so that even though the security product wasn’t in their budget, the case was strong, relevant, and a clear necessity.

With broader influence from across the organization, asking for buy-in can become a much more collaborative, campaign-driven process rather than an isolated, one-off request.

4. Know the ROI

At the end of the day, your executive team will want to know how the new tool will impact the bottom line. Especially if the tool you’re getting buy-in for isn’t in the budget, or is a much more expensive replacement to an existing tool, you’ll need to prove why this tool is worth it. The best way to do this is to explain how the tool can help reduce existing expenses and/or optimize the value of other security resources.

Here are the questions you should be prepared to answer:

  • How much time will this tool save the team?
  • Are there any tools we can get rid of in place of this new functionality?
  • Does this tool replace the need for any new hires?
  • What other efficiencies does it offer? (e.g. cutting down alert investigations from 20 minutes to five to accelerate the incident response process and reduce successful attacks)

P.S. We've got a white paper to help you calculate your the ROI!

5. Prepare Your Case

Once you know what tool you need, how it fits into your environment, and the resources you need to install and maintain it, it’s time to prepare your case. The more prepared you are, the easier it will be for the executive team to understand and approve the new security product so that you can get on with your day.

Remember: focus on this tool as a solution, not as a new shiny object.

To make it easy for you, here are the questions you should be prepared to answer:

  • Why are the current tools not sufficient enough to do this?
  • What measurable benefits will this new tool offer? (e.g. save manual time, detect threats faster, reduce cleanup costs, etc.)
  • In what other areas will this tool save time and/or money?
  • Will this tool optimize the value we get out of any other tools we’re currently using?
  • What is the total cost of the tool (include monthly fees, licensing fees, per seat fees, storage fees, and so on)?
  • Who will be responsible for integrating it and maintaining it?
  • Will any other personnel costs be involved?
  • Can we run a proof of concept (POC)? If so, how long will that take and how much personnel do we need?

While answering these questions may take a bit of time, it’ll be well worth it in the end when you make a strong, well thought-out case.

Getting Buy-In with Confidence

Armed with this post as a framework, you can quickly outline your case for new security tools. The more information you can bring to the table about a new tool, the better your executive team will understand its value in the broader context and the more they can see the need for it for you and the team.

Speaking of ROI, in our new white paper, we explain in detail how you can calculate security orchestration and automation's ROI — in both time savings and cost savings. We delve deep into the full spectrum of options:

  • The manual cost of security operations
  • The cost of building orchestration and automation
  • The benefits of an orchestration and automation platform
  • A before and after snapshot with time and cost comparisons

With this white paper, we'll prove the ROI for your security operations, and how it will dramatically improve your incident response. Download here.