This should be the biggest area of focus. When procuring new solutions or services, ask: Will this purchase enhance my understanding of new threats, or is it just a better enforcement/policy mousetrap? When upgrading an existing security portfolio, seek solutions that are heavily tilted toward intelligence while providing the necessary policy/enforcement as simple add-ons or freebies. One example would be investment in endpoint AV software; instead of upgrading the existing AV software, see if it makes sense to use free AV solutions from reputable vendors and combine them with investment in next-generation network or endpoint malware detection and response tools.
Another area to watch is compliance. Compliance directives take years to catch up to the new realities. If required by the compliance directives, seek products that would also help in the "intelligence" bucket while satisfying the old compliance requirements. One example of this would be IDS/IPS products. Instead of investing further in these areas, look at network-based threat detection technologies that may provide this functionality as a simple add-on or base capability.
In general, if you are writing a large check for endpoint antivirus, firewall, IDS/IPS, etc., pause and ask if this investment improves your "intelligence" capabilities. If not, consider how this investment can be minimized in order to align the remaining funding with the security needs of today.
Security is a hot topic today. Only a few years ago, security was on the back burner of most IT departments, seen as a necessary evil with few executives ever exposed to it. With the recent spate of high-profile attacks and ensuing losses, IT security is now viewed as the difference between an organization's ability to carry out its mission and going out of business. This is why security is a topic frequently appearing on board meeting agendas and piquing the interest of C-suite executives.
While funding and awareness have increased, it is unclear if organizations are making investments in keeping up with the evolving security landscape. A lot of the newly available funding and resources have been allocated to the existing funding gaps and "perceived" deficiencies in an organization's security posture. This is why IT security is a $58B market today but organizations are not any safer than they were a few years ago. In this slideshow, Shel Sharma, marketing manager at security startup Cyphort, discusses the evolution in the security landscape and how to align new security budgets and resources with this new paradigm vs. investing in more of the same old security.