Malaysia’s Cyber Spending Squeeze: The Hidden Costs Leaders Miss When ‘Upgrading Security’
Because Security Leaders Need to Feel Empowered to Make Financially Sound Decisions Without Compromising Security Performance

As 2026 progresses, insulating your organisation from risk will require smart, strategic investments. With digital services, cross-border connectivity, and third-party reliance all growing, the way attacks unfold has changed and they now have more time to fly in under the radar.
At the same time, security leaders are expected to justify security investments by demonstrating the tangible value they deliver. Even at the national level, Budget 2025 tabled by Prime Minister Datuk Seri Anwar Ibrahim underscored that decision-makers—be it private or public sectors—need to balance cyber defence spending with fiscal responsibility.
To avoid costs overrunning, security leaders need to avoid these three common mistakes:
Mistake #1: Prolonging Evaluation and Deployment Timelines
Adopting a new tool or upgrading security vendors requires a careful evaluation of the potentially soon-to-be deployed software. This is especially true of solutions like web application firewalls (WAFs) that handle sensitive data and impact customer experience.
Now with the rise of WAFs that run on Artificial Intelligence (AI) and machine learning, the process may need a tuning phase for these models to observe and understand traffic patterns. Delays at this stage can also expose applications to potential attacks or vulnerabilities due to inadequate security coverage.
Even after successfully navigating the proof-of-concept phase, procurement and deployment can present further obstacles. Complicated pricing structures and procurement processes can slow down or even stop adoption, while extensive deployments—even for tuning the WAF’s “monitoring mode”—can result in sunk personnel time and resources.
Recommendation: Streamline WAF evaluation and deployment.
To streamline evaluation, teams should confirm average deployment times, technical requirements, and legal/procurement estimates early on. They should also align with the vendor on any technological or organisational hurdles beforehand.
Surfacing these details early reduces wasted cycles, shortens deployment timelines, and protects applications without unnecessary costs or personnel strain.
Mistake #2: Underestimating Total Cost of Ownership
In addition to contract prices, the total cost of ownership (TCO) of a WAF includes fees, headcount expenses, site downtime, and overages.
It is therefore crucial that decision-makers understand the features of their soon-to-be WAF. Some require multiple headcounts to manage rules, address false positives, and monitor alerts. Others are less configurable, and making changes relies on professional services or support teams.
These unforeseen costs can quickly escalate just to achieve the level of protection you need. Inflexible deployment options also limit cost-saving opportunities, such as edge computing and serverless functions.
Subpar customer service further compounds the problem. Lengthy service level agreements (SLAs) and slow ticket responses can delay timely attack mitigation and vulnerability virtual patching, or even prevent a site from coming back online. Not only does this send TCO ballooning, it also undermines security.
Recommendation: Estimate TCO with cross-functional stakeholders.
Because a WAF involves many parts of the business, silos are a major hurdle to accurately estimating a WAF’s TCO beyond the contract price. Interviewing highly-impacted cross-functional teams, like site reliability, DevOps, customer support, and incident response, can reveal a WAF’s efficacy. Security leaders can also get a clearer picture by poring over first- and third-party content about the vendor.
During the evaluation phase, security leaders should seek out a WAF provider that has clear SLAs and overage policies to estimate potential costs. Some WAFs also require professional services to configure, tune, or maintain effectively.
Resources such as Gartner Peer Insights, or the Total Economic Impact™ (TEI) report provide real user experiences from a variety of different company sizes and verticals, offering insight into these costs and what it actually takes to get value from your investment.
Mistake #3: Impeding Agile Development and DevOps Processes
Any process that slows down the software development lifecycle (SDLC) can result in wasted development hours and potential loss of sales which put security budgets under additional scrutiny.
Meanwhile, the rise of DevOps has enabled faster and more efficient workflows. However, many WAFs lack the automation, accuracy, and flexibility needed to keep pace. Updating WAF rules becomes a delicate, time-consuming task as it risks breaking applications, leading to increased development time and higher labour costs. Additionally, frequent false positives can lead to over-tuned WAF rules, blocking real users, and lowering potential profits.
This not only slows down development cycles but also contributes to higher labour costs as teams spend time troubleshooting or rewriting rules. Removing this friction requires on-demand deployment of WAF protections that do not come with the potential of rules breaking the application. This will enable developers to maintain velocity, reduce costs, and deliver new features without introducing security bottlenecks.
Recommendation: Choose a WAF that embraces agile development.
The speed of business demands that developers adopt the philosophy of “Always Be Shipping,” and security must evolve to keep pace. If preventing security incidents is not enough to justify budgets, security leaders can show how a modern WAF enables faster and safer product development.
When evaluating a WAF, prioritise solutions that keep the company shipping. This includes integration with DevOps tools and practices, automated rule updates, and support for multiple deployment options and architectures.
Empowering Well-Founded Decision-Making
These mistakes facilitate the ballooning of security spending, and they are not always obvious, but when their impact is felt, security leaders are then put on the spot during budget planning.
Security leaders need to feel empowered to make financially sound decisions without compromising security performance.
With cyber resilience critical to thriving well into the future, having all the necessary information to select a modern, Next-Gen WAF ensures people across the organisation can innovate and operate with confidence.



