Unmasking the True Cost of In-House Cybersecurity

Garrett Poorbaugh
Published
June 4, 2023
Last Updated
June 5, 2023 10:09 AM

The Answer That's Never Given

Security tools are a necessary expenditure for any business. We are all aware of the role they play, but a better question is, "What are the actual costs associated with procuring and managing them in our own environment?" Having worked in the cybersecurity realm for quite some time now, the question we get asked the most is "How much will it all cost?" If you've ever posed this question, you know the typical reply: "Well, it's intricate." This article aims to transform that answer into an insightful, data-backed understanding of the current costs of cybersecurity in 2023. We're taking a broad approach to quantify the general costs for most companies. The goal here is to provide a data-driven, digestible answer that you can confidently present to a planning committee without second-guessing your budgeting decisions or knowledge on the subject. Our analysis is not without some margin of error, but we have done our best to base these numbers and estimates on real-world data and observations. However, as your parents probably said, "take this with a grain of salt." We will demystify the costs by:

1. Evaluating the tools you should prioritize based on our previous "Building Your Security Toolset" article; compiling a list of security tools starting with the most value they provide in safeguarding your business.

2. Breaking down the licensure cost of these security functions; cybersecurity licensure isn’t free, but strategic choices can greatly lower their cost.

3. Breaking down the operational cost of maintaining your security posture; purchasing the licensure is just the beginning, with constant monitoring and response measures being necessary to optimize utility.

4. Marrying all the data together using industry analysis; combining raw cost with the average cost of an analyst to manage your items, we will provide a final value for how much all of this might cost.

There is more financial planning in cybersecurity than most realize.

Part 1: Prioritizing Your Security Arsenal

We are going to start by taking cues from the "Building Your Security Toolset" article and translating them into a more digestible sequence based on the value to the business. If there were no ransomware, no malicious actors intent on crippling critical infrastructure, we wouldn't need protection. The system works so that the higher on the list a control is, the more important it is to have and the more value it will provide in protecting the business. All steps are crucial to a company’s long-term security success, but starting the process of incorporating cybersecurity should be checkpoint-driven, not destination-driven. Here's our recommended order of adoption:

1. Incident Response: Regardless of whether all of the security or none of the security exists, incident response tools and capability are your final line of defense. When cyberattacks occur, the speed and effectiveness of your response can make the difference between a minor annoyance and a major catastrophe. Therefore, ensuring you have robust incident response capability gets the highest prioritization, as it mitigates the damage a cyberattack can cause and kickstarts your recovery efforts.

2. Identity and Access Management (IAM): With your incident response in order, the next priority is to prevent unauthorized access to your systems. IAM ensures that only verified individuals have access to your resources, minimizing the chances of internal threats and breaches, because no matter how many security controls are in place, the principle of least privilege should always be followed first and foremost.

3. Email Security: With users' access secured and privilege managed, it's time to tackle the largest threat delivery vector: email. Configuring your email security to mitigate and prevent phishing scams and malicious attachments, and to ensure secure delivery, is paramount to stopping threats before you need tools to deal with their presence.

4. Data Security: Your data is one of your most valuable assets. With users and email secured, controlling who can access data through collaboration controls is one of the last "easy" wins available before getting into the weeds with security tools that require major deployment or extensive attention.

5. Device Management: It was a tough decision to put device management below email and data security; however, device management marks the point where management and deployment start to get more involved. Device management involves enrolling devices in a mobile device management system to maintain their updates, security baseline, and tracking. Keeping tabs on devices is an essential, albeit involved, step that solidifies the robustness of a security deployment and strengthens response and monitoring capability.

6. Centralized Logging: A holistic view of logs gives you the ability to monitor your entire digital environment from a single place. By pulling events and alerting into one place, centralized logging helps you monitor the system as a whole and nip potential threats in the bud, while also creating more robust auditing capability for reviews.

7. Data Loss Prevention (DLP): Placing DLP as the final step is due to the typically high false-positive rate and the high eyes-on-glass requirement that an implementation of DLP demands. Preventing specific data from leaving the environment while allowing everything else is the final stage in how security should function in most organizations, but it should only be implemented when all other areas are in place and the security team is mature enough to truly commit to what is required to do it right.


Our security solutions need to come together to form a cohesive solution.

Part 2: Technical Licensure Cost

Understanding how much security tooling licensure costs is easy. Security tool provider costs can vary from tool to tool; however, we recommend using Microsoft offerings for security tools. By using Microsoft, we can bundle the security tool cost with what most businesses already use for productivity in Business Premium licensure, which is delivered at a subsidized cost to small businesses for up to 300 licenses. When purchasing these, we also recommend the yearly commitment price of $22 per user per month, which can shave $2,640 per year off 50 users as compared to the monthly subscription price of $26.40.

Microsoft is the best way to bundle security tools as it stands in 2023.

Part 3: Operational Cost

Understanding how much money it may take to operate the security tools takes more effort; we now have multiple variables to account for. In our calculations, we will assume an environment of 50 typical users. They know their way around a computer, but still have needs such as email releases or device help. Based on real-world usage and observed analyst time, we came up with the following estimates of the attention each function requires when using Microsoft tooling:

Incident Response via Defender for Endpoint: Managing and monitoring incident response using a solution such as Defender for Endpoint focuses on quickly identifying critical threats and responding quickly and methodically. Management typically entails the creation of playbooks, alerting, and detection rules to identify threats. Response is where the largest portion of attention is given, and actions range from documentation of the incident and communication with stakeholders to containment of the threat and eradication of the threat from the environment. Given these responsibilities, it is hard to place a definitive and predictable time commitment on the tool, but we know that the team should be available 24/7/365, management should be continuous, and response could be erratic. We will naively assume our environment has very few incidents, and that we can get away with an average of 3 hours working on incidents every week.

Identity and Access Management (IAM) via Azure AD: Managing and monitoring an identity and access management solution such as Azure AD focuses on how identities interact and their responsibilities. Management typically entails moving users in and out of groups as needed, the adjustment of conditional access, and the completion of user-initiated password or MFA resets. Monitoring for suspicious logins and role usage should be done periodically to catch potential threats. Given these responsibilities, a security analyst might spend around 3 hours per week working in this tool.

Email Security via Defender for Office 365: Managing and monitoring an email security solution such as Defender for Office 365 focuses on how email is analyzed and delivered. Management typically entails making tweaks to email security policy and excluding senders or domains from rules. Monitoring for held email and for suspicious email that was delivered should be done periodically to catch potential threats. Given these responsibilities, a security analyst might spend around 3 hours per week working in this tool.

Data Security via SharePoint and OneDrive: Managing and monitoring a data security solution such as SharePoint and OneDrive focuses on how data is kept private. Management typically entails making allowances for sharing within Azure AD and the SharePoint portal. Monitoring for overly permissive sharing invitations should be done periodically to catch potential threats. Given these responsibilities, a security analyst might spend around 1 hour per week working in this tool.

Device Management via Intune: Managing and monitoring a mobile device management solution such as Intune focuses on how devices are secured and monitored. Management typically entails the development of configuration profiles, modification of compliance policy, and exclusions to any security policy. Monitoring for missing antivirus and for profile deployment failures should be done periodically to catch potential threats. Given these responsibilities, a security analyst might spend around 8 hours per week working in this tool.

Centralized Logging via Sentinel: Managing and monitoring a centralized logging solution such as Sentinel focuses on drawing connections between data and investigating suspicious activity. Management typically entails creating new data connections and refining playbooks and alerts to catch suspicious activity. Monitoring for suspicious logs and alerts should be done constantly to catch potential threats. In a mature environment, a dedicated analyst would spend 40 hours a week in the tool; however, it's safe to assume our scope can be narrowed and that 10 hours a week is adequate for monitoring the logs.

Data Loss Prevention (DLP) via Purview: Managing and monitoring a data loss prevention solution such as Purview focuses on preventing sensitive data from leaving while allowing normal operations to continue. Management typically entails creating new policy and tuning existing policy to be more accurate, along with excluding users or situations from rules. Monitoring for suspicious uploads and alerts should be done constantly to catch potential threats. Typically, DLP calls for a dedicated analyst, similar to Sentinel; however, we will again narrow our scope and assume 6 hours a week to catch most DLP events and be relatively speedy in responding to alerts to keep the business moving.

Adding up the above, we arrive at a requirement of 34 hours per week that a security analyst should be devoting to properly manage and monitor the tools described. Given real-world variability and the fact that people are not robots, it is safe to conclude that for our 50-user company, a full-time cybersecurity analyst should be employed. Looking at our market analysis, we find that the average entry-level cybersecurity analyst makes between $60k and $80k a year; we take the average of this at $70k. We would be putting a lot on this analyst's shoulders, since they would still need time to set up all of the tools and form their own workflows for responding to requests, but it is possible. In an ideal world we would have a configuration done for them to manage, but since we are trying to keep costs down, we can take the hit of delayed time to value and assume they can help us set it all up.

Analysts are the unsung heroes of the security that happens within a company.

Part 4: The Big Reveal

We have gathered our data, understand the why behind the numbers, and are now armed with quantitative evidence on how much it is going to cost to run cybersecurity for a company of 50 users. Here are the results:

Conclusion

The data we've dissected may strike a sobering chord, possibly evoking images of you in a virtual fetal position, especially if your board of directors has had to ponder over footing the luncheon bill for a potential client. Even if you manage to pay up now, there is still more money to be lost in the time it takes to get everything up and running. And this assumes your entry-level analyst is a genius at Azure security, which is not likely.

For most businesses, the number we just arrived at is the cost haunting every balance sheet and is essentially target practice for the board of directors to shoot down. If there is to be any progress towards security in a business, we must pursue another way, one that is easier to justify and can be waded into slowly. The follow-up to this article will explain how this can be achieved, and will serve as a way to introduce cybersecurity at a pace that is more digestible in terms of its cost and more agile in accordance with our ranking system. For now, though, it truly looks as though in-house cybersecurity for smaller businesses is not economically feasible, and we need a smarter way to get to "yes" for spending money on cybersecurity.

Security Connections to Remember

  • We should tackle cybersecurity step by step, rather than attempting to secure everything all at once.
  • Technical licensure cost can be minimized by bundling services together and paying for the whole year up front.
  • Tools require maintenance and monitoring, and we need to understand what is involved to see the whole financial picture.
  • For most businesses, performing cybersecurity in-house is not economically feasible, and realistic adoption will require a more cost-efficient approach.

Stop Collecting, Start Connecting.

Copyright © 2022 Security Connections. All rights reserved.