
Calculating the Cost of Securing Your Business

When considering the cost of securing your business, it's important to first understand the differences between internal solutions and MSSPs (Managed Security Service Providers).

ITSEC Asia | Jul 10, 2023

As the strategic importance of information security grows for organizations of all sizes, and as its complexity increases across industries, business decisions are increasingly driven by the need to protect intellectual assets and safeguard IT infrastructure from evolving threats. Securing customer records, protecting sensitive financial information, and complying with regulatory requirements put significant pressure on IT decision-makers and their resources. Many organizations have long outsourced critical elements of their IT operations to managed service providers, and a growing number are now also outsourcing security functions to specialized information security service providers. That trend creates a need to weigh the benefits of outsourcing security elements against managing the same processes internally. I wrote this article to help business leaders approach Managed Security Service Providers (MSSPs) in the context of Total Cost of Ownership (TCO), a subject that is frequently discussed and of interest to both technical and non-technical leaders.

Internal Solutions or Outsourcing?

The key to evaluating MSSPs in the context of TCO is the concept of Core vs Context, which divides business activities into two clear categories. Activities that create differentiation from your customers' perspective are "core"; everything else the business does operationally to keep running is "context". Businesses use this categorization to guide outsourcing decisions: core activities that directly contribute to competitive advantage stay in-house, while context activities that provide operational support are handed to an outsourced provider such as an MSSP, typically at lower cost. The main consideration is financial, and it starts with a basic question: "Is it more expensive to manage this work internally than to outsource it to a reliable service provider?" As information security grows more complex and demands experienced managers, and as budgets tighten, many businesses are asking exactly that question about their IT and cybersecurity, and the resulting TCO analysis often points them towards an experienced, reliable managed security service provider.

Evaluating outsourcing through the "core vs context" lens is not new; what has changed is the basis for the evaluation. A decade ago, the decision to stay internal or outsource was driven by the need to shift rising technology and staffing costs from capital expenditure to operational expenditure. Today the focus is on delivering high-quality IT services, including cybersecurity, at a cost-effective rate.

Outsourcing critical cybersecurity functions is now part of the information security strategy of many organizations. The drivers are the need for cost-effective security services, access to specialists who would be expensive to hire, operational requirements such as 24/7 monitoring, and predictable costs in place of the unpredictable costs of an internal solution. When evaluating the financial case for a service provider, decision-makers must account not only for direct costs but also for the indirect costs of running security operations. Direct costs are easy to tally; indirect costs (recruitment, training, integration effort, management time) are harder, yet they must be part of any comparison with an internal solution or the comparison will be skewed. This is where TCO analyses most often go wrong: leaders do not know the full cost of their current security operation. The only reliable approach is to calculate the actual costs comprehensively, and then go beyond "securing our business costs X" by expressing the figure in business terms, such as the cost per scanned email or the cost of securing each customer transaction.

Cybersecurity Costs

Calculating cybersecurity costs today is much more challenging than in the past because cybersecurity is embedded in business operations and integrated into your entire IT infrastructure, making it much more difficult to accurately calculate TCO. A balanced TCO analysis for cybersecurity operations should include the following:

Employee Costs - Recent research shows that up to 40% of businesses are dissatisfied with their investment in cybersecurity technology because they do not employ enough specialized staff to get value from it. For most mid-sized to large organizations, managing and monitoring cybersecurity alone requires at least five full-time security engineers and analysts, roughly $500,000 in direct salary costs (based on the average base salary of a security administrator). On top of that come training, office space, taxes, and benefits, which typically add another 50% to salary costs. Average tenure for IT staff, including security staff, is around 18 months, so recruitment and onboarding costs for replacements must be factored in as well. Many businesses move their cybersecurity activities to an MSSP to avoid these ongoing costs.

Infrastructure Costs - Your business will always need some IT infrastructure, but with an MSSP you can avoid most of the security-specific hardware, servers, and storage, and the staff time needed to purchase, install, and run them. The MSSP has already made those investments on behalf of its clients and keeps the tooling current. A good MSSP will also integrate these technologies with other software and hardware platforms that are often incompatible with each other, and will have invested heavily in its own management environment and a Cybersecurity Operations Center (CSOC), so that clients do not have to build one.

Compliance Costs - One of the biggest advantages of partnering with an MSSP is reducing the time and effort needed to meet compliance requirements, since auditors and regulators take into account the processes and controls operated by the MSSP. MSSPs can therefore be a cost-effective way to implement the controls imposed by the security regulations that govern your business; they typically already know these requirements and can provide knowledge and guidance beyond what in-house staff possess. One caveat applies: accountability for compliance stays with your business, not with the provider, so the contract should state which controls the MSSP operates and what evidence (reports, attestations, audit access) it supplies. With that in place, an MSSP can shorten the path to regulatory compliance considerably.

Incident Costs - When businesses think about cyberattacks, best practice is to plan for the attack that will come one day, if it has not already; the question is "when", not "if". Forward-looking businesses accept that they will be hit at some point and prepare for the worst case. Alongside defending the perimeter, the focus of their security effort is the ability to respond when an attack succeeds. The challenge is sustaining that posture, which requires significant, ongoing investment in skilled and certified people just to keep pace with the threat landscape. Because MSSPs serve many clients, they already employ people with these qualifications and extensive incident response and remediation experience.
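The four cost buckets above can be put into one worked model. The following Python block is an added example, not code from the article or from ITSEC Asia: it takes the article's figures (5 FTE, about $500,000 in salary, 50% overhead, 18-month average tenure) and combines them with assumed placeholders (a 25% recruitment-and-onboarding cost per replacement, infrastructure capex depreciated over 5 years, a $25,000/month MSSP fee, a 3-year contract, one retained in-house owner, 10 million transactions per year) to produce annual TCO for both options and the per-transaction figure the article recommends. Every assumed number is marked in the code and should be replaced with your own.

```python
"""Worked TCO model: in-house security team vs. MSSP subscription.

Figures taken from the article: 5 FTE, ~$500k direct salary, ~50% overhead
on top of salary, ~18-month average tenure. Every value marked ASSUMPTION is
a placeholder for illustration and should be replaced with your own numbers.
"""
from dataclasses import dataclass


@dataclass
class InternalTeam:
    headcount: int = 5
    avg_salary: float = 100_000.0         # 5 x $100k = the article's ~$500k
    overhead_ratio: float = 0.50          # article: training, space, taxes, benefits ~50%
    avg_tenure_months: float = 18.0       # article: IT staff turn over every ~18 months
    replacement_cost_ratio: float = 0.25  # ASSUMPTION: recruiting + ramp-up = 25% of salary

    def salary_cost(self) -> float:
        return self.headcount * self.avg_salary

    def overhead_cost(self) -> float:
        return self.salary_cost() * self.overhead_ratio

    def turnover_cost(self) -> float:
        # With an 18-month tenure each seat is refilled 12/18 = 0.67 times a year;
        # this is the indirect cost the article warns is usually left out.
        refills_per_year = self.headcount * (12.0 / self.avg_tenure_months)
        return refills_per_year * self.avg_salary * self.replacement_cost_ratio

    def annual_cost(self) -> float:
        return self.salary_cost() + self.overhead_cost() + self.turnover_cost()


@dataclass
class OwnedInfrastructure:
    capex: float = 300_000.0        # ASSUMPTION: SIEM, sensors, servers, storage
    useful_life_years: float = 5.0  # ASSUMPTION: straight-line depreciation
    annual_opex: float = 60_000.0   # ASSUMPTION: licences, support, power, patching

    def annual_cost(self) -> float:
        return self.capex / self.useful_life_years + self.annual_opex


@dataclass
class MsspContract:
    monthly_fee: float = 25_000.0      # ASSUMPTION: subscription price
    onboarding_fee: float = 50_000.0   # ASSUMPTION: one-off, spread over the term
    term_years: float = 3.0            # ASSUMPTION
    retained_headcount: int = 1        # someone in-house still owns the relationship and the risk
    retained_salary: float = 100_000.0
    retained_overhead_ratio: float = 0.50

    def annual_cost(self) -> float:
        subscription = 12 * self.monthly_fee
        onboarding = self.onboarding_fee / self.term_years
        retained = (self.retained_headcount * self.retained_salary
                    * (1 + self.retained_overhead_ratio))
        return subscription + onboarding + retained


def internal_tco(team: InternalTeam, infra: OwnedInfrastructure,
                 compliance: float, incident_reserve: float) -> float:
    """Annual cost of the in-house option across the four buckets."""
    return team.annual_cost() + infra.annual_cost() + compliance + incident_reserve


def mssp_tco(contract: MsspContract, compliance: float, incident_reserve: float) -> float:
    """Annual cost of the MSSP option; residual compliance and incident work stays in-house."""
    return contract.annual_cost() + compliance + incident_reserve


def cost_per_unit(annual_cost: float, units_per_year: float) -> float:
    """Express TCO in business terms (per transaction, per scanned email, ...)."""
    if units_per_year <= 0:
        raise ValueError("units_per_year must be positive")
    return annual_cost / units_per_year


def compare(units_per_year: float = 10_000_000) -> dict:
    """Side-by-side annual TCO using the article's figures plus the assumed ones."""
    internal = internal_tco(InternalTeam(), OwnedInfrastructure(),
                            compliance=80_000.0,         # ASSUMPTION: audits, evidence, tooling
                            incident_reserve=120_000.0)  # ASSUMPTION: IR retainer + forensics budget
    mssp = mssp_tco(MsspContract(),
                    compliance=30_000.0,        # ASSUMPTION: residual audit effort
                    incident_reserve=40_000.0)  # ASSUMPTION: IR largely covered by the contract
    return {
        "internal_annual": internal,
        "mssp_annual": mssp,
        "annual_saving": internal - mssp,
        "internal_per_unit": cost_per_unit(internal, units_per_year),
        "mssp_per_unit": cost_per_unit(mssp, units_per_year),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value:,.4f}")
```

The point of the model is not the specific saving it prints but the structure: turnover, depreciation and the retained in-house owner are the items that disappear from a back-of-the-envelope comparison, and the per-unit line is what lets a non-technical leader relate the number to the business.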

Benefits of Using MSSPs

The main benefits of using MSSPs fall into two groups: cost and capability. MSSPs can provide cybersecurity services at a lower cost than most organizations can achieve internally, while significantly enhancing capability through experienced professionals.

Cost - When the full cost of managing cybersecurity internally is compared with an MSSP's predictable monthly bill, the comparison often shows clear savings with the MSSP, and in some cases, depending on your existing internal capabilities, very significant ones. The value of the relationship rests on the MSSP delivering the services you need at a lower cost than providing them yourself. Beyond the direct savings, outsourcing frees internal staff to focus on activities closer to the company's core competencies. Because MSSP fees are subscription-based, they do not touch the capital budget, and many managers find operational expenditure (OPEX) easier to get approved than capital expenditure (CAPEX).

Capabilities - Beyond cost, the other main advantage of an MSSP is filling capability gaps. Instead of building a capability, you engage a provider that already has it. With broad experience across a diverse customer base, MSSPs are well equipped for routine security operations: protecting networks and infrastructure from threats, managing firewalls, running intrusion detection and prevention, and the countless other tasks that together make up your security posture. If your business needs 24/7 monitoring, it is usually more sensible to buy that coverage from an MSSP than to hire the shifts of staff needed to provide it internally. An MSSP gives you the collective experience of a specialized workforce holding a range of security skills and certifications, maintained through continual investment in training. For most organizations, that puts MSSP specialists in a stronger position to run day-to-day security operations than a small in-house team, provided the business keeps someone in-house who owns the relationship and the residual risk.

Conclusion - With most businesses under pressure to deliver more for less, and many looking to maximize the value of their security investments, organizations are increasingly turning to the managed service model for a range of cybersecurity functions. If the MSSP relationship is managed well, IT organizations gain access to the best available capabilities on a "pay-as-you-go" basis, which is often easier than asking the CFO or other senior executives for additional headcount and then bearing the risk of downsizing in a downturn. That financial flexibility is attractive in any economic climate.
