logo
Cybersecurity

Calculating the Cost of Securing Your Business

Tips

When considering the cost of securing your business, it's important to first understand the differences between internal solutions and MSSPs (Managed Security Service Providers).

|
Jul 10, 2023
Calculating the Cost of Securing Your Business

As the strategic importance of information security continues to grow for organizations of all sizes, and the complexity of information security increases across industries, business decisions are increasingly driven by the need to protect their intellectual assets and safeguard their IT infrastructure from evolving cybersecurity threats. Securing customer records, protecting sensitive financial information, and complying with regulatory requirements can create significant pressures on IT decision-makers and their resources. While many organizations have traditionally outsourced critical elements of their IT operations to managed service providers, more and more businesses are proactively outsourcing their security functions to specialized information security service providers. This has led to a need for evaluating the benefits of outsourcing security elements and comparing them to managing these processes internally. I wrote this article to help business leaders understand the best way to approach Managed Security Service Providers (MSSPs) in the context of Total Cost Ownership (TCO), a subject that is frequently discussed and of interest to both technical and non-technical leaders.

Internal Solutions or Outsourcing?

The key to evaluating MSSPs in the context of TCO lies in understanding the concept of Core vs Context, a crucial distinction that separates business activities into two clear and logical categories. Simply put, activities within your business that create differentiation from your customers' perspective fall into the "core" category, while everything else that your business does operationally to keep running falls into the "context" category. Businesses use such categorization to help them make outsourcing decisions, typically assigning core activities that directly contribute to a business's competitive advantage to be handled internally, while context activities that provide operational support are handed over to an outsourced provider such as an MSSP, thereby reducing costs. The main consideration in making this decision is financial, asking basic questions such as "Is it more expensive to manage this work internally than to outsource it to a reliable service provider?" With the increasing complexity of information security over time, requiring experienced cybersecurity managers, and driven by tighter budget constraints, many businesses are asking these questions to find the best financial solution for managing their IT and cybersecurity. Such TCO analysis often pushes businesses towards leveraging experienced and reliable managed security service providers to handle their cybersecurity. Evaluating the outsourcing of work using the "core vs context" approach is not a new concept, but it is the basis for evaluating it that is new. A decade ago, the decision to go internal or outsource was driven by the need to shift increasing technology and human resource costs from capital expenditure to operational expenditure. However, the focus now is on delivering high-level IT services, including cybersecurity, at a cost-effective rate. The shift towards outsourcing critical cybersecurity functions is part of the information security strategy in many organizations, driven by the need to deliver cost-effective cybersecurity services, provide access to specialized professionals who would be costly to hire, fulfill operational needs such as 24/7 cybersecurity monitoring, and provide predictable costs compared to unpredictable costs of internal solutions. When evaluating the financial benefits of using service providers to manage your cybersecurity functions, decision-makers must also understand that besides direct costs, there are indirect costs associated with managing security tasks. While calculating direct costs for managing your cybersecurity can be easily done, calculating indirect costs can sometimes be challenging. However, indirect costs must be a critical part of the evaluation process when comparing internal solutions for security to ensure an accurate comparison. Business leaders need to understand the overall costs of their cybersecurity operations, and this is where calculation errors in TCO analysis often occur. The only effective way to conduct accurate TCO analysis is for organizations to comprehensively calculate the actual costs. This extends beyond calculating "the cost of securing our business is X" and places it in the business context, understanding the cost per scanned email or the cost to secure each customer transaction.

Cybersecurity Costs

Calculating cybersecurity costs today is much more challenging than in the past because cybersecurity is embedded in business operations and integrated into your entire IT infrastructure, making it much more difficult to accurately calculate TCO. A balanced TCO analysis for cybersecurity operations should include the following:

Employee Costs - Recent research shows that up to 40% of businesses are dissatisfied with the investment they have made in cybersecurity technology because they do not employ a sufficient number of specialized employees to effectively enhance their business. For most mid-sized to large organizations, managing and monitoring cybersecurity alone requires a minimum of five full-time cybersecurity engineers and analysts, amounting to approximately $500,000 in direct salary costs (based on the average base salary of a security administrator). Then you have to account for additional costs such as training, office space, taxes, and benefits, which typically amount to 50% of additional costs beyond salaries. Furthermore, you need to consider that the average turnover rate for IT staff (including IT security staff) is 18 months, which forces you to factor in recruitment costs and the subsequent training of new hires. Many businesses then move their cybersecurity activities to MSSPs to avoid these long-term costs.

Infrastructure Costs - Your business will always require IT infrastructure in the form of security hardware, servers, and storage, but by leveraging an MSSP, you can eliminate these costs in the long term. Your business will no longer need to purchase, install, and manage security monitoring and infrastructure management, as your MSSP has likely made these investments on behalf of their clients and already utilizes the latest security technology. A good MSSP will also find ways to integrate these technologies with other software and hardware platforms, often incompatible with each other. They will also make significant investments in their own management environment and build a Cybersecurity Operation Center (CSOC) to support their work and eliminate the need for clients to make such investments.

Compliance Costs - One of the biggest advantages of partnering with an MSSP is the ability to reduce the time and effort required to meet compliance requirements since regulatory authorities consider the processes and control arrangements made by MSSPs during audits. MSSPs can be seen as a way to cost-effectively achieve the required compliance controls imposed by security regulations that govern your business. Typically, MSSPs are already aware of and prepared for these requirements, providing knowledge and guidance that surpasses what your own employees possess. By utilizing an MSSP and their services, a business can quickly and easily achieve regulatory compliance standards.

Incident Costs - When businesses think about cyberattacks, the best practice is to plan for the inevitable attack that will come one day, if it hasn't already. The question to ask is "when will the attack happen" rather than "will they attack." Businesses with future-oriented planning acknowledge that they will be impacted at some point and must prepare themselves to face the worst-case scenario. In addition to the primary objective of defending their perimeter from attacks, the main focus of their cybersecurity efforts is the ability to respond to attacks when they occur. The challenge lies in maintaining this posture, which requires significant and ongoing investment in skilled and certified individuals just to keep up with the ever-changing cybersecurity landscape. As MSSPs work with various clients, they have already hired individuals with these qualifications and extensive experience in incident response and remediation in cybersecurity.

Benefits of Using MSSPs

The main benefits of using MSSPs consist of cost factors and capabilities. MSSPs provide cybersecurity services at a lower cost than you can provide internally, while significantly enhancing your capabilities through experienced professionals.

Cost - When comparing the overall costs required to manage your cybersecurity internally versus the bill from an MSSP with predictable monthly costs, the results often show clear cost savings with MSSPs. In some cases, depending on your internal capabilities to manage cybersecurity, MSSPs offer significant cost savings compared to building your own internal capabilities. The key to unlocking this value from an MSSP relationship lies in their ability to provide the services you need at a much lower cost than if you were to provide the same services yourself. The benefits of using MSSPs can be substantial, not only in terms of actual cost savings but also by providing an opportunity for internal staff to focus on activities that are closer to the core competencies of the company. Since MSSP costs are subscription-based, they do not impact your capital budget, and many managers find it easier to obtain approval for operational costs (OPEX) than capital costs (CAPEX).

Capabilities - In addition to cost savings, the primary advantage of using MSSPs is to fill capability gaps within your organization. You don't have to build the capabilities you need; you can simply engage an MSSP that already possesses those capabilities. With their diverse experience and customer base, MSSPs are highly capable of handling routine cybersecurity missions to protect your networks and infrastructure from threats and maintain control over your firewall, handle intrusion detection and protection, and countless other tasks that collectively build your cybersecurity posture. If your business requires 24/7 monitoring and coverage, it is more sensible to hire an MSSP to provide those capabilities rather than hiring the personnel needed to provide the same level of capabilities internally. MSSPs allow you to leverage the collective experience and expertise of their specialized workforce, which typically possesses various cybersecurity skills and certifications, and they make significant investments in ongoing training for their staff. MSSP specialists have a much stronger position to manage your cybersecurity than internally hired staff.

Conclusion - With most businesses under budget pressures to produce greater results with fewer costs and many businesses seeking ways to maximize the value of their security investments, many organizations are moving towards the managed service model to provide various cybersecurity functions. If the relationship with an MSSP is managed correctly, IT organizations benefit from having access to the best capabilities available to them on a "pay-as-you-go" basis, which is often more favorable than requesting additional staff from the CFO or other senior executives and then having to bear the risk of downsizing during tough business cycles. Such financial flexibility is particularly attractive in any economic climate.

Share this post

You may also like

A Guide to CSOC
Cybersecurity

A Guide to CSOC

Hacks

CSOC stands for Cyber Security Operation Center, but it can be a bit confusing because CSOC teams can also be referred to as Computer Security Incident Response Teams (CSIRT), Computer Incident Response Centers (CIRC), Security Operations Centers (SOC), or Computer Emergency Response Teams (CERT). For the purpose of this article, we will stick to the term CSOC. CSOC works in defense to combat unauthorized activities occurring in strategic networks. Its activities include monitoring, detection, analysis, response, and restoration. CSOC is a team of network security analysts organized to detect, analyze, respond to, report, and prevent network security incidents 24/7, 365 days a year. There are various types of CSOCs categorized based on their organizational and operational models, so let's delve deeper and take a closer look at the different types of CSOCs. Virtual CSOC: As the name suggests, this type of operation often lacks dedicated facilities, and team members work periodically using a reactive approach to cyber threats. I believe that the reactive capabilities of virtual CSOCs cannot be sustained

|
Jul 10, 2023 7 minutes read
Four Strong Reasons to Use an MSSP
Cybersecurity

Four Strong Reasons to Use an MSSP

Test

The multitude of challenges to be faced is the main reason why most organizations today are turning to managed security service providers (MSSPs) to help them address these issues. The challenges of strengthening human resources, processes, and technologies as efforts to secure their intellectual property and data appropriately, while still complying with cybersecurity regulations, can be a daunting task even for well-managed IT departments. With these considerations in mind, here are four main reasons why I prefer MSSPs over in-house security. USING MSSP SAVES YOU MONEY Building, running, and maintaining a cybersecurity ecosystem comes with significant costs. One of the reasons is that many software solutions require specialized hardware and equipment to run, and they often come with recurring licensing costs. Additionally, the salaries of cybersecurity employees and the training they need to effectively utilize new tools and technologies add to the expenses. One of the CFO's favorite aspects of using MSSP is that it can replace the capital expenditures often needed to add new tools with a large

|
Jul 10, 2023 5 minutes read
Top Five Cybersecurity Threats to Small Business Owners
Cybersecurity

Top Five Cybersecurity Threats to Small Business Owners

According to a recent Verizon Data Breach Investigations Report, over the past two years, small and medium-sized businesses have become the primary target of cybercriminals, and they are now more affected by cyber breaches than large-scale businesses. Cyberattacks on SMEs have increased because cybercriminals have predicted that small and medium-sized enterprises have fewer resources to dedicate to their security. Most SMEs lack dedicated security professionals, and they are too small to afford them. This makes them vulnerable and easy targets for cybercriminals. In this context, neglecting security is no longer an option, and the assumption that your business is too small to attract the interest of cybercriminals is unrealistic. TOP FIVE CYBER THREATS AFFECTING SMALL AND MEDIUM-SIZED ENTERPRISES Incompatible Operating Systems and Software: Ensure that your computers and the software running on them are up to date. This is crucial and forms a solid foundation for good security practices. Hackers exploit vulnerabilities in outdated software and operating systems, often infiltrating organizations. Failing to apply software and operating system updates when they

|
Jul 20, 2023 5 minutes read

Receive weekly
updates on new posts

Subscribe