Cost
We all know that cybersecurity has a cost. I define it as the Cost of Doing Something and the Cost of Inaction. Both are costs that need to be considered when working with Tactical Security. One cost is upfront and the other comes at a later date.
When calculating the cost of solving a security issue
To determine the cyber security cost to a business for hardening its IT system against breaches, a security provider must perform an assessment of the business’ present needs. Here are the main factors for assessing the cost of the total solution the business requires:
If the provider performs an ongoing service: the cost and frequency of the service charge, the possible cost differential between contractual and pay-as-you-go service charges, and any fees for initiation of service and/or contract renewal
If the provider performs an ongoing service that provisions deployment of IT staff to the client’s site: the window of guaranteed response time the client selects, if optional
Should the provider perform a one-time service: the base price and any related fees
The listed assessments examine inherent elements of an IT system that hackers probe for vulnerabilities, which allow them to breach the system: core hardware / software elements and their procedural operation, perimeter hardware, network security tools, data storage processes, and user accounts. The expense of resolving vulnerabilities and optional service implementation to prevent recurrences comprise the majority of the cost for cyber security.
How much of your IT budget should you spend on Cyber Security?
American businesses are on track to spend about $66 billion per year on cyber security this year. Gartner forecasts that the overall cyber security market will grow at a 7.8% compound annual growth rate through 2019. This would put security spending at less than 5% of worldwide IT spending.
Security spending as a percent of IT spend varies by industry. Fourteen percent of businesses spend between 3-4% of their IT budget on security. Another 21% spend 5-6% and 14% spend over 10% of their IT budget on security.
What does this mean for the average company? Given that businesses typically spend 3.62% of revenue on IT, according to Deloitte, a $1 billion company will have an IT budget of $36.2 million and security spending of around $1.8 million. (It’s slightly confusing because IT as a percent of revenue is the same number as the cost of a data breach.) At this ratio, a big company with, say, the revenue of $50 billion, would spend about $90 million annually on security.
The decision theory model offers a way to look at the issue. You can spend to a level where you mitigate the risk of the predicted value of the loss. However, do you really want to be the one who lets the attack get through the firewall?
A sensible security budget will be high enough to make the security team confident it can defend itself against the worst threats and most damaging breaches. There’s no magic formula, unfortunately, but one thing is certain—smart spending is best. Spending in the right places is almost always worth it. For example, spending on recruiting and retaining the best SecOps people is an enduring investment in security.
The Cost of Inaction
When it comes to cybersecurity, the potential bill for not maintaining up-to-date cyber defenses is significant. The average cost for a small or mid-sized organization to remediate a ransomware attack is $1.82 million. The remediation costs are just part of the story: 66% of organizations were hit by ransomware last year, and 84% of those in the private sector said it caused them to lose business. While cyber insurance may cover some of the bills incurred due to the attack, it cannot mitigate all commercial costs.
A way to handle this is to minimize the costs (in the sense of Cost of Doing something) and hence let someone else do the investment. This can be done by implementing CSaaS, CyberSecurity as a Service.
Minimize the risk of a debilitating cyberattack: The cost of CSaaS services is considerably lower than the average cost of recovering from a ransomware attack.
Lower costs while elevating protection: Security operations is a highly complex activity. Individuals in this space need to possess a specific and niche set of skills, making that talent expensive, hard to recruit, and hard to retain. Through leveraging economies of scale, outsourced services are considerably more affordable. They also give you more bang for your buck, bringing a level of expertise and speed of response to the table that is nearly impossible to replicate in-house.
Accelerate delivery of strategic business initiatives: The urgent nature of cybersecurity operations often prevents IT and cybersecurity teams from focusing on more strategic challenges. Organizations that leverage CSaaS report that they have considerable capacity and efficiency improvements, enabling in-house teams to better support delivery of business-focused efforts.
Leverage existing investments: Security operations specialists use alerts from endpoint, network, email, cloud, and identity solutions that organizations already have in place to identify and neutralize suspicious activities. With CSaaS, existing tools can be leveraged in elevating the organization’s defenses — increasing effectiveness on prior investments.
Prioritizing cybersecurity is not just an operational necessity; it’s an economic imperative — and, for many, CSaaS is the only plausible solution amidst today’s macro-economic climate.
A good article on the topic is ROI is dead - long live COI (trainingzone.co.uk)