What does (cyber-) security cost?

It’s that time of year when a well-known company releases its annual “cost of a data breach” report, and so also the time when you see many security experts respond to it.

Avij (talk · contribs), Public domain, via Wikimedia Commons

Side note: I took a very nice walk in the park with a friend of mine yesterday; based on the chat we had, we may need to re-think (pun intended) the “well known” part of the statement above, but that’s a different story.

Anyway, reading the report and some of the responses got me thinking. We worry about the cost of a data breach, and the 4.35 million USD will be a nice wake-up call for readers working in the security group of a mid-sized company. Mid-sized, because I believe this is the kind of company where this amount of money actually hurts the most.

What does it cost to prevent a data breach?

There is a short and a long answer; for the long answer, please read what my buddy Richard has to say:

The short answer is: your whole security approach determines the cost of your prevention. That says nothing about how good or bad you are at preventing a breach, and it could mean that your actual annual spending is that prevention cost plus one or two data breaches.

But, as I am a fan of a holistic approach, security costs are more than your detection, response and remediation costs. They come back to basic infrastructure, things which are more fundamental than your SIEM, SOAR and DLP. We need to think about:

  • Firewalls and network infrastructure; maybe you want some firewalls with mirror ports to inspect and analyze traffic
  • Reverse proxies, for filtering URLs, blocking potentially harmful websites and, of course, providing logs
  • Vulnerability scanning, and maybe some threat analytics based on CVEs reported by feeds and the scan results
  • Code scanning for DevOps, checking whether your code has any vulnerabilities
  • Phishing training, security awareness and privacy training

This list could go on and on, but what should be obvious is that some of the costs are hidden in the traditional departments. Maybe IT or the NOC paid for the firewalls and proxies, maybe code scanning is done by DevOps, and all the training is paid for by HR.

Bottom line: these all contribute to your security posture, and you also want to make sure that they are actually done, because if you ignore code scanning it can still lead to a data breach you haven’t prepared for (… and you did spend money which did not help prevent it).

Does preventing a data breach cost more than a data breach?

The annual report by the Ponemon Institute, which is sponsored, analyzed and published by IBM Security®, highlights some of the cost factors which raise or lower the cost of a data breach.

Avij (talk · contribs), Public domain, via Wikimedia Commons

As you can see in the picture above, there are some key factors which impact the average cost; the question that remains is: what does achieving this impact cost?

Example: Let’s say you use AI to predict certain malicious actors or certain abnormal behavior. You have a larger company and you generate ±50 GB of security-relevant data every day (not that much, actually) from your SIEM, data lakes, firewalls, email services, authentication, data loss prevention, VPN endpoints, cloud metrics and so on.
We will use Google’s Vertex AI in this example, purely as a thought experiment.

  • 2 analysts dedicated to the project (Data Engineer, Washington based, via Glassdoor): 114,000 USD each [228K USD PER YEAR]
  • Vertex AI machine learning (via the Vertex pricing page): 50 GB * 3.40 USD per day [63,240 USD PER YEAR]
  • Google Storage (via the Google pricing page): 0.020 USD per GB [±317 USD PER YEAR]

Savings: 300,075 USD
Cost: 291,567 USD

Glad that the numbers turned out this way; quite honestly, I was afraid that the cost would be higher than the savings, which would not have helped to make the point 🙂

As this small example shows, yes, on average, building up a good security posture will reduce the costs, but it does not come for free. I am generally not a fan of offering a solution which costs you more than you might lose otherwise.

That’s it for today, please leave a 👏 and be excellent to each other.