No matter the size, industry, or location, nearly every company today has a cybersecurity strategy. But there are many methodologies your organization can use to protect its digital assets and determining the right approach for your business means balancing your desired cybersecurity posture against your resource availability of staff and money.
Given the evolving threat landscape, reputation damage and financial harm that can result from a security incident, midsize organizations often struggle to determine how to implement an effective cybersecurity strategy while still being cost efficient.
We regularly work with clients who have these same questions. Through our years of experience building out a team of highly skilled cybersecurity experts, we’ve seen first-hand how demanding it can be—from both the cost and headcount standpoints—to develop and maintain an internal MDR. To help illustrate why expenses mount so quickly and how time-consuming the work conducted by a cybersecurity team really is, we’re launching a series of blog posts that dive into the details.
What does an effective cybersecurity team look like?
It’s important to understand the four distinct disciplines or roles that typically form the core of any skilled cybersecurity team.
Governance, risk management, and compliance
This function is sometimes part of the IT department but more often it’s a component within the risk management team. The role focuses on internal audit and third-party risk management functions and likely has a direct reporting line to the CISO when part of the IT team.
Threat management
Threat detection and incident response are at the heart of the threat management team, encompassing 24/7 monitoring of the company’s assets with risk mitigation related to attacks and security breaches. This group leverages a complex set of tools, which are necessary for not only monitoring but also analysis, forensic investigations, attack mitigation, breach containment, and remediation.
Security operations
SecOps utilizes tools that are core to the protection of the organization’s assets and the team’s responsibilities range across applications, endpoints, identity, edge, network, monitoring on compliance, management, and DevOps. The SecOps role focuses on the health, care, and feeding of the tools and platforms used to accomplish their tasks and ensuring activities are in alignment with best practices.
Transformation
In order to remain compliant with evolving regulatory standards and maintain parity with the constantly changing threat landscape, an organization must continuously re-assess and update its tools and technologies. The group managing the company’s digital transformation efforts needs to have a strategy and long-term plans to ensure new implementations align with the organization’s use cases and requirements over time.
Looking at the math of cybersecurity
Of the four core areas described above, threat management and SecOps are the most resource intensive and expensive components of a cybersecurity program. Threat management is complex and difficult, and it doesn’t scale down well. Minimum viable coverage 24/7 across the various key areas—threat monitoring, threat research and hunting, pen testing, content development, attack simulation, and incident response among them—typically requires at least 15-20 people based on deep research conducted as part of a master’s dissertation focused exclusively on the topic. That level of coverage provides only a single resource in each of the senior roles and doesn’t allow for redundancy. An effective, properly staffed threat management function is nearly impossible to accomplish without a hefty budget available to launch and sustain operations. Attaining similar coverage within a SOC operation is equally prohibitive, requiring more than two dozen individuals with highly targeted skills and expertise.
There are relationships between spend levels and security postures that are relatively similar throughout the SME space. Looking across the available reports, mid-market companies report their IT budgets are typically about 7% of revenue. From there, SMEs say they spend an average of between 10% and 15% of their total IT budget on security. Depending on the organization and its industry, cybersecurity spend can reach 25% of the overall IT budget.
From there, the math reveals just how difficult it is for SMEs to staff and fund a high-performing cybersecurity team completely within their own organization. Using the minimum resource count of 15 people and an average blended rate of $100,000 per headcount, the threat management salary bill alone could tally $1.5 million per year. Assuming the business has 25% of the IT budget available to use for cybersecurity—and also assuming the technology stack would only cost about double the salary bill—then the annual revenue of the organization needs to top $250 million to make an all-internal cybersecurity architecture financially feasible. Utilization rates and other factors may still render it undesirable from a monetary standpoint, potentially even having a negative ROI if the minimum viable requirements fall short of meeting the company’s needs.
Creating the right cybersecurity architecture
So how can midsize firms develop a cybersecurity strategy that blends key internal headcount resources with the right level of external expertise? How can your business keep costs reasonable without sacrificing quality, either in the skills or technology available to protect the organization’s systems and data assets?
There are strong business justifications for maintaining some services in-house and equally important use cases that point to cost-effective outsourcing for other functions. A carefully constructed blend of internal headcount and external expertise provides the monitoring, detection, and response capabilities you need with a financial commitment that fits your budget. The assessments of where those functions are best positioned are covered in more detail in the next post in our cybersecurity series to help you find the right balance for your organization.
Zane West is an accomplished global cyber security executive with more than 25 years’ experience with several large, highly regarded professional and IT services and security product and solutions companies. With proven expertise in both Security Architecture and Security Services, West oversees Carousel’s cybersecurity sales and strategy functions as it continues to prioritize security as a core and foundational growth pillar. West also partners with Carousel’s services team to develop new differentiated security services offerings.
Read More Posts From Zane
Security
The threats facing companies today are more complex than they were even a few years ago. Ransomware, for example, used to be considered an annoyance. But hackers have upped their game. The latest generation of ransomware attacks have caused businesses and government entities not only significant financial harm, in some cases they’ve brought operations to […]
7.20.2022
Security
As we look to a post-pandemic world, one of the areas of investment we can expect to see is in building resilience to destructive type attacks. 2020 saw a record number of distributed denial-of-service (DDoS) and ransomware attacks, which is only expected to continue through the rest of this decade. Many organizations are now looking to the […]
6.21.2021
Security
In an earlier post we looked at typical headcount costs and other expenditures to build and maintain the full scope of cybersecurity capabilities in-house. Those figures often put a completely internal team out of reach, but the good news is that a strong cybersecurity strategy doesn’t need to be an all-or-nothing effort. Here we’ll explore […]
5.27.2021
Security
Businesses have leveraged Internet of Things (IoT) capabilities for years and the use of these devices – sensors, monitors, and other smart technologies with Internet connectivity – is exploding. Unlike cell phones and laptops, IoT devices aren’t usually linked to any one user. Instead, they’re the communication component in a heart monitor that lets hospital […]
12.22.2020