No matter the size, industry, or location, nearly every company today has a cybersecurity strategy. But there are many methodologies your organization can use to protect its digital assets and determining the right approach for your business means balancing your desired cybersecurity posture against your resource availability of staff and money.
Given the evolving threat landscape, reputation damage and financial harm that can result from a security incident, midsize organizations often struggle to determine how to implement an effective cybersecurity strategy while still being cost efficient.
- What’s the right structure for a partnership with an MSSP or MDR provider?
- Which roles make sense to outsource and what should we keep in-house?
- Can’t I hire two people to manage security for the same price as a vendor?
We regularly work with clients who have these same questions. Through our years of experience building out a team of highly skilled cybersecurity experts, we’ve seen first-hand how demanding it can be—from both the cost and headcount standpoints—to develop and maintain an internal MDR. To help illustrate why expenses mount so quickly and how time-consuming the work conducted by a cybersecurity team really is, we’re launching a series of blog posts that dive into the details.
What does an effective cybersecurity team look like?
It’s important to understand the four distinct disciplines or roles that typically form the core of any skilled cybersecurity team.
Governance, risk management, and compliance
This function is sometimes part of the IT department but more often it’s a component within the risk management team. The role focuses on internal audit and third-party risk management functions and likely has a direct reporting line to the CISO when part of the IT team.
Threat detection and incident response are at the heart of the threat management team, encompassing 24/7 monitoring of the company’s assets with risk mitigation related to attacks and security breaches. This group leverages a complex set of tools, which are necessary for not only monitoring but also analysis, forensic investigations, attack mitigation, breach containment, and remediation.
SecOps utilizes tools that are core to the protection of the organization’s assets and the team’s responsibilities range across applications, endpoints, identity, edge, network, monitoring on compliance, management, and DevOps. The SecOps role focuses on the health, care, and feeding of the tools and platforms used to accomplish their tasks and ensuring activities are in alignment with best practices.
In order to remain compliant with evolving regulatory standards and maintain parity with the constantly changing threat landscape, an organization must continuously re-assess and update its tools and technologies. The group managing the company’s digital transformation efforts needs to have a strategy and long-term plans to ensure new implementations align with the organization’s use cases and requirements over time.
Looking at the math of cybersecurity
Of the four core areas described above, threat management and SecOps are the most resource intensive and expensive components of a cybersecurity program. Threat management is complex and difficult, and it doesn’t scale down well. Minimum viable coverage 24/7 across the various key areas—threat monitoring, threat research and hunting, pen testing, content development, attack simulation, and incident response among them—typically requires at least 15-20 people based on deep research conducted as part of a master’s dissertation focused exclusively on the topic. That level of coverage provides only a single resource in each of the senior roles and doesn’t allow for redundancy. An effective, properly staffed threat management function is nearly impossible to accomplish without a hefty budget available to launch and sustain operations. Attaining similar coverage within a SOC operation is equally prohibitive, requiring more than two dozen individuals with highly targeted skills and expertise.
There are relationships between spend levels and security postures that are relatively similar throughout the SME space. Looking across the available reports, mid-market companies report their IT budgets are typically about 7% of revenue. From there, SMEs say they spend an average of between 10% and 15% of their total IT budget on security. Depending on the organization and its industry, cybersecurity spend can reach 25% of the overall IT budget.
From there, the math reveals just how difficult it is for SMEs to staff and fund a high-performing cybersecurity team completely within their own organization. Using the minimum resource count of 15 people and an average blended rate of $100,000 per headcount, the threat management salary bill alone could tally $1.5 million per year. Assuming the business has 25% of the IT budget available to use for cybersecurity—and also assuming the technology stack would only cost about double the salary bill—then the annual revenue of the organization needs to top $250 million to make an all-internal cybersecurity architecture financially feasible. Utilization rates and other factors may still render it undesirable from a monetary standpoint, potentially even having a negative ROI if the minimum viable requirements fall short of meeting the company’s needs.
Creating the right cybersecurity architecture
So how can midsize firms develop a cybersecurity strategy that blends key internal headcount resources with the right level of external expertise? How can your business keep costs reasonable without sacrificing quality, either in the skills or technology available to protect the organization’s systems and data assets?
There are strong business justifications for maintaining some services in-house and equally important use cases that point to cost-effective outsourcing for other functions. A carefully constructed blend of internal headcount and external expertise provides the monitoring, detection, and response capabilities you need with a financial commitment that fits your budget. The assessments of where those functions are best positioned are covered in more detail in the next post in our cybersecurity series to help you find the right balance for your organization.
Learn more about CyberSecurity here.