By Ahmeed Ahmeed
Mon | Oct 21, 2024 | 11:51 AM PDT

Acquiring a security solution can be a complex process. Most organizations undergo a justification process to secure funding for the purchase. Some focus on the solution's problem-solving capabilities, suitability, and efficacy. In contrast, more mature organizations quantify risk, comparing the original risk against the cost of the solution and the residual risk after deployment to decide whether to proceed with the purchase. However, these approaches do not encompass everything a security leader should consider before making a decision. Often, the monetary cost of the solution and the resources required to administer it are just the tip of the iceberg, concealing much larger underlying costs.

At a recent SecureWorld event, I was part of a panel that discussed the true cost of cybersecurity along with two other security leaders in the automotive space (Mo Wehbi of Penske Automotive Group and Janette Barretto of Yazaki North America). This is not a commonly discussed topic. In fact, there is little literature on it, even though it has significant implications for organizations as well as for the careers of security leaders. It all started with an earlier discussion about the massive CrowdStrike and Microsoft outage the world experienced in July 2024. That outage revealed that security solutions can become the problem and end up causing exactly what they are supposed to stop. Luckily, my organization tasked me with bringing this up to IT leadership, and I was well equipped to address the topic. But it struck me at the time: how can organizations balance complexity, risk, performance, and efficiency within budget boundaries when each of those factors influences the others in a complex mesh of relationships? I ended up with the visual image of an iceberg, with apparent costs at the tip and hidden costs beneath the water line.

Apparent costs

At the tip of the iceberg lies the monetary representation of the total cost of the solution: licenses, hardware, software, infrastructure capacity and bandwidth, backup and restoration, ancillary and monitoring systems, management systems, professional and managed services, and human resources. Together they form the total cost of investment for the solution. Measuring some of these costs can be complicated, as many of them are discrete and appear as a monetary cost for some solutions but not for others. Bandwidth consumption or rack space in a data center, for example, only shows up as an additional monetary cost once a capacity limit is reached. If you are adding a server to a rack, it is basically free. But if you have reached the limit and now need to install a new rack for that server, you are looking at additional costs. Some companies accrue such costs, but that only answers a budget question and does not address the cash flow impact of the purchase.

Hidden costs

Hidden costs can be divided into three main categories: Complexity, Performance, and Friction.

Performance

Gone are the days when antivirus software was the sole security agent vying for resources. Today, the average enterprise endpoint hosts between two and five security agents, including antivirus, endpoint detection and response (EDR), encryption software, log collectors, and endpoint management software. These agents consume processor cycles, inflate memory usage, and occupy network bandwidth, thereby reducing available operating capacity.

According to Gartner, typical security controls can slow down endpoint performance by 5% to 20%. This impact is significant and should be considered a cost of deploying security tools. For instance, a manufacturing execution system (MES) requires every available cycle to run a production plant efficiently, and a database server needs every megabyte of memory to handle application input and output effectively.

While predicting equipment slowdown from resource utilization is straightforward, measuring its implications for operational performance is challenging, which makes this the easiest hidden cost to predict yet one of the hardest to account for.

Friction

Friction is typically defined as any unintended and undesired hindrance to a smooth user experience. It can manifest as any disturbance in the service receiver's experience. A clear example of friction is the additional step introduced by multifactor authentication (MFA) in a standard authentication process. While this step is essential for security, it does not enhance the user experience. Instead, it prolongs the authentication process, reduces user performance, and increases the time required to complete tasks on a system.

In a broader sense, friction can include extra steps in various processes, such as the uncertainty caused by additional verification steps for a supplier's banking information change request. Although all friction is undesirable, some of it is acceptable. Friction becomes problematic when it leads to an unpleasant experience, frustration, or distraction from daily work for the service receiver.

Friction can be measured by emulating a process with the extra steps the controls add, then scaling the number of issues reported during a proof of concept or pilot up to the size of the global deployment. The hardest part to predict is how the human psyche reacts to an undesired change.

Complexity

In addition to friction and performance issues, cybersecurity imposes some of the most challenging administrative requirements on IT teams. This is because cybersecurity solutions often introduce significant complexity. Complexity in IT follows the law of entropy, ever increasing along with the arrow of time. Systems tend to become more complicated, even with efforts to manage their complexity.

More moving parts mean more potential points of failure. While most security solutions aim to protect the confidentiality, integrity, and availability of systems and data (known as the CIA triad), increased complexity raises the likelihood of availability loss. Complexity also adds to administrative overhead. More processes, procedures, and knowledge base documents are required, leading to additional staffing needs both within and outside the security team. Compatibility and integration limitations are another consequence of complexity. Implementing security solutions can restrict design options due to compatibility issues and increased integration requirements and maintenance.

Ironically, adding more security tooling can expand the attack surface. While security solutions protect the environment, they can also introduce new vulnerabilities. Even more ironically, some security solutions create compliance challenges. For example, a behavior analytics tool might pose a GDPR risk, or a decryption capability on a firewall could expose the data of users browsing medical insurance sites.

The best approach to measuring the cost of complexity from deploying new security controls or solutions is to adopt a risk management approach. Modeling the possibilities in an event-tree diagram provides a clearer picture of the risks introduced by implementing a control.
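As an added illustration (not part of the original article), the following script walks a small event tree for the kind of availability failure discussed above, an agent update that goes wrong, and places the resulting control-induced risk beside the apparent cost and residual risk in the purchase comparison described at the start. Every probability, frequency and dollar figure is a constructed placeholder, not measured data.

```python
# Added example, not from the original article: an event tree that puts a
# number on the availability risk a new endpoint agent introduces, so it can
# sit beside the apparent cost and the residual risk in the purchase decision.
# Every probability, frequency and dollar figure below is a constructed
# placeholder, not measured data.

def expected_loss(node, path_prob=1.0):
    """Walk an event tree recursively.

    A leaf is a monetary loss (number). An internal node is a dict mapping a
    branch label to (probability, child). Branch probabilities must sum to 1.
    Returns the probability-weighted loss for one occurrence of the
    initiating event.
    """
    if not isinstance(node, dict):
        return path_prob * node
    total_p = sum(p for p, _ in node.values())
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p}, not 1")
    return sum(expected_loss(child, path_prob * p) for p, child in node.values())

# Initiating event: the vendor pushes a content update to the agent fleet.
# Constructed tree; branch labels describe the possible consequences.
UPDATE_TREE = {
    "update ok":     (0.98, 0.0),
    "update faulty": (0.02, {
        "caught by staged rollout": (0.7, 5_000.0),    # pilot ring disrupted
        "reaches production":       (0.3, {
            "automated rollback":   (0.5, 50_000.0),   # short plant stoppage
            "manual recovery":      (0.5, 500_000.0),  # plant-wide outage
        }),
    }),
}
UPDATES_PER_YEAR = 52  # constructed frequency of the initiating event

def control_induced_ale(tree=UPDATE_TREE, freq=UPDATES_PER_YEAR):
    """Annualized loss expectancy added by the control itself."""
    return freq * expected_loss(tree)

def net_benefit(original_ale, residual_ale, apparent_cost, hidden_ale=0.0):
    """Risk reduction minus everything the control costs, hidden risk included."""
    return original_ale - (residual_ale + apparent_cost + hidden_ale)

if __name__ == "__main__":
    hidden = control_induced_ale()
    print(f"control-induced ALE: ${hidden:,.0f}")
    # Constructed figures for the threat the agent is being bought to address.
    print("net benefit, apparent costs only:", net_benefit(350_000, 100_000, 200_000))
    print("net benefit, with control-induced risk:", net_benefit(350_000, 100_000, 200_000, hidden))
```

With these constructed figures the purchase looks worthwhile on apparent costs alone but turns negative once the control's own outage risk is counted, which is the iceberg effect the article describes.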

In conclusion, while the apparent costs of cybersecurity solutions are often the primary focus during the decision-making process, it is crucial for organizations to recognize and account for the hidden costs that lie beneath the surface. These hidden costs—encompassing complexity, performance degradation, and friction—can significantly impact the overall effectiveness and efficiency of security measures. By adopting a comprehensive risk management approach and thoroughly evaluating both the visible and hidden costs, organizations can make more informed decisions that balance security needs with operational efficiency and budget constraints. Ultimately, understanding the full spectrum of costs associated with cybersecurity solutions is essential for safeguarding not only the organization's assets but also its long-term strategic goals.

This article appeared originally here.
