The Hidden Costs of Chasing Cybersecurity Alerts

Written by Michael K. Hamilton | Sep 27, 2023 5:47:17 PM

We’ve all heard the usual reported costs of cybersecurity, from the cost of technology to the cost of a breach.

But what usually goes unreported are the related costs to an organization of having to chase alerts day in and day out. Those costs take a human toll and a business toll, and they can be measured in lost time, lost employees, and lost money.

Lost Time

It’s hard to perform all the tasks required to keep information security on track. I say this with some authority, because my team manages all that for Critical Insight. Along with regulatory requirements that involve routine examination of firewall rules, management of access authorization, vulnerability management, policy review, risk assessment, and awareness training for users, there are the constant yet interrupt-driven requirements of managing all the messaging and alerting that emanate from security products, including investigation, confirmation, response and recovery. And because you’re a mid-market business, you’re less able to compete for actual security resources; big tech has them all but locked up. In your shop, IT does security and IT, and neither is being done well.

I’ve written before about how this is affecting business financially – when IT does security, it can be fairly categorized as “unplanned work,” which is regarded as double the cost of planned work. You can also quantify the cost of HR churn… but looking at the issue from the other side, what would life be like if your IT team wasn’t spending 20-40 hours per week on security alerts and compliance tasks? Where would you be in your digital transformation journey right now?

Our own customers have reported to us that our service has elevated the quality of life of IT staff and returned 5% of their time to project work, instead of their being led around by the security events that cannot go unaddressed. How this translates to improved outcomes on IT projects is under study, but it’s not unfair to point out that contract project management and consulting resources sit idle while IT is otherwise occupied with security, and that’s a directly quantifiable cost.

Combining that cost with the certain opportunity cost of delayed IT projects means that an organization could be significantly overpaying for security and underperforming in terms of results.

Lost Employees

Those IT people slipping behind on their projects and doing all that unplanned work don’t like it. The under-recognized symptom is when your desk phone lights up and it’s HR calling again: another IT resource has burned out from chasing security alerts and slipping on key performance projects, and it’s time to mount another hiring process.

No one appreciates the distraction and cost of HR churn, especially in IT, and especially in a region where there is high competition for IT resources, above all those with experience in security. This is what you experience directly: it’s far less about networks melting from ransomware, and far more skewed toward people problems.

We’ve all seen the statistics on the shortfall of security practitioners, and I won’t bore you by repeating them here, but suffice it to say that the actual problem in need of a solution is not a technology problem; it’s a people problem.

Lost Money

If we were awash in security professionals, so much so that their value on the market was $45,000/year, we would not be struggling with security, slipping on IT projects, and spending far too much on recruiting, salary, and retention for IT staff who have security thrust upon them as part of their body of work. Good security professionals are expensive to find and hire. Think about how much you spend on the recruiting, onboarding, and training process. Earlier, I wrote about lost time. That time costs money when projects don’t get done. It’s the business reality, unfortunately.

Stop Losing Time, Employees, and Money

Because these costs are tangible, there is an audience for the argument to cede IT security to a firm that can supply both the ongoing 24/7/365 monitoring, detection, and response and the contract strategy, policy, compliance, and technical security testing resources. In general, that audience is someone with a fiduciary responsibility in an organization, one who understands the value of risk reduction, balanced against the cost not only of the resources to perform those bodies of work but also of the under-represented cost of HR churn.

Make your IT staff happier, get key projects back on track, and spend less to get better security outcomes. Critical Insight is now a one-stop shop for managed and professional services that will allow you to wash your hands of the security and compliance problems that have been the bane of your existence and get back to your own organizational mission.