This is the second blog post in a series of excerpts from the ebook (download here) “Know Your Cyber Security ROI: Making the Business Case for Cyber Security.” The first post introduced the concept of cybersecurity implicit ROI and the factors that determine the expected value of your cybersecurity operations. It also outlined the three attack phases and the correlation between attack phase and organizational cost.
This post examines the first attack phase and the costs associated with precautionary measures during this phase:
Organizations employ many precautions and actions in the attempt to block cyber attacks. Such measures can require significant time and resources to implement as well as maintain. This class of tools includes endpoint security solutions such as anti-virus, protection and detection systems as well as gateway solutions.
Every enterprise includes software patching as part of its security system to some extent. Because of its widespread use and marked impact on business processes, we will examine patching as an example of direct and indirect costs to your organization.
Patching: An Infinite Process
The complexity and often time-critical nature of even predictable patching places a significant burden on IT operations. It consigns your IT team to a reactive state, forcing them to continually play catch-up whether or not a vulnerability is actually exploited. Many organizations consider cybersecurity patching resource-intensive and ineffective, yet perform it on some level both for regulatory reasons and to avoid extended risk.
- Patching consists of the following steps:
- Obtaining the patch from a trusted party and validating patch and source integrity
- Testing the patch to ensure the vulnerability is remediated and the patch will not break other applications – a lengthy and laborious process
- Notifying affected parties of unscheduled downtime if needed
- Patch deployment
- Post-deployment operational efficiency testing
- Rollback and remediation if needed
The Costs of Patching
To calculate how much patching costs your organization per year, use the following formula:
Total Annual Patching Cost = [(Cost of Patching Event) * (Number of Patching Events)] + [(Prepare and Detect Costs) * (Number of Reported Vulnerabilities)] + (Total Annual Ongoing Costs)
If you want to get to a more precise figure, take the real costs into account:
Cost of Patching Event = (Fully Burdened Hourly Rate) * (Hourly Effort)
Total Annual Ongoing Costs should include the cost of your Patch Management tools, contained in the above formula as “preparation and detection costs.” Using such tools, the hourly effort of endpoint patching is estimated at around eight hours per system per year, a total that includes assessment, assembly and testing, deployment, failure resolution and helpdesk.
Numbers may vary, but with a total of 10 yearly patches on average, the costs can reach several million dollars for a sizeable organization. And 10 yearly patches is a vast underestimation.
Patching comes with a low ROI given its costliness and minimal effectiveness.
Want it all at once, all in one place? Download the full e-book now!