The Praxis Blog - where theory meets praxis

Can cybersecurity be an efficiency tool instead of a sunk cost?

Written by Kai Roer | Feb 16, 2023 11:36:21 AM

Throughout my career in IT and information security, any investment in cybersecurity has been considered a sunk cost: a necessary evil that organizations must invest in if they are to be taken seriously, avoid being hacked and ensure compliance with local and international regulations. A sunk cost is like a sunken ship - it is a direct burden on the books and it cannot be recovered.

But what if, instead of an operational expense (OpEx) that reduces the profit margins and efficiency of your organization, cybersecurity could be a capital investment (CapEx) that goes on the books like the treasure aboard a sunken Spanish galleon? You know, those ships that carried gold and treasure and are sometimes found at the bottom of the ocean. Imagine your cybersecurity expenditures being a hidden treasure instead of a sunk cost. How would that change perspectives?

I know. It is a long stretch. So please bear with me as I play with this idea. 

Security can be observed and worked with on many different levels and from many different perspectives. One commonly used perspective is the People, Process (policy) and Technology triangle. In this perspective, each of the three dimensions of the triangle focuses on a specific part: the People focus looks at security from a people perspective, the Process focus from a process and policy perspective, and the Technology focus from a technology and technical perspective. All good, and all well known.

Cybersecurity and information security have traditionally focused on the technology side of the triangle, with some attention to process and policy. The People perspective has often been neglected or even deliberately avoided. There may be many explanations for this bias, for example that an interest in technology draws people to cybersecurity, and that compliance drives the need for policy and process audits. Whatever the reason, the result is that we as an industry are biased in what we choose to focus on in cybersecurity, and in how we choose to focus.

Still with me? This bias in our interests and areas of focus has, over many years, created a number of "truths" in our industry, such as that security is a necessary evil, a sunk cost. Alternatively (at least for some), it seems that the people focus is not needed, or that even if we do focus on it, it doesn't really matter. Worse yet, some believe that human factors are a complicating factor that makes it difficult for security professionals to do their jobs. We could of course dig into this flawed idea, but that is a topic for another blog post. Instead, let us examine how this long-term focus has created a reality where cybersecurity is reducing profit margins and increasing OpEx.

With a lack of balance in the People, Process, Technology triangle, costs will increase and efficiency will go down. Consider an organization whose policy requires employees to connect to the network through a VPN when they are traveling. The VPN technology chosen requires employees to connect manually, using usernames and passwords. Due to constraints in the setup, employees are able to access everything even if they do not log on to the VPN, so a number of employees never use it. In addition to the technology and the policy, there is annual training for the employees.

There are a number of challenges here, but I will focus on the costs. Because many employees connect to the network without using the VPN, IT and security operations receive logs and alerts that they must review and act upon. For this example, the team spends 5 hours a week on this, alerting employees to do the right thing and use the VPN. Employees also have to deal with these messages, so let's say they spend another 5 hours per week in total. This organization thus spends 10 hours per week on one single security implementation: 40 hours a month, 480 hours a year. Not so much, you may say. I will then ask you: what similar examples do you know of, from your own experience? You can probably come up with a two-digit number of examples without spending even a minute of your time, right?

Now we are suddenly talking about 4800 hours, every year. This is the equivalent of 2.5 (give or take) full-time employees. Every year. Just because of some poorly implemented (and, ironically, insecure) security measures.

What happens, then, if we can identify those resource hogs and eliminate them? What happens if we review the security program from a people perspective? What happens if we consider the policies and the technology implementations from the perspective of the employees who have to jump through all the security hoops just to do their jobs? What if you could shave just 5 minutes off their time each day? That is the same as 20 hours saved per employee per year, just by identifying areas of inefficiency in your cybersecurity program and implementing better methods and tools.

Imagine the face of the CFO if cybersecurity spending could show a return on investment of 1% to 5%. And what if that 1% could be shown on the overall performance of the organization? That would be something, would it not?

The Praxis methodology was created to improve security while improving business efficiency across the board. Discover what efficiency savings you could be making in your organization and find the hidden treasures in your security program today. Click here to get started!

Link to our efficiency savings survey: https://praxissecuritylabs.com/praxis-efficiency-report