Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

What is the Real Cost of “Good Enough” Security?

If you read my pieces regularly, you might have guessed that approaching security operations and incident response in a strategic, holistic, and analytical way is something I’m passionate about. Perhaps not surprisingly, it’s a topic I often discuss during presentations, discussions, and meetings. Sometimes, I receive feedback or hear statements such as:

If you read my pieces regularly, you might have guessed that approaching security operations and incident response in a strategic, holistic, and analytical way is something I’m passionate about. Perhaps not surprisingly, it’s a topic I often discuss during presentations, discussions, and meetings. Sometimes, I receive feedback or hear statements such as:

● “I think an 80% solution will be just fine here”

● “I don’t have the time or resources to strategically assess and improve my security program”

● “I will choose the lowest cost option”

CybersecurityMany of you know that I come from a security operations and incident response background. Because of that, I understand that we don’t live in an ideal world, that all operations, and particularly security operations is hard, and that improving is almost never easy.  That being said, I still believe that taking a strategic, holistic, and analytical approach is something that can help organizations improve tremendously, even within an operational environment.  From what I’ve seen, there is still plenty that can be done in almost every organization.

The 80% Solution

Is an 80% solution acceptable?  Before we discuss that question, consider the following examples that help illustrate what 80% really means:

● Four hours and 48 minutes of unsafe drinking water each day

● Four hours and 48 minutes without electricity each day

● One out of every five cars on the road without brakes

● One out of every five planes missing routine safety inspection

● One out of every five illustrative examples not being particularly good

I could go on listing examples here for hours, but I believe you understand the point.  Perhaps you even appreciated my humor in the last bullet point.

The point of these examples is to illustrate that, although it may be difficult, when it comes to risk mitigation, we should be aiming for the right solution.  There will always be limitations and resource constraints.  But if we start out by aiming for an 80% solution, we will probably wind up with far less than that.

Let’s use business negotiations as an example. If you are in the market and want to buy something labeled with a price of $5 for $3, you don’t begin by offering $3. Perhaps you begin by offering $1 and then enter into an animated dialogue with the vendor.

Security is no different. If we have a risk that we need to mitigate, we should begin by breaking it down into goals and priorities as I’ve discussed in previous pieces. We should aim to find the right people, process, and technology to cover all of the goals and priorities and properly mitigate the risk. Of course there will be compromises, challenges, and frustrations along the way.  But that doesn’t mean we should aim for “good enough” from the beginning.  We should always aim for what’s needed.  You might be surprised at how many times that can actually be achieved when approached correctly.

No Time For Strategy

I’ve written previously about the “Too Busy For Round Wheels” phenomena. Yes, I understand from my operational career that it can be extremely difficult to find the time to come up for air and take a long, hard, and honest look at where the security program is vs. where it should be.  But, I’ve also found that sometimes organizations spend an awful lot of time on activities that are not always value-added. It’s a vicious cycle — organizations cannot figure out why they are so busy because they are too busy to examine why they are so busy.

Although it can be difficult, there is a definite need to come up for air.  In the near-term, yes, it will pull some resources away from day-to-day work.  But in the long-term, if done correctly, taking a strategic, holistic, and analytical approach to security will make far better use of those same resources and will allow organizations to improve their security postures far more quickly and efficiently than they would be able to do otherwise.

Think Total Cost

When people say “I am going with the lowest cost option”, what I often hear is “I am going with the lowest upfront cost option”.  When organizations think about the cost of a solution, they should be thinking about the total cost.  As you might expect this is more complex than merely the upfront cost plus yearly maintenance costs.

As I and many others have written about or discussed previously, technology by itself is not a solution. Solutions require the right mix of people, process, and technology.  No one of those three elements can by itself produce a solution to a given problem. Further, total cost can be a bit tricky to calculate and sometimes a bit deceptive. What do I mean by that?  Let’s take a look.

The total cost of a given solution will include some obvious and very tangible costs, such as:

● Real estate (rack space)

● Human resources to operate and maintain the solution

● Human resources to use the solution

● Power

● The cost of the technology piece to the solution

● Human resources to develop and follow the process piece of the solution

● Training

This is not an exhaustive list, but it is enough to give the reader an idea of what a tangible cost is.  But what about the less tangible or intangible costs?  What do I mean by that?  Here are a few examples:

● Additional people, process, and technology required by the introduction of additional complexity into the environment

● Additional human resources required to sift through noise produced by a poorly performing or ill fitting solution

● Additional operations and maintenance cost associated with a solution that requires more attention than was expected or budgeted

● Missed incidents, such as long dwelling intrusions, and the financial costs that follow as a result, caused by inadequate detection capabilities or too low of a signal-to-noise ratio

● Additional solutions required to meet other operational needs that are not being met by a non-optimal solution

As you can see, looking at upfront cost alone can be quite deceptive.  Calculating total cost of ownership (TCO) can be complex, but it is an exercise that brings tremendous benefits to the organizations that calculate it correctly.  Only through a true understanding of TCO can the solution that is right for the organization be chosen.

Obviously every organization will have its limitations and resource constraints.  But that doesn’t mean the organization should aim solely for good enough.  Instead, an organization should always aim for what fits its strategic goals and priorities and what will improve its security posture most efficiently and effectively.  Do I think that this is easy to do?  Absolutely not.  But that doesn’t mean we shouldn’t try.  The real cost of “good enough” is simply too high to be worth the risk.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.