Why is security so expensive?

It was a challenging customer audit. The customer wanted us to have a specific piece of security technology. My attempts to explain how the alternative measures we had in place met the same requirements were falling on deaf ears. When pressed, I answered something like: "This tech in our setup has a poor return on investment, it's just too expensive."

"Security is expensive, sir", the auditor answered, in what I felt was a biblical tone.

IT directors echo the same mantra, albeit in a negative manner. You hear the term "security tax" early in your career. Security accounts for about 13% of IT expenses in the financial and high-tech sectors.

I'll always remember my lean agile classes. Security was "an activity without plus value but necessary". Talk about selling people on security!

Here's the conundrum: it's hard to prove any security measure works. You cannot run a controlled experiment in such an unpredictable setting! If you get breached, every CEO will ask: "Why am I paying for security?" and if you don't get breached: "Why do I pay so much to begin with?"

This week, we will uncover why security spending gets this reputation of being expensive. I will cover:

  • the legitimate reasons why it's priced so high;
  • the fallacious motives of such pricing;
  • and solutions to make information security's value visible outside of the context of cyber attacks.

And the best of all? This post is free!



Good reasons why security is costly

Exponential scope

I don't need to toss you a bunch of statistics about technology growth. Two years ago, generative AI lived in research labs. Now every app in the world needs AI to survive. Since it's a race, you can be sure security has not been carefully woven into all these apps.

Security tools and specialists will catch up like they always do. But it's another layer to secure. Cloud computing and containers are great. But it's another attack surface. And the old legacy stuff doesn't go away. Most businesses that were around in the 80s still have mainframe computers!

Security needs to be everywhere. More tech, more security. Both the tools and the people, which brings us to...

Talent scarcity

I explained why becoming an information security specialist isn't easy. There is just a lot to know! Combine that breadth of knowledge with the exponential sprawl of systems and the breakneck speed at which technology evolves... Since the skills are hard to acquire, supply and demand dictate a high price for labour. Economics.

When I did my computer science degree, security wasn't one of the sexy choices. Video games, mobile apps, AI, and big data were coveted. It's a tough sell considering this is the field of computer science with the highest rate of burnout (in fact, security jobs have one of the highest burnout rates of any profession, period). This stress can be explained by...

Accountability

Project management apps make teams more productive. Video conferencing apps connect people. Security infrastructure protects your whole business from cybercriminals and malicious governments. There is a lot at stake. This accountability does have a cost. CISOs are pretty much a mess of burnout and alcoholism. Plus, let's face it, if a security breach happens, it is the security people that get fired.


Bad practices that overprice security need to go away

Paywalling security

Ever heard of the "Single Sign-On (SSO) Tax"? Companies use single sign-on technology to replace password authentication. Think of the "Sign in with Google" apps. In a world where password attacks remain the most common pathway to cyberattacks, SSO brings huge benefits. So SaaS providers paywall it. Hard. 400%+ base price hard. This is absurd. Sellers fail to protect their own users with the most useful security measure out there, which is also cheaper to implement and maintain than password authentication!

Microsoft does it too. The Cybersecurity and Infrastructure Security Agency (CISA) threw Microsoft under the bus over its logging retention offer after a China-affiliated attack group accessed US government Outlook accounts.

Security should be baked in, not a premium.

The checkmark

Let's come back to my auditor story. At a certain point, every company will paint itself into a corner. They will promise to buy a piece of technology, write it into a standard, and things snowball until everybody forgets why this technology is mandatory. There's a significant amount of security spending on "compliance theatre", also known as "paying for the checkmark".


The problem is not the cost, it's the perception of value

Let me tell you something you already know: people will pay any price for an item if they perceive its value. The auditor didn't understand why we wouldn't spend hundreds of thousands of dollars on a redundant security tool because he was convinced that security was valuable in itself. IT directors talk of the "security tax" because they value tangible business functionality.

So, how do we convince the IT directors about security's value? This is where fear-based marketing usually takes over. We've got pretty good data about the cost of a data breach and the methods of cybercriminals. Nobody would want to be accountable for irreparable damages to individuals, after all.

If you're a regular ppfosec reader, you know where I'm going with this! I believe fear to be a short-sighted solution. It's useful if you are selling security software. It's a trap if you want to secure a company. In Selling InfoSec Differently, I argue for an "optimistic" vision of security.

The indirect value of security transcends breaches. This is what my buzzword-filled agile classes got all wrong about security: its added value is everywhere and nowhere at once. Investments in security lead to the following positive externalities:

  • integrity - you are doing things right;
  • visibility - asset identification and classification make everyone's job easier;
  • standardization - you can only automate what has been standardized;
  • trust - security and quality go hand in hand;
  • efficiency - we hunt down inactive accounts and unused software, and push for deprecations and regular updates.

This is why, in a sense, "security" as a standalone discipline should not exist. We are simply the guardians of the engineering fundamentals. Maybe software moves too fast, and we need this oversight to keep technology in check.

One thing's for sure: we didn't need that security tool the auditor was pushing on us.