When organizations undertake IT projects, including those related to information security, they often underestimate the effort of getting the work done. This might occur because we don't understand the complexities of completing projects or because we underestimate the time and money needed to complete tasks. We also tend to exhibit wishful thinking, fooling ourselves regarding the risks of projects going awry and the cost of mitigating such risks.
Reminder: Total Cost of Ownership
Gartner's Bill Kirwin popularized the term Total Cost of Ownership (TCO) to highlight the need to account for two types of costs associated with owning and managing IT infrastructure. One category is direct costs, which are often comprised of labor and capital costs. The other category is indirect costs, which are harder to perceive; as a result, they are often underestimated.
Gartner provided the following TCO example:
"It might seem like a sensible 'direct costs' decision to reduce costs by spending less on contract negotiations, or hardware purchases or staff development and retention programs. However, if the result of such action is to deliver services with inappropriate service level agreements, or less reliable hardware that fails more often or longer waits for less effective support, the ultimate outcome might be to shift the comparatively meager savings from the direct side into comparatively significant increased costs in the indirect side."
We can learn from the concept of TCO to look for "hidden" costs not only in the IT components that organizations lease, but also in the services they purchase and in the work they conduct internally.
Often-Forgotten Security Project Costs
Here are the costs that I frequently see underestimated and unaccounted for in the realm of information security. These costs might take the form of actual money being spent on products or services, and might also be less direct, such as the work effort exerted by employees who are already on the payroll:
- Requirements gathering: It takes time and expertise to formulate the organization's requirements for a security solution, especially when it's comprised of multiple components. For instance, consider the complexity of an enterprise-wide vulnerability management deployment, complete with new tools and a process overhaul. Business users and technologists may need to be interviewed; specs may need to be written and—sometimes—the skills to define the requirements may need to be hired from the outside.
- Transition effort: When organizations commit to a new security product or service, they often don't account for the cost of transitioning from the current solution to the new one. Deploying a new tool or service can take a substantial effort, depending on the solution's complexity. For instance, network architecture may need to be modified to accommodate a Web Application Firewall (WAF); an old anti-virus product will need to be carefully uninstalled across the enterprise to make room for the new endpoint security system. This can be costly.
- Project oversight: Organizations often underestimate the effort involved in overseeing the project to make sure it moves forward at the expected pace and that the proper objectives are achieved. This is a problem for internal projects—say, a SIEM deployment—as well as for the projects that the company outsources—such as security assessments. If there is no dedicated project manager or coordinator, then someone else on the team will bear that cost.
- Validation of completion: In the excitement of thinking about the completed project, it's easy to forget about the cost of the time and skills necessary to confirm that the work was performed according to spec. This effort could be as routine as checking whether a firewall change was made properly, or as complex as validating whether the security of the newly-outsourced environment was implemented according to the design.
- Personnel training: An organization might allocate funds to purchase or build a new security system—say, an Intrusion Prevention System (IPS)—yet not account for the time and effort needed to train its employees to get the most out of the tool. Training may need to be product-specific—e.g., how to deploy Snort—as well as cover the applicable fundamental skills—for instance, how to read network packets.
Be sure to consider both obvious and "hidden" costs when preparing to undertake a security project, be it an internal effort or a purchasing decision. Putting on the TCO hat might help in the process, because the concept acts as a reminder that some costs are hard to perceive until you experience them yourself.
If you found this post useful, you might like my take on using Return on Investment (ROI) for justifying information security expenses.