Jamf Blog
May 30, 2023 by Jesus Vigo

Top security challenges and how to overcome them: Budgetary constraints + demonstrating ROI

Not all security challenges come in the form of threat actors that seek to directly (or indirectly) compromise devices, users and data. In fact, among the most challenging and downright frustrating concerns are those that stem from risks that are not addressed due to budgetary matters minimizing an organization's ability to effectively protect its resources. The inability to demonstrate the true value gleaned from security controls through traditional ROI protocols is just as difficult and similarly frustrating…but it doesn’t have to be.

Welcome to this blog series which highlights the top security challenges organizations are facing and discusses how to overcome them. In this series of five articles, each will target a specific challenge while providing guidance on how to find the method(s) that work for you while meeting your organization’s unique needs to rise above each of the challenges.

Given each organization’s differing needs, requirements, budgetary constraints and regional location, consider the guidance provided here to be less prescriptive (i.e., you need to do this). Instead, look at it as a list of the potential options available – alongside their respective strengths and weaknesses – allowing organizations and the administrative teams that support them to develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most impact their business operations, processes, users and of course, data.

In the previous blog, we discussed the challenges organizations face when it comes to preparing for and addressing cybersecurity threats from outside the organization.

In this final entry, we focus on how budgetary constraints can limit cyber security protections of critical business data and the difficulty IT faces in properly capturing return on investment (ROI) data pertaining to security-based expenditures in various categories, such as:

  • Vendor consolidation
  • Automation
  • Business plan promo
  • Device and app lifecycle

Before we delve in, let’s set the stage for what we’re about to discuss by explaining a bit about both budgetary constraints and a simple take on how ROI is measured before explaining how applying these traditional metrics to cybersecurity spending often yields incorrect assessments for both.

Budgeting 101

Security can be costly. This is perhaps one of the greatest understatements in any industry. Why do we say that? It’s both simple math based on real-world, upfront costs (the former) and difficult-to-predict calculations that try to foretell the extent of the damage to an organization should it fall victim to an attack (the latter).

In other words, it’s one part math, one part soothsayer to a degree.

One dollar = one dollar

This section concerns itself exclusively with the math portion. Here, determining the cost of security controls – such as MDM licenses to manage devices, endpoint security software to fend off malware and cloud-based identity credentials to securely connect user devices to company resources – is a straightforward process.

By performing simple arithmetic, we add one license each of Jamf Pro + Jamf Protect + Jamf Connect to determine the upfront cost of protecting one device with Trusted Access. From here, you merely multiply the cost of the licenses by the number of devices your organization wishes to manage and you have your total. See? We said it was simple.

One dollar ≠ one dollar

Here’s where budgeting becomes less clear. Because more goes into determining an organization’s overall security spend, other types of security controls may be required to meet the unique needs of your organization. As a matter of fact, the recommended way to truly determine the levels of risk that your organization’s infrastructure is faced with is to perform a risk assessment of each piece of critical equipment, data, and device.

In doing so, you will not only identify the types of risk facing your organization but also understand the severity of each risk type, as well as determine the criticality of the affected resource. Ultimately, these elements paint the picture of risk as it affects the organization, allowing them to determine which controls are needed to best strengthen their security posture in accordance with their risk appetite.

ROI 101

Security can be costly. We repeat this here for added emphasis because accurately determining an organization’s ROI requires more than being able to identify a specific number or target percentage that serves as dividends, or is “paid back” in return for procuring a specific security control or service.

Truth be told, there are several ways in which an organization may meet or exceed its ROI without ever truly quantifying the budget spent on security protections through traditional ROI models because, simply put, security isn’t really viewed through that lens until an incident occurs. It is only then that some organizations realize the true value in their spending to mitigate cyber security threats, like those that lead to data breaches, as a security return on investment.

How much does a security breach cost?

According to IBM’s Cost of a data breach 2022 report, the global average cost of a data breach is $4.35 million. For organizations based in the U.S., that number more than doubles to $9.44 million. Oh, and if your organization happens to be in the healthcare industry, that number grows to $10.10 million.

Are there other factors that can add to the cost?

In a word: Yes.

These factors are viewed as exceptions and not the rule, meaning organizations should view these more like variables that could affect them (but may not). Because of this, these potentialities are not factored into the costs above in IBM’s report. Despite this fact, the variables have the potential to cause the costs of attacks and data breaches to balloon. Some examples of these are:

  • Regulatory compliance violations: Organizations may be subject to fines, including civil and/or criminal liability if found to be in violation of regulatory governance due to a failure to secure protected data.
  • Leaking of proprietary data/IP: Any data leaked can create additional risk factors for an organization. Leaking of proprietary data or IP can compound costs in several ways that impact business operations, like affecting revenue streams.
  • Loss of business reputation: The fallout that stems from the loss of reputation in the eyes of the public can also have a negative impact on organizational revenue. In certain cases, the combined losses have been so staggering that the business is unable to recover.

Security return on investment

While organizations would do well to reframe how they view security budgets and calculate ROI on their spending, there are some things that can be done to ensure that each dollar spent is efficiently put to best use. Below we’ve highlighted some of the more common categories where streamlining meets efficacy to build a stronger security posture.

Vendor consolidation

Some solutions make a big splash over the term “a single pane of glass”. Though in theory being able to access all of your tooling from a central location seems beneficial, it comes with a caveat that doesn’t often reveal itself until after your organization has migrated – not all features, operating systems or devices may be fully supported.

Consolidating vendors and security solutions certainly has a place in reducing budgetary concerns while providing IT and Security teams a streamlined means of performing management and security-related tasks. But if the trade-off to simplifying management means that some security protections will be delayed in being supported or may never be fully supported, well, the time saved on the device management side will result in increased risk on the security side – and that results in a costly trade-off long term.

Put another way, device management and security are best viewed as two halves of the whole. In order to holistically protect endpoints, management workflows must be able to allow administrators to effectively manage their devices, including up-to-date patch management and applying configuration profiles to harden surfaces to name a few critical processes in the lifecycle.

Similarly, ensuring devices are managed according to industry best practices is great, but without visibility into device health status and being able to determine when endpoints have fallen out of compliance, then the workflows designed to remediate incidents won’t know how to enforce compliance, leaving an attack vector open to exploit.

It is critical for organizations to realize that no true “silver bullet” solution exists, hence why partnerships are critical to the success of your security strategy. But if having too many partners is financially untenable, having too few may open the organization to risk due to lack of support.

The solution? Partner with best-of-breed solutions for the platform you need to fully support. For Apple devices, Jamf is purpose-built to provide full support of macOS, iOS, iPadOS and tvOS devices and features – all with same-day support – providing organizations the peace of mind that devices are completely protected, but that said protections can be deployed on your time-table, not anyone else’s.

Automation

The “grail” of administrators everywhere! Automation exemplifies the crux of my long-held mantra to “work smarter – not harder.” The belief, when put into action properly, allows admins to not only do more with less but, as I like to look at it, spend less while receiving more. And who doesn’t like the concept of getting more for less?

Let me explain. IT and Security usually operate as separate teams with their respective responsibilities; however, they can and do work together to keep resources safe from threats. Consider the scenario of an organization that has adopted the BYOD model with a dozen users utilizing their personally owned devices for work. The users are part of a distributed workforce working remotely. As part of the IT/Security team, it’s one of your roles to ensure that each device is patched and that users manually enable legacy VPN each time they connect over untrusted wireless networks.

Though twelve devices don’t appear to pose significant difficulty to manage, the disparate distances between you, the admin, and each of the users you support globally make the task overwhelmingly challenging to maintain manually. So challenging that it borders on impossible, as there’s no scientifically possible way for you to monitor each user personally at the same time.

However, adopting MDM and Zero Trust Network Access (ZTNA) solutions allows them to perform the heavy lifting of monitoring device health in real time, while integrating both solutions enables automated workflows that execute policies to remedy compliance issues when triggered. In this example, the admin can easily deploy software updates in bulk to keep devices up-to-date, while replacing legacy VPN with modern ZTNA technology enables policy-based management to enforce secured network connections every time a user requests access to business resources, automatically routing protected resources through an encrypted micro-tunnel – even if the user forgets to enable it manually.

The time saved by the administrator permits them to turn the focus toward other, more critical issues that may be better served by their direct attention, thereby spending less (effort) but receiving more (time).

Device and app lifecycle

Another critical aspect that ties directly to the organizational budget is the device and app lifecycles. Particularly, how the deployment of new devices works hand-in-glove with the ongoing management of endpoints and the apps utilized by users to remain productive has a direct impact on the device and overall security posture of an organization.

In the example above, the lone administrator is tasked with keeping devices patched while ensuring that requests to access protected business resources occur only over secure remote connections. Let’s take a moment to rewind this back a bit and say that the organization has decided to standardize using Mac as their preferred platform. They have procured MacBook Pro laptops and had them shipped to each user’s home. In prior times, IT would’ve needed to have received the laptops first to configure them, then ship them out to each remote user or simply traveled to each location to manually and physically configure each device.

But that is far too costly, isn’t it? Indeed it is – both in money and time. The far better, far more efficient and secure method of provisioning devices is zero-touch deployment. Utilizing Apple as a solid foundation, organizations can take advantage of Apple Business Manager (ABM) or Apple School Manager (ASM) for educational institutions to set the initial configurations for each device, ensuring a smooth, secure handoff to the MDM for enrollment. From there, the MDM performs the configuration of the Mac, including installing software and configuring security settings, as well as provisioning cloud-based credentials so that the device is ready for the end-user within minutes of them powering it on.

A summary of the zero-touch device deployment process is as follows:

  1. Open the box
  2. Power on the device
  3. There is no step 3

With device provisioning being fully automated and deployment performed by the end-user themselves, MacAdmins’ time is freed to manage apps and updates, right? Wrong…these can and should be automated as well to keep your hands free and your users happy.

Leveraging the tie-in with ABM/ASM and your MDM solution, procurement and deployment of applications is made simple, thanks to its direct connection to the Apple App Stores. Managed apps, or those that are deployed by the organization, are easy to configure and even easier to install on devices enrolled in your MDM. Since these apps are centrally hosted by Apple, as new versions are released, they are already queued for update across your device fleet – no further action is required by administrators.

Jamf users have an ace up their sleeve, in that our App Installers provide the same functionality as first-party apps but extend this feature to third-party applications to streamline deploying these packages, sourced from the vendors themselves and managed by Jamf.

While first- and third-party app deployment and updates can be automated, the Jamf Self Service catalog offers additional flexibility to empower end-users to take greater autonomy when it comes to managing their devices. With Self Service, Jamf administrators can pre-authorize apps, packages, settings and configurations for all stakeholders, allowing them to obtain the software they need, exactly when they need it. No help desk tickets and IT requests for approval are necessary – just download what you need from a safe, secure and customized repository and proceed without worrying about the security of the files or the integrity of the installer packages.

Cutting down on help desk requests + streamlining the deployment of both hardware and software + empowering end-users to remain productive from anywhere, at any time and over any connection = IT/Security teams that are free to focus on providing better service and greater security without the burden of having to manually touch or be physically present when performing common tasks.

“Si Vis Pacem, Para Bellum”

The phrase, translated from Latin, means “If you want peace, prepare for war”. It has been adapted throughout history but was originally written in the fourth or fifth century AD by Publius Flavius Vegetius Renatus in his tract De Re Militari.

It conveys the insight that in order for peace to be preserved, there are often necessary conditions that ensure it remains. In this context, as it applies to cybersecurity, the ability to defend your devices, users and data from threat actors is the required condition.

Despite the difficulty in quantifying ROI through traditional models, it is perhaps better framed through the lens of other necessities that provide preventive care though we may hardly if ever really utilize it.

As an example of this, I’d like to draw your attention to insurance policies. It is not only important but in most cases a legal requirement to obtain insurance to protect homes, cars and even our health. We pay premiums, often monthly, in exchange for the possibility that if something occurs to any of the named insured, the insurance company will step in and cover a percentage of the financial loss incurred through misfortune. Some go through entire lifetimes paying for car insurance without ever once needing to file a claim. And while there are those that may deem this an unnecessary expense, there are those of us who – especially having been through the scary and unfortunate scenario of a car accident – are certainly grateful that the insurance coverage we’ve been paying for will ease the burden during a decidedly difficult time.

The same applies to security controls implemented to protect resources. They’re not budgeted, procured and configured to realize some financial gain or specific ROI target – that is done to mitigate risk, or at least minimize the fallout from it. Cybersecurity often doesn’t provide these metrics in ways that business operations can clearly denote. On the surface, they may only see that their security spending accounts for X dollars and the ROI accounts for Y, which is reducing revenue by X amount.

But what about when a security incident occurs?

This is the great equalizer. Not that anyone should ever want to become a victim of a security breach or even an attempted attack, but it does put the security budget into perspective much like the insurance premium example above did.

If your organization spends X on security controls and the ROI accounts for Y, the revenue is reduced by X amount in traditional models. However, IT and Security teams are able to gain insight into device health and can generate reports from telemetry data that detail which devices are protected and when, as well as when attacks have occurred and what they attempted to gain access to – both what was compromised and prevented.

With this information in hand, organizations have the data necessary to determine how many attacks were attempted and effectively stopped. Combined with a current risk assessment, this gives a clear understanding of how many attacks were stopped, which translates into revenue that was saved from being used to:

  • recover from data breaches
  • remediate endpoints that were compromised
  • contract emergency IT/Security team support
  • pay for regulatory fines
  • cover legal costs related to civil/criminal liability
  • provide services for victims of leaked PII
  • procure cybersecurity controls to mitigate current/future attacks

Armed with this information, organizations can now calculate ROI more accurately, by being able to account for existing and additional risks related to the organization’s security posture and added costs related to each threat that was protected against. When considering the numbers at the top of this document from IBM’s cost of a data breach report, the ROI may seem inconsequential when compared to the average $9.44 million cost per breach. Furthermore, when factoring the average cost plus any other additional liability costs stemming from a breach – including loss of reputation – well, it really puts concerns over security budgeting into perspective. Dare I say, it gives cyber security its rightful seat at the business table, wouldn’t you agree?

Jesus Vigo, Sr. Copywriter, Security.