Making the Financial Case for Outsourcing Endpoint Protection
A Guide to Calculating Endpoint Risk and Operational Savings

Table of Contents
Executive Summary
Calculation Inputs
Financial Risk
Probability of One or More Incidents (12-Month Period)
Probability of the Incident Resulting in Data Disclosure
Probability of an Incident Resulting in Data Disclosure, Per Number of Locations
Impact
Incurred Yearly Risk
Global Average
Finance Industry
Insurance Industry
Healthcare Industry
Legal Industry
Manufacturing Industry
Retail Industry
Technology Industry
Operational Savings
Cost of Inefficiencies: False Positives
Cost of Inefficiencies: True Positives
Personnel, Tools and Maintenance
Putting It All Together
Sample Calculation
Conclusion
References
Executive Summary
Reaching $18.4 billion by 2024, the endpoint security market will continue to expand at a compound annual growth rate (CAGR) of 7.6 percent.[1] This growth is in parallel to the proliferation of endpoints across mobile, bring your own device (BYOD), remote workers and virtual instances. Though endpoint security currently constitutes 24 percent of overall security spend[2], threats continue to outpace the capability of in-house cybersecurity functions to cost-effectively mitigate risk.
In the latest Ponemon State of Endpoint Risk Study, 64 percent of survey respondents indicated their organizations suffered a data asset and/or IT infrastructure compromise in 2018; this number reflected an increase over the previous year (54 percent).[3]
Of those breached, 57 percent reported significant disruption to business operations with the loss of more than 1,000 records containing sensitive or confidential information.[4]
While endpoint risk is undeniable and investment is justified, making the business case for why outsourcing endpoint protection delivers positive returns by improving operational efficiency and minimizing risk is difficult without contextual quantification.
In this guide, we show how to calculate savings in the context of your organization’s risk, while accounting for size and industry. After reading, you will be armed with the information needed to demonstrate to your leadership and budget authorities the value of outsourcing endpoint protection.
Calculation Inputs
In the following sections we examine the inputs of our justification calculation:
• Financial risk
  - Probability of one or more incidents
  - Probability of the incident resulting in data disclosure
  - Financial risk of data disclosure (incident conversion to disclosure)
  - Financial risk per incident
  - Industry breakout and details
• Operational savings
  - Alerts, triage and investigation costs
  - False positives
  - True positives
  - Security Operations Center (SOC) Team/Security Team Operational Costs
Financial Risk
Probability of One or More Incidents (12-Month Period)
To calculate risk, you must assess the probability of an endpoint incident occurring. Unfortunately, that probability is dependent upon a multitude of factors which require statistically significant data reflective of your unique situation.
The most accurate way to inform predictions about risk in the messiness of the real world is to study risk in the real world. Using observational data from our SOCs, eSentire calculated the mean probability that an organization had at least one incident involving a bypass of existing endpoint security controls, in a 12-month period, with industry and the number of locations being protected serving as parameters (Table 1).

| Number of Locations | Global Average | Finance | Healthcare | Insurance | Legal | Manufacturing | Retail | Technology |
|---|---|---|---|---|---|---|---|---|
| 1 | 23% | 20% | 34% | 23% | 34% | 38% | 60% | 27% |
| 2 | 40% | 37% | 57% | 41% | 57% | 61% | 84% | 46% |
| 3 | 54% | 50% | 71% | 55% | 72% | 76% | 94% | 61% |
| 4 | 64% | 60% | 81% | 65% | 82% | 85% | 97% | 71% |
| 5 | 72% | 68% | 88% | 73% | 88% | 90% | 99% | 79% |
| 6 | 79% | 75% | 92% | 80% | 92% | 94% | 99% | 85% |
| 7 | 84% | 80% | 95% | 84% | 95% | 96% | 99% | 89% |
| 8 | 87% | 84% | 96% | 88% | 97% | 98% | 99% | 92% |
| 9 | 90% | 87% | 98% | 91% | 98% | 99% | 99% | 94% |
| 10 | 92% | 90% | 98% | 93% | 99% | 99% | 99% | 96% |

TABLE 1: PROBABILITY OF ONE OR MORE INCIDENTS BY INDUSTRY AND NUMBER OF LOCATIONS
Probability of the Incident Resulting in Data Disclosure
One clear observation is that the more sites an organization has, the higher the risk—this conclusion follows logically: the more sites, the larger the threat surface, and the more opportunities for attackers. However, to calculate financial risk, we must know the conversion rates of an incident resulting in data disclosure. Verizon’s 2019 Data Breach Investigations Report showed that organizations which experienced an incident converted to data disclosure at an average rate of 29.6 percent.[5]
However, industry averages varied widely from 22.3 percent to 65.2 percent (Table 2). The disparity in conversion rates is likely due to the nature and value of the data protected and the level of security investment.

| Global Average | Finance | Healthcare | Insurance | Legal | Manufacturing | Retail | Technology |
|---|---|---|---|---|---|---|---|
| 29.6% | 22.3% | 22.3% | 65.2% | 23.4% | 24.7% | 59.4% | 23.4% |

TABLE 2: PROBABILITY OF AN INCIDENT CONVERTING INTO A FULL DATA BREACH EVENT BY INDUSTRY
Probability of an Incident Resulting in Data Disclosure, Per Number of Locations
Thus far we have the probability of experiencing one or more security incidents in a 12-month period (Table 1) and the probability of a security incident being a data breach (Table 2). To arrive at the probability of one or more data disclosure events in that 12-month period, we apply the following formula:

P(D) = P(I) × P(B)

Here, over a period of 12 months, P(I) denotes the probability of experiencing one or more security incidents, P(B) denotes the probability of a security incident being a data breach, and P(D) describes the probability of one or more data disclosure events during security incidents. Table 3 serves as a shorthand reference, based on recent historical data, for the probability of an organization having incurred breach-level costs on at least one incident, without a security monitoring program in place.

| Number of Locations | Global Average | Finance | Healthcare | Insurance | Legal | Manufacturing | Retail | Technology |
|---|---|---|---|---|---|---|---|---|
| 1 | 6.8% | 4.5% | 22.2% | 5.1% | 8.0% | 9.4% | 35.6% | 6.3% |
| 2 | 11.8% | 8.3% | 37.2% | 9.1% | 13.3% | 15.1% | 49.9% | 10.8% |
| 3 | 16.0% | 11.2% | 46.3% | 12.3% | 16.8% | 18.8% | 55.8% | 14.3% |
| 4 | 18.9% | 13.4% | 52.8% | 14.5% | 19.2% | 21.0% | 57.6% | 16.6% |
| 5 | 21.3% | 15.2% | 57.4% | 16.3% | 20.6% | 22.2% | 58.8% | 18.5% |
| 6 | 23.4% | 16.7% | 60.0% | 17.8% | 21.5% | 23.2% | 58.8% | 19.9% |
| 7 | 24.9% | 17.8% | 61.9% | 18.7% | 22.2% | 23.7% | 58.8% | 20.8% |
| 8 | 25.8% | 18.7% | 62.6% | 19.6% | 22.7% | 24.2% | 58.8% | 21.5% |
| 9 | 26.6% | 19.4% | 63.9% | 20.3% | 22.9% | 24.5% | 58.8% | 22.0% |
| 10 | 27.2% | 20.1% | 63.9% | 20.7% | 23.2% | 24.5% | 58.8% | 22.5% |

TABLE 3: PROBABILITY OF ONE OR MORE DATA BREACH INCIDENTS BY INDUSTRY AND NUMBER OF LOCATIONS

Impact
To determine risk, we need the financial impact per record lost when a data breach occurs. In the 2019 Ponemon Cost of a Data Breach study, organizations reported on average the following cost per record lost.[6]

| Global Average | Finance and Insurance | Healthcare | Legal | Manufacturing | Retail | Technology |
|---|---|---|---|---|---|---|
| $150 | $210 | $429 | $178 | $160 | $119 | $183 |

TABLE 4: FINANCIAL IMPACT PER RECORD LOST BY INDUSTRY
Incurred Yearly Risk
Having information for both the impact cost of a breach and the probability of at least one breach occurring, we can then assess incurred yearly risk through the standard formula:

Risk = Probability × Impact

Probability: The probability of a data breach, taken from Table 3
Impact: The cost of a breach, taken from Table 4 and applied to the expected scope of records lost

The following tables represent yearly incurred risk relevant to each industry. Studies for average records lost per data breach correlative to number of locations are not available, so organizations calculating their risk must estimate the quantity of records they are likely to lose in the event of a data breach.
*Note: The values below are incurred yearly risk based on a minimum of one incident per year. Studies have shown organizations that have one incident are likely to have additional incidents. If you believe your organization will have more than one incident, your incurred yearly risk will increase in relation to projected records lost.

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 6.8% | $10,212 | $51,060 | $102,120 | $255,300 | $510,600 | $1,021,200 |
| 2 | 11.8% | $17,760 | $88,800 | $177,600 | $444,000 | $888,000 | $1,776,000 |
| 3 | 16.0% | $23,976 | $119,880 | $239,760 | $599,400 | $1,198,800 | $2,397,600 |
| 4 | 18.9% | $28,416 | $142,080 | $284,160 | $710,400 | $1,420,800 | $2,841,600 |
| 5 | 21.3% | $31,968 | $159,840 | $319,680 | $799,200 | $1,598,400 | $3,196,800 |
| 6 | 23.4% | $35,076 | $175,380 | $350,760 | $876,900 | $1,753,800 | $3,507,600 |
| 7 | 24.9% | $37,296 | $186,480 | $372,960 | $932,400 | $1,864,800 | $3,729,600 |
| 8 | 25.8% | $38,628 | $193,140 | $386,280 | $965,700 | $1,931,400 | $3,862,800 |
| 9 | 26.6% | $39,960 | $199,800 | $399,600 | $999,000 | $1,998,000 | $3,996,000 |
| 10 | 27.2% | $40,848 | $204,240 | $408,480 | $1,021,200 | $2,042,400 | $4,084,800 |

TABLE 5: GLOBAL AVERAGE

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 4.50% | $9,450 | $47,250 | $94,500 | $236,250 | $472,500 | $945,000 |
| 2 | 8.30% | $17,430 | $87,150 | $174,300 | $435,750 | $871,500 | $1,743,000 |
| 3 | 11.20% | $23,520 | $117,600 | $235,200 | $588,000 | $1,176,000 | $2,352,000 |
| 4 | 13.40% | $28,140 | $140,700 | $281,400 | $703,500 | $1,407,000 | $2,814,000 |
| 5 | 15.20% | $31,920 | $159,600 | $319,200 | $798,000 | $1,596,000 | $3,192,000 |
| 6 | 16.70% | $35,070 | $175,350 | $350,700 | $876,750 | $1,753,500 | $3,507,000 |
| 7 | 17.80% | $37,380 | $186,900 | $373,800 | $934,500 | $1,869,000 | $3,738,000 |
| 8 | 18.70% | $39,270 | $196,350 | $392,700 | $981,750 | $1,963,500 | $3,927,000 |
| 9 | 19.40% | $40,740 | $203,700 | $407,400 | $1,018,500 | $2,037,000 | $4,074,000 |
| 10 | 20.10% | $42,210 | $211,050 | $422,100 | $1,055,250 | $2,110,500 | $4,221,000 |

TABLE 6: FINANCE INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 5.10% | $9,078 | $45,390 | $90,780 | $226,950 | $453,900 | $907,800 |
| 2 | 9.10% | $16,198 | $80,990 | $161,980 | $404,950 | $809,900 | $1,619,800 |
| 3 | 12.30% | $21,894 | $109,470 | $218,940 | $547,350 | $1,094,700 | $2,189,400 |
| 4 | 14.50% | $25,810 | $129,050 | $258,100 | $645,250 | $1,290,500 | $2,581,000 |
| 5 | 16.30% | $29,014 | $145,070 | $290,140 | $725,350 | $1,450,700 | $2,901,400 |
| 6 | 17.80% | $31,684 | $158,420 | $316,840 | $792,100 | $1,584,200 | $3,168,400 |
| 7 | 18.70% | $33,286 | $166,430 | $332,860 | $832,150 | $1,664,300 | $3,328,600 |
| 8 | 19.60% | $34,888 | $174,440 | $348,880 | $872,200 | $1,744,400 | $3,488,800 |
| 9 | 20.30% | $36,134 | $180,670 | $361,340 | $903,350 | $1,806,700 | $3,613,400 |
| 10 | 20.70% | $36,846 | $184,230 | $368,460 | $921,150 | $1,842,300 | $3,684,600 |

TABLE 7: INSURANCE INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 22.20% | $95,238 | $476,190 | $952,380 | $2,380,950 | $4,761,900 | $9,523,800 |
| 2 | 37.20% | $159,588 | $797,940 | $1,595,880 | $3,989,700 | $7,979,400 | $15,958,800 |
| 3 | 46.30% | $198,627 | $993,135 | $1,986,270 | $4,965,675 | $9,931,350 | $19,862,700 |
| 4 | 52.80% | $226,512 | $1,132,560 | $2,265,120 | $5,662,800 | $11,325,600 | $22,651,200 |
| 5 | 57.40% | $246,246 | $1,231,230 | $2,462,460 | $6,156,150 | $12,312,300 | $24,624,600 |
| 6 | 60.00% | $257,400 | $1,287,000 | $2,574,000 | $6,435,000 | $12,870,000 | $25,740,000 |
| 7 | 61.90% | $265,551 | $1,327,755 | $2,655,510 | $6,638,775 | $13,277,550 | $26,555,100 |
| 8 | 62.60% | $268,554 | $1,342,770 | $2,685,540 | $6,713,850 | $13,427,700 | $26,855,400 |
| 9 | 63.90% | $274,131 | $1,370,655 | $2,741,310 | $6,853,275 | $13,706,550 | $27,413,100 |
| 10 | 63.90% | $274,131 | $1,370,655 | $2,741,310 | $6,853,275 | $13,706,550 | $27,413,100 |

TABLE 8: HEALTHCARE INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 8.00% | $14,240 | $71,200 | $142,400 | $356,000 | $712,000 | $1,424,000 |
| 2 | 13.30% | $23,674 | $118,370 | $236,740 | $591,850 | $1,183,700 | $2,367,400 |
| 3 | 16.80% | $29,904 | $149,520 | $299,040 | $747,600 | $1,495,200 | $2,990,400 |
| 4 | 19.20% | $34,176 | $170,880 | $341,760 | $854,400 | $1,708,800 | $3,417,600 |
| 5 | 20.60% | $36,668 | $183,340 | $366,680 | $916,700 | $1,833,400 | $3,666,800 |
| 6 | 21.50% | $38,270 | $191,350 | $382,700 | $956,750 | $1,913,500 | $3,827,000 |
| 7 | 22.20% | $39,516 | $197,580 | $395,160 | $987,900 | $1,975,800 | $3,951,600 |
| 8 | 22.70% | $40,406 | $202,030 | $404,060 | $1,010,150 | $2,020,300 | $4,040,600 |
| 9 | 22.90% | $40,762 | $203,810 | $407,620 | $1,019,050 | $2,038,100 | $4,076,200 |
| 10 | 23.20% | $41,296 | $206,480 | $412,960 | $1,032,400 | $2,064,800 | $4,129,600 |

TABLE 9: LEGAL INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 9.40% | $15,040 | $75,200 | $150,400 | $376,000 | $752,000 | $1,504,000 |
| 2 | 15.10% | $24,160 | $120,800 | $241,600 | $604,000 | $1,208,000 | $2,416,000 |
| 3 | 18.80% | $30,080 | $150,400 | $300,800 | $752,000 | $1,504,000 | $3,008,000 |
| 4 | 21.00% | $33,600 | $168,000 | $336,000 | $840,000 | $1,680,000 | $3,360,000 |
| 5 | 22.20% | $35,520 | $177,600 | $355,200 | $888,000 | $1,776,000 | $3,552,000 |
| 6 | 23.20% | $37,120 | $185,600 | $371,200 | $928,000 | $1,856,000 | $3,712,000 |
| 7 | 23.70% | $37,920 | $189,600 | $379,200 | $948,000 | $1,896,000 | $3,792,000 |
| 8 | 24.20% | $38,720 | $193,600 | $387,200 | $968,000 | $1,936,000 | $3,872,000 |
| 9 | 24.50% | $39,200 | $196,000 | $392,000 | $980,000 | $1,960,000 | $3,920,000 |
| 10 | 24.50% | $39,200 | $196,000 | $392,000 | $980,000 | $1,960,000 | $3,920,000 |

TABLE 10: MANUFACTURING INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 35.60% | $42,364 | $211,820 | $423,640 | $1,059,100 | $2,118,200 | $4,236,400 |
| 2 | 49.90% | $59,381 | $296,905 | $593,810 | $1,484,525 | $2,969,050 | $5,938,100 |
| 3 | 55.80% | $66,402 | $332,010 | $664,020 | $1,660,050 | $3,320,100 | $6,640,200 |
| 4 | 57.60% | $68,544 | $342,720 | $685,440 | $1,713,600 | $3,427,200 | $6,854,400 |
| 5 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |
| 6 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |
| 7 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |
| 8 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |
| 9 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |
| 10 | 58.80% | $69,972 | $349,860 | $699,720 | $1,749,300 | $3,498,600 | $6,997,200 |

TABLE 11: RETAIL INDUSTRY

| Number of Locations | Incident and Conversion Probability | 1,000 Records Lost | 5,000 Records Lost | 10,000 Records Lost | 25,000 Records Lost | 50,000 Records Lost | 100,000 Records Lost |
|---|---|---|---|---|---|---|---|
| 1 | 6.30% | $11,529 | $57,645 | $115,290 | $288,225 | $576,450 | $1,152,900 |
| 2 | 10.80% | $19,764 | $98,820 | $197,640 | $494,100 | $988,200 | $1,976,400 |
| 3 | 14.30% | $26,169 | $130,845 | $261,690 | $654,225 | $1,308,450 | $2,616,900 |
| 4 | 16.60% | $30,378 | $151,890 | $303,780 | $759,450 | $1,518,900 | $3,037,800 |
| 5 | 18.50% | $33,855 | $169,275 | $338,550 | $846,375 | $1,692,750 | $3,385,500 |
| 6 | 19.90% | $36,417 | $182,085 | $364,170 | $910,425 | $1,820,850 | $3,641,700 |
| 7 | 20.80% | $38,064 | $190,320 | $380,640 | $951,600 | $1,903,200 | $3,806,400 |
| 8 | 21.50% | $39,345 | $196,725 | $393,450 | $983,625 | $1,967,250 | $3,934,500 |
| 9 | 22.00% | $40,260 | $201,300 | $402,600 | $1,006,500 | $2,013,000 | $4,026,000 |
| 10 | 22.50% | $41,175 | $205,875 | $411,750 | $1,029,375 | $2,058,750 | $4,117,500 |

TABLE 12: TECHNOLOGY INDUSTRY
Operational Savings
Cost of Inefficiencies: False Positives
Outsourcing endpoint protection can deliver substantial cost savings for organizations, even accounting for the fact that the magnitude of savings will vary somewhat based upon each organization’s existing cybersecurity capabilities and operational setup. In the most recent Ponemon State of Endpoint Risk study, organizations reported that 55 percent of alerts from endpoint technologies were false positives. While these alerts are benign, they come with a cost: operational expenses are incurred as a result of personnel time spent investigating and confirming the absence of malicious presence.
Outsourcing endpoint protection can substantially reduce or nearly eliminate the number of false positives requiring an organization’s attention, and the associated costs. The operational savings which result can be calculated as the product of the number of false positives an organization estimates each endpoint produces in a 12-month timeframe and the cost associated with each interruption. The formula below assumes an average false-positive incident takes two minutes to inspect and disregard at a personnel expense of $53 per hour.

Formula: ((Average False Positives Per Year Per Endpoint × Minutes Per False Positive) / (60 Minutes) × Hourly Cost Per Analyst) × Number of Endpoints

*Note: It is important to remember that most organizations will ignore some alerts due to resource limitations. Typically, alerts which are not deemed high risk are ignored, or thresholds are tuned to minimize the number of alerts. The table below does not account for these variables.

Column headings: Number of False Positives Per Endpoint Per Year

| Number of Endpoints | 1 | 5 | 10 | 15 | 20 | 25 | 30 |
|---|---|---|---|---|---|---|---|
| 100 | $177 | $883 | $1,767 | $2,650 | $3,533 | $4,417 | $5,300 |
| 250 | $442 | $2,208 | $4,417 | $6,625 | $8,833 | $11,042 | $13,250 |
| 500 | $883 | $4,417 | $8,833 | $13,250 | $17,667 | $22,083 | $26,500 |
| 750 | $1,325 | $6,625 | $13,250 | $19,875 | $26,500 | $33,125 | $39,750 |
| 1,000 | $1,767 | $8,833 | $17,667 | $26,500 | $35,333 | $44,167 | $53,000 |
| 2,500 | $4,417 | $22,083 | $44,167 | $66,250 | $88,333 | $110,417 | $132,500 |
| 5,000 | $8,833 | $44,167 | $88,333 | $132,500 | $176,667 | $220,833 | $265,000 |
| 7,500 | $13,250 | $66,250 | $132,500 | $198,750 | $265,000 | $331,250 | $397,500 |
| 10,000 | $17,667 | $88,333 | $176,667 | $265,000 | $353,333 | $441,667 | $530,000 |

TABLE 13: OPERATIONAL COST SAVINGS FROM AN ESTIMATED NUMBER OF FALSE POSITIVES ELIMINATED PER ENDPOINT
Cost of Inefficiencies: True Positives
While false positives are relatively predictable in terms of the time investment needed to analyze and disregard, true positives are dependent upon the nature of the threat and the time required to detect and contain. The realized operational cost savings of outsourcing detection and response are also dependent upon the number of incidents an organization will incur during a 12-month timeframe. Using the $53 per hour analyst rate, the following formula estimates operational cost savings for true positives:

Formula: (Hours spent per incident × Cost per hour for analysts)

| 120 (2 Hours) | 360 (6 Hours) | 720 (12 Hours) | 1,440 (24 Hours) | 4,320 (3 Days) | 10,080 (7 Days) | 43,200 (30 Days) |
|---|---|---|---|---|---|---|
| $106 | $318 | $636 | $1,272 | $3,816 | $8,904 | $38,160 |

TABLE 14: EXAMPLE EXPECTED TIME COST TO RESOLVE AN INCIDENT

Personnel, Tools and Maintenance
The last component of our operational savings calculation covers personnel, tools and maintenance dedicated to endpoint protection. The previous two sections already accounted for analyst time consumed by false positives and true positives, so we can omit analysts from this section. However, supporting personnel must be accounted for, as well as the investigative tools employed. While it is clear that managers, engineers and administrators are unlikely to be solely dedicated to endpoint protection, a portion of their time is nevertheless applied to endpoint security. Therefore, savings can be determined by estimating the costs of personnel and the percentages of their time consumed by this pursuit (Table 15), while acknowledging that doing so requires some subjectivity and numbers will vary by organization.

| Item | Cost |
|---|---|
| Total cost of operations tools per analyst | $25,000 |
| Cost per Security Operations Manager | $124,433 |
| Cost per Intelligence Analyst | $95,875 |
| Cost per Intelligence Manager | $167,297 |
| Cost per Network Security Engineer | $116,360 |
| Cost per Network Security Administrator | $95,418 |

TABLE 15
Putting It All Together
In the previous sections, we outlined two components to justifying outsourcing of endpoint protection: incurred yearly risk and operational savings. To clarify the process, the following table outlines the inputs, formulas and step-by-step process to calculate values applicable to your unique environment.

Category: Yearly incurred risk
Inputs:
• Table 3
• Table 4
• Estimated number of records you would expect to lose if a breach occurred
Formula: Table 3 corresponding value × (Table 4 corresponding value × estimated records expected to lose in a breach)
* Table 5 provides example yearly incurred risk for varying intervals between 1,000 and 100,000 records.

Category: False positives
Inputs:
• Number of endpoints
• Average number of false positives per endpoint over 12-month period
• Hourly cost per analyst
• Timeframe to dismiss false positives
Formula: ((Average false positives per year per endpoint × Minutes per false positive) / (60 Minutes) × Hourly cost per analyst) × Number of endpoints
* Table 13 provides example costs for varying intervals between 1 and 30 false positives.

Category: True positives
Inputs:
• Hours spent per incident
• Hourly cost per analyst
Formula per incident: (Hours spent per incident × Cost per hour for analysts)
All incidents must be added together.
* Table 14 provides example costs for incidents varying in timeframe between 2 hours and 30 days.

Category: Supporting personnel, maintenance and labor
Inputs:
• Cost of operations tools
• Cost per Security Operations Manager
• Cost per Intelligence Analyst
• Cost per Intelligence Manager
• Cost per Security Engineer
• Cost per Security Administrator
• Maintenance cost (labor)
• Maintenance cost (hardware)
Formula: Addition of all tools and corresponding full-time employees (FTEs) or portions of FTEs dedicated to endpoint security

Category: Total yearly risk and operational costs
Summary of above calculations

TABLE 16
Sample Calculation
To help you with creating your own calculations, Table 17 includes an example scenario that should serve as guidance in the creation of your own justifications.

Profile:
• Industry: Legal
• Locations: 3
• Endpoints: 500
• False positives per year: 5
• True positives per year: 2
• Personnel:
  - 4 Analysts
  - 1 Security Operations Manager
  - 1 Intelligence Analyst
  - 1 Security Engineer
  - 1 Security Administrator

Category: Yearly incurred risk
Inputs:
• Table 3
• Table 4
• Estimated number of records you would expect to lose if a breach occurred
Formula: Table 3 corresponding value × (Table 4 corresponding value × estimated records expected to lose in a breach)
* Table 5 provides example yearly incurred risk for varying intervals between 1,000 and 100,000 records.
Calculation: Table 3 value = 16.8% × (Table 4 value = $178) × (10,000 records estimated to be lost if a breach occurs) = $299,040

Category: False positives
Inputs:
• Number of endpoints
• Average number of false positives per endpoint over 12-month period
• Hourly cost per analyst
• Timeframe to dismiss false positives
Formula: ((Average false positives per year per endpoint × Minutes per false positive) / (60 minutes) × Hourly cost per analyst) × Number of endpoints
* Table 13 provides example costs for varying intervals between 1 and 30 false positives.
Calculation: ((5 false positives per endpoint × 2 minutes per false positive) / (60 minutes) × $53/hour per analyst) × 500 endpoints = $4,417

Category: True positives
Inputs:
• Hours spent per incident
• Hourly cost per analyst
Formula per incident: (Hours spent per incident × Cost per hour for analysts)
All incidents must be added together.
* Table 14 provides example costs for incidents varying in timeframe between 2 hours and 30 days.
Calculation (2 incidents):
Incident 1: 72 hours × $53/hour = $3,816
Incident 2: 168 hours × $53/hour = $8,904
Incident 1 + Incident 2 = $12,720

Category: Supporting personnel, maintenance and labor
Inputs:
• Cost of operations tools
• Cost per Security Operations Manager
• Cost per Intelligence Analyst
• Cost per Intelligence Manager
• Cost per Security Engineer
• Cost per Security Administrator
• Maintenance cost (labor)
• Maintenance cost (hardware)
Formula: Addition of all tools and corresponding FTEs or portions of FTEs dedicated to endpoint security
Calculation:
Operational Tools: $25,000
+ Security Operations Manager Time (15% spent on endpoint) ($124,433 × 15%): $18,664
+ Intelligence Analyst Time (15% spent on endpoint) ($95,875 × 15%): $14,381
+ Security Engineer Time (15% spent on endpoint) ($116,360 × 15%): $17,454
+ Security Administrator Time (15% spent on endpoint) ($95,418 × 15%): $14,312
= Total: $75,430

Total yearly risk and operational costs: $391,607

TABLE 17
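
The guide's formulas chained into one calculation and run on the Legal, 3-location profile above. This is an added Python example, not part of the original guide; the function and class names are illustrative, probabilities are assumed to be passed as fractions (0.168 for 16.8%), and the supporting-costs figure is passed in as the guide's stated total rather than recomputed.

```python
from dataclasses import dataclass
from typing import Sequence

ANALYST_RATE = 53  # dollars per hour, the analyst rate the guide assumes


def _probability(name: str, value: float) -> float:
    """Reject values outside [0, 1]; a common slip is passing 16.8 for 16.8%."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction between 0 and 1, got {value!r}")
    return value


def disclosure_probability(p_incident: float, p_conversion: float) -> float:
    """P(D) = P(I) x P(B): a Table 1 value times a Table 2 value."""
    return _probability("p_incident", p_incident) * _probability("p_conversion", p_conversion)


def yearly_incurred_risk(p_disclosure: float, cost_per_record: float, records_lost: int) -> float:
    """Risk = Probability x Impact, where impact = cost per record x records lost."""
    if cost_per_record < 0 or records_lost < 0:
        raise ValueError("cost_per_record and records_lost must be non-negative")
    return _probability("p_disclosure", p_disclosure) * cost_per_record * records_lost


def false_positive_cost(endpoints: int, fp_per_endpoint: float,
                        minutes_per_fp: float, hourly_rate: float) -> float:
    """((FPs per endpoint per year x minutes per FP) / 60 x hourly rate) x endpoints."""
    return (fp_per_endpoint * minutes_per_fp / 60 * hourly_rate) * endpoints


def true_positive_cost(hours_per_incident: Sequence[float], hourly_rate: float) -> float:
    """Hours x hourly rate per incident, summed over all incidents in the year."""
    return sum(hours * hourly_rate for hours in hours_per_incident)


@dataclass(frozen=True)
class BusinessCase:
    yearly_risk: float
    false_positives: float
    true_positives: float
    supporting_costs: float

    @property
    def total(self) -> float:
        return (self.yearly_risk + self.false_positives
                + self.true_positives + self.supporting_costs)


def sample_case() -> BusinessCase:
    """Inputs copied from the sample profile: Legal industry, 3 locations."""
    return BusinessCase(
        yearly_risk=yearly_incurred_risk(0.168, 178, 10_000),  # Table 3, Table 4
        false_positives=false_positive_cost(500, 5, 2, ANALYST_RATE),
        true_positives=true_positive_cost([72, 168], ANALYST_RATE),
        supporting_costs=75_430,  # the guide's stated total for tools and personnel
    )


if __name__ == "__main__":
    case = sample_case()
    for label, value in (("Yearly incurred risk", case.yearly_risk),
                         ("False positives", case.false_positives),
                         ("True positives", case.true_positives),
                         ("Supporting costs", case.supporting_costs),
                         ("Total", case.total)):
        print(f"{label:<22} ${value:>12,.0f}")
```
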
Conclusion
As security leaders and practitioners have come to realize, making the case for outsourcing endpoint protection is a challenge. Broad endpoint studies continue to cite overinflated risks and costs that are difficult to interpret and seem too general to inform investment decisions which consider a particular organization’s unique attributes. These studies leave leaders and practitioners with unrealistic numbers which are hard to defend and explain. Budget authorities demand justification before authorizing expenditures. Using the formulas and guidance in this document, you can make a quantifiable business case to justify outsourcing endpoint protection while creating a more resilient and efficient endpoint security posture.
References
[1] See Endpoint Security Market worth $18.4 billion by 2024
[2] Available at: https://www.absolute.com/media/1935/2019-endpoint-security-trends-report.pdf
[3] Ponemon: 2018 State of Endpoint Security Risk Study
[4] Available at: https://enterprise.verizon.com/resources/reports/dbir/
[5] Available at: https://www.ibm.com/security/data-breach
[6] Available at: https://www.knowbe4.com/hubfs/2018ThreatImpactandEndpointProtectionReport.pdf
About eSentire:
eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates and responds in real-time to known and unknown threats before they become business disrupting events. Protecting more than $6 trillion AUM, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.