When I was still an analyst I was part of the mobile workforce, coming into the office maybe once or twice a year. The company-owned laptop I was provided ran 4 different security agents, plus several other agents for various systems management functions (asset, configuration, etc.) and remote access. Since the majority of the time the company had no ability to manage these mobile systems, they enforced some fairly draconian security policies, such as locking down aspects of the OS, disallowing certain protocols and applications from traversing the VPN, and configuring the various scan-based security technologies to scan the system on a recurring basis (OK, so maybe these are all reasonable and I felt they were draconian because I suffer from a Nietzsche “super-employee” complex and believe myself to be above the normal security policies of other employees – coincidentally I stopped using the corporate-supplied laptop and switched to a Mac).
Here is the kicker: my machine suffered from significant performance problems. Not only did it now take a good 5+ minutes to restart, it was unusable during a scan – which meant I was unable to work for several hours a week: no research, no ability to view the security hamster wheels so diligently presented to me by the 500 different security companies vying for placement high and to the right, no IM’ing other analysts to make fun of the latest press release promising total compliance and complete security – nothing. I, along with many others, was essentially dead in the water.
As far as I know (and I know this is a slippery slope) the productivity-impacting anti-malware bloatware never encountered a single instance of digital maliciousness – that doesn’t mean that there wasn’t a compromise or incident, it just means that the technology used to detect and prevent such things was irrelevant either way.
I wondered whether the cost of securing the device against a security incident, plus the impact on annual productivity, was justified against the cost of dealing with a virus outbreak or other security incident 1-2 times a month. How many of you just rolled your eyes and put me at the top of your most-hated-blogger list? But seriously, let’s dig into this…
The cost of desktop security for a 5,000-seat environment:
Fully loaded FTE salary = $100,000/annual
Initial end-point security license for AV/AS/PFW (assumes you sweet-talked your way down to $10–15/end-point) = $50,000–75,000/annual
Initial license for laptop encryption (assumes a cost of $10 per end-point) = $50,000
Initial license for host-based DLP or device control (assumes a cost of $18 per end-point) = $90,000
Initial license for patch management (assumes a cost of $10 per end-point) = $50,000
Total initial license cost for desktop security at $48 per end-point = $240,000 (and that is just the basic stuff at a pretty nice price point)
Total desktop security management servers (the stuff that runs the stuff – reporting servers, consoles, databases, aggregators, updaters, etc.) at 2 servers per 2,500 devices for each technology = 16–20 servers minimum
Total cost to manage the management servers at $5,000/annual per server = $80,000–100,000
Total FTE costs, assuming 1 per technology = $400,000
Total cost = $740,000/annual just for desktop security. Of course folks negotiate, and there are different pricing options such as perpetual vs. subscription and aggressive competitive pricing which can command up to 80% discounting on an initial deal, but this is probably pretty close to the pocket.
So a 5,000-seat environment spends around three quarters of a million dollars annually just for desktop security. Now let’s add in productivity loss, which, although very difficult to quantify, I think we can agree probably costs an organization about $250k annually (1 hour per employee per week – that is easily accomplished by the reboot times alone).
So a million dollars a year – give or take – to secure the desktop, and this doesn’t include the network security or email gateway products one deploys. Seems reasonable, right?
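The cost model above, written out as a small script so the seat count and prices can be varied, and extended with the one number the post never computes: the per-incident loss at which "1-2 incidents a month" would cost as much as the controls. This is an added example, not code from the original post; the prices, server ratio and FTE assumptions are the post's own, and the $250k productivity figure is spread evenly over the 5,000 seats.

```python
# Added example, not from the original post: the post's desktop-security cost
# model for a 5,000-seat environment, parameterised by seat count, plus the
# break-even loss per incident. Prices and assumptions are the post's own.

FTE_SALARY = 100_000          # fully loaded, per year; one FTE per technology
SERVER_COST = 5_000           # annual cost to manage one management server
SERVERS_PER_2500 = 2          # management servers per 2,500 devices, per technology
PRODUCTIVITY_PER_SEAT = 50    # the post's $250k productivity-loss estimate / 5,000 seats

# (low, high) annual per-end-point license price, as quoted in the post
LICENSE_PER_SEAT = {
    "av_as_pfw": (10, 15),
    "laptop_encryption": (10, 10),
    "dlp_device_control": (18, 18),
    "patch_management": (10, 10),
}


def license_cost(seats, prices=LICENSE_PER_SEAT):
    """(low, high) annual license cost summed over all technologies."""
    low = sum(lo for lo, _ in prices.values()) * seats
    high = sum(hi for _, hi in prices.values()) * seats
    return low, high


def server_count(seats, techs=len(LICENSE_PER_SEAT)):
    """Management servers needed: 2 per 2,500 devices for each technology."""
    blocks = -(-seats // 2_500)   # ceiling division: a partial block still needs servers
    return SERVERS_PER_2500 * blocks * techs


def annual_total(seats):
    """(low, high) annual cost: licenses + servers + FTEs + productivity loss."""
    lic_lo, lic_hi = license_cost(seats)
    fixed = (server_count(seats) * SERVER_COST
             + FTE_SALARY * len(LICENSE_PER_SEAT)
             + PRODUCTIVITY_PER_SEAT * seats)
    return lic_lo + fixed, lic_hi + fixed


def break_even_per_incident(seats, incidents_per_year):
    """(low, high) per-incident loss at which incidents cost as much as the controls."""
    lo, hi = annual_total(seats)
    return lo // incidents_per_year, hi // incidents_per_year


if __name__ == "__main__":
    print("annual total for 5,000 seats:", annual_total(5_000))
    for n in (12, 24):   # the post's "1-2 times a month"
        print(n, "incidents/year -> break-even per incident:", break_even_per_incident(5_000, n))
```

With the post's figures the break-even lands between roughly $40k and $83k per incident, which is the number an incident-cost survey would have to beat.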
I wonder what the cost of an incident is?
Well, “The Computer Security Institute conducted a survey of 538 computer security practitioners in corporations, government agencies, financial institutions, medical institutions, and universities in the United States. Their results revealed that 85 percent of respondents had detected computer security breaches within a twelve-month period. The 35 percent who listed a financial impact reported $377,828,700 in financial losses. Of these, many cited their Internet connection as the point of attack for hackers.”
Now before you jump all over me, let me state that I know as well as the next guy that trying to determine financial loss is about as predictable as trying to determine which politician elected to public office, on a platform of morality and decent values, will find themselves in the middle of a Spitzer, Craig, Foley, Clinton-esque sex scandal. That being said, it does make you wonder, doesn’t it – is security as we know it about to end up in the obituary of dead technologies?