The Cost Difference in Running a Cyber Security Function: Trained vs Untrained Staff

The importance of cybersecurity in today's digital landscape cannot be overstated. Organizations face an increasing number of sophisticated cyber threats that necessitate a robust and well-managed cybersecurity function. A critical decision in managing this function is whether to invest in training staff or to rely on untrained personnel. Let's look at the cost differences associated with these two approaches as instinctively we know that investing in well-trained staff leads to significant cost savings in the long run - even before we factor in the costs of a significant breach event.

The Importance of Trained Cybersecurity Staff

Efficiency and Effectiveness

Trained staff possess the knowledge and skills to identify, mitigate, and respond to cyber threats more efficiently and effectively. According to a study by the Ponemon Institute, organizations with well-trained security teams are 50% more effective at detecting and responding to cyber incidents compared to those with untrained staff (Ponemon Institute, 2021). So the time-to-value factor isn't the only thing we're saving on in the small cyber team.

Reduced Incident Response Time

Well-trained cybersecurity personnel can significantly reduce the time it takes to detect and respond to security incidents. This reduction in response time is crucial, as the longer a threat lingers in the system, the more damage it can cause. A report by IBM Security found that the average time to identify and contain a breach was 287 days for untrained staff, compared to 208 days for trained staff (IBM Security, 2020). This reduction in response time translates to substantial cost savings in mitigating damages from events such as malware or ransomware.

Cost Analysis

Direct Costs

  1. Training Expenses: The initial cost of training cybersecurity staff can be significant. However, this is a one-time investment that pays dividends over time. A comprehensive, specialist cybersecurity training program may cost an organization between $8,000 and $15,000 AUD per employee, per annum (Global Knowledge, 2022).
  2. Salary Differentials: Trained staff may command higher salaries due to their expertise. However, the increased salary costs are offset by the reduced need for external consultants and the ability to handle complex security issues in-house. Having a gaggle of consultants engaged permanently is far more expensive than a cohesive team of internal specialists. (The consultants and MSPs will, of course, disagree with me on this one!)

Indirect Costs

  1. Reduced Downtime: Cyber incidents often lead to operational downtime. Trained staff can minimize this downtime through faster incident response and recovery, thereby reducing the associated revenue losses. According to a report by Cisco, companies with trained staff experience 50% less downtime than those with untrained staff (Cisco, 2021).
  2. Fines and Legal Costs: Untrained staff are more likely to overlook compliance requirements, leading to regulatory fines and legal costs. A study by PwC highlighted that companies with trained cybersecurity teams faced 40% fewer compliance issues, reducing the risk of costly penalties (PwC, 2021).

Long-Term Benefits

Improved Security Posture

Investing in trained staff doesn't just improve teamwork, morale, engagement and job-satisfaction, it also improves an organization’s overall security posture. This not only helps in preventing breaches but also enhances the company’s reputation and customer trust. Organizations with a strong security posture are more likely to attract and retain clients, leading to increased revenue in the long run.

Proactive Threat Management

Trained staff are better equipped to adopt a proactive approach to cybersecurity, anticipating and mitigating potential threats before they materialize. This proactive stance significantly reduces the likelihood of a breach and its associated costs.

Conclusion

While the initial costs of training cybersecurity staff may seem substantial, the long-term benefits and cost savings are clear. Trained staff enhance many aspects of the business, helping to ensure business-goal alignment and boosting morale, engagement and teamwork; most importantly, they uplift the efficiency and effectiveness of the cybersecurity function and reduce incident response times, lowering the overall cost of managing cyber threats. Government departments, enterprises and even small businesses should view training budgets as strategic investments that yield significant returns by reducing the total cost of running a cybersecurity program and mitigating potential financial losses.

References

Investing in well-trained cybersecurity teams is not just about mitigating threats but also about securing operational resilience and protecting stakeholders' trust. 
