Why the Total Cost of Ownership is not equal to the cost of the equipment

Many people who start in cybersecurity think that adding a solution will fix the problem. That is not always true. For example, suppose you are the CTO of an organisation, and the CEO comes and asks you how vulnerable you are to a cyber attack. You reply that you need an additional 1.5 million a year to add an IDS to detect attacks. The CEO says ok. Now, what happens to you as the CTO? You get the funds and you deploy an IDS costing 1.5 million per year, but this is where things don't add up: the number of attacks you face this year is equal to the number of attacks you got last year.

Many C-level execs and people starting in security think that adding a solution always fixes the problem. Well, it doesn’t work that way in cybersecurity.

In cybersecurity, you also need a person to look after these solutions and check the logs. Let's take the previous example, where you get an IDS.

An IDS is an intrusion detection system. It is a passive device that detects and alerts; it is not a reactive device that actively stops attacks from happening.

This is what happens in practice: an exec gets an IDS, and no one is there to check the alerts. Further, many companies will have one person handling the whole IT infrastructure who is now also expected to look at the alerts. Initially, if the ruleset of the IDS is not tuned correctly, the number of alerts generated will be insane.

Now let us give the IT guy the upper hand: let's say the organisation's infrastructure is not changing that often, so he would be able to tune the alerts down. But again, this tuning takes from a week to a month, depending on the kind of infrastructure the organisation has, and that is assuming the infrastructure is not changing that often.

Now, practically speaking, it is not feasible for one person who is already managing the infrastructure to also deal with the alerts of an IDS. The organisation needs to either outsource or hire an in-house employee to analyse and act on the logs.

That is where things change in the Total Cost of Ownership. The organisation also needs to shell out more funds for hiring that employee, and this assumes it is an employee who already knows how to analyse and react to alerts and can see the big picture.

If the organisation hires a fresher, then time and money go into training the new hire and into their getting to understand the environment. Now let us say this fresher's salary is 30k a month (new hire), which comes to a 3.3 LPA (lakh per annum) salary that is not included in the budget, plus the training time and the time for the new hire to understand the environment. Also, this assumes the infrastructure is not too big. Depending on how many logs are generated, the organisation also needs to store the logs for a minimum of one year, and that is from a security point of view alone, not counting what regulations require. On average, a determined attacker will be in your network for a span of over 9 months, for which you need logs to analyse what is happening. Also note that this is an average, which means the time an attacker spends in a network can be a period of more than nine months.

This adds the cost of storing logs. Oh, and that is just the storage of the logs. What about securing the way the logs are stored, since an attacker can later go and tamper with the logs or destroy them?
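As an added example (not code from the original post), here is a small cost model that carries the argument above through: the IDS licence is only one line item, and the analyst, the training and log retention sized to attacker dwell time come on top of it. The event rate, record size, training cost, storage price and the retention safety factor are assumed sample values, not figures from the post.

```python
import math
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 24 * 3600


@dataclass
class TcoInputs:
    ids_annual_cost: float            # the figure the CTO quoted: the IDS itself
    analyst_annual_salary: float      # the person who reads and acts on alerts
    training_cost: float              # onboarding a fresher (assumed one-off cost)
    events_per_second: float          # log/alert rate the IDS produces (assumed)
    avg_event_bytes: int              # average size of one log record (assumed)
    retention_months: int             # how long logs are kept for investigation
    storage_cost_per_gb_month: float  # price of retained storage (assumed)


def retention_for_dwell_time(avg_dwell_months: float, safety_factor: float = 1.5) -> int:
    """Retention that covers more than the average dwell time.

    The post stresses that 9 months is an average, so sizing retention to the
    mean alone leaves the longer intrusions without logs. The safety factor is
    an assumed margin, not a figure from the post.
    """
    return math.ceil(avg_dwell_months * safety_factor)


def log_volume_gb(inputs: TcoInputs) -> float:
    """Gigabytes of log data on disk once the retention window is full."""
    total_bytes = (inputs.events_per_second * inputs.avg_event_bytes
                   * SECONDS_PER_MONTH * inputs.retention_months)
    return total_bytes / 1e9


def annual_storage_cost(inputs: TcoInputs) -> float:
    # Steady state: the whole retention window is on disk every month of the year.
    return log_volume_gb(inputs) * inputs.storage_cost_per_gb_month * 12


def annual_tco(inputs: TcoInputs) -> dict:
    """Break the first-year cost into the IDS and the parts the CTO did not quote."""
    breakdown = {
        "ids": inputs.ids_annual_cost,
        "analyst": inputs.analyst_annual_salary,
        "training": inputs.training_cost,
        "log_storage": annual_storage_cost(inputs),
    }
    breakdown["total"] = sum(breakdown.values())
    # Share of the real yearly spend that the equipment price alone leaves out.
    breakdown["hidden_share"] = 1 - inputs.ids_annual_cost / breakdown["total"]
    return breakdown
```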

#cybersecurity #management
