
Beyond Recovery: Money Talks

Greg van der Gaast
Independent Security Strategist

August 28, 2024


In Part 2b: Beyond Recovery: Exploring the Problem, I took a deeper look into the core issue we need to address regarding security, highlighting the often overlooked but essential factors contributing to concerning security trends.

Imagine I approach my CFO with a $1M budget ask for a recovery solution. The argument is that, despite our best efforts and existing security spend, it’s impossible to prevent breaches and we therefore need to minimise the damage when we do eventually, inevitably, get hit.

Whether voiced out loud or not, my CFO is likely to have some questions. A damning one might be wondering what exactly we’re doing with the, say, $5M already allocated to security annually if we still need a recovery solution.

It can easily create scepticism about our ability to keep the organisation secure, and about what we have been doing with the existing investment, which is never a good thing.

Assessing the Odds of a Security Breach

They might then ask what the odds are of being hit badly enough that this solution would make a material difference. You might give a ballpark answer of 10% in any given year.

Would you really be surprised then, with a 10% chance of something happening (that they might think you should already have prevented), and no guarantee that this new spend would work any better, that the CFO thinks investing that money into marketing instead would have more concrete returns for the business?

I’m not. With my business hat on, it’s what I’d do - and no amount of security fearmongering and outrage would change that, for better or worse.

Now imagine I asked them for the same $1M for the same solution, but told them the goal was to reduce the cost of any given incident scenario by reducing the downtime associated with it.

Because each incident then costs less, I need fewer people risk-managing the issues that could lead up to them, which frees them up to fix process issues upstream and so reduces how much risk the business introduces and carries year on year.

That in turn means I can reduce how much resource I need to operationally manage risks, because I'm carrying fewer and fewer of them. If that amounts to a cumulative $500K less spending each year, because we've fixed the root causes that spend was mitigating, then my annual security spending drops from the current $5M to $4.5M, then $4M, then $3.5M per year.

That means rather than talking about intangible risk, I'm now asking for a $1M investment that will create total savings of $3M ($0.5M + $1M + $1.5M) against today's baseline over the next three years, $2M net of the investment. It's a no-brainer. I haven't even mentioned the risk reduction, which will actually be greater than in the first scenario because we'll have reduced what can go wrong. That means an incident is less likely, and will likely be more limited when it does happen.

So, by using the recovery as a safety net to prioritise more proactive work I’ve changed the argument from one where we might have our bottom-line figure reduced due to a breach, to one where we will increase it by driving organisational efficiencies.

Applying Financial Logic to Other Solutions

The same kind of financial logic can be applied to other security solutions. For example, an investment in a vulnerability scanning platform could be presented as a mechanism by which, instead of simply remediating each CVE it reports, we ask what is causing them, and then chase down the causes that keep introducing vulnerabilities (or, in the case of missing patches, our inability to deploy them automatically) so that the number of issues needing manual intervention decreases over time.

Instead of just “fixing” individual vulnerabilities, we’d look at each as a string to pull on to find what is causing us to accumulate these vulnerabilities. That is the start of that downward curve of incidents over time which we saw in our aviation example in a previous installment.
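One way to turn a scanner's CVE list into the "strings to pull on" described above is to tag every finding with the upstream cause that keeps producing it and rank causes by how many findings would disappear if that cause were fixed. The following is an added example, not code from the original post or from any scanner vendor; the findings, the `origin` field (which in practice has to be joined from SBOM or CMDB data) and the 30-day patch SLA are all constructed assumptions.

```python
"""Group vulnerability-scanner findings by likely root cause (added example).

Constructed sample data; not from any real scan. The 'origin' and
'fix_age_days' fields are assumptions about what a scanner export plus
an SBOM/CMDB join would carry.
"""
from collections import Counter, defaultdict

# Constructed findings: one row per (host, CVE).
#   origin        where the vulnerable component came from
#   fix_age_days  how long a fixed version has been available (None = no fix yet)
FINDINGS = [
    {"host": "web-01", "cve": "CVE-A", "component": "openssl", "origin": "os-package", "fix_age_days": 120},
    {"host": "web-02", "cve": "CVE-A", "component": "openssl", "origin": "os-package", "fix_age_days": 120},
    {"host": "web-03", "cve": "CVE-A", "component": "openssl", "origin": "os-package", "fix_age_days": 120},
    {"host": "api-01", "cve": "CVE-B", "component": "node:16 base image", "origin": "container-base-image", "fix_age_days": 200},
    {"host": "api-02", "cve": "CVE-B", "component": "node:16 base image", "origin": "container-base-image", "fix_age_days": 200},
    {"host": "api-01", "cve": "CVE-C", "component": "lodash", "origin": "app-dependency", "fix_age_days": 400},
    {"host": "batch-01", "cve": "CVE-D", "component": "glibc", "origin": "os-package", "fix_age_days": 5},
    {"host": "api-02", "cve": "CVE-E", "component": "report-service", "origin": "custom-code", "fix_age_days": None},
]

PATCH_SLA_DAYS = 30  # assumed SLA for deploying an available OS patch


def root_cause(finding):
    """Map one finding to the upstream cause that keeps producing findings like it."""
    origin = finding["origin"]
    age = finding["fix_age_days"]
    if origin == "os-package":
        # A missing patch is only a process failure once the fix has been
        # available longer than the SLA; before that there is nothing upstream to fix.
        if age is None or age <= PATCH_SLA_DAYS:
            return "awaiting fix (within SLA)"
        return "patch pipeline: fixes exist but are not deployed automatically"
    if origin == "container-base-image":
        return "image lifecycle: base images are not rebuilt on a cadence"
    if origin == "app-dependency":
        return "dependency management: no automated dependency updates"
    if origin == "custom-code":
        return "engineering practice: vulnerabilities written in first-party code"
    return "unclassified"


def causes_ranked(findings):
    """Return [(cause, finding_count, distinct_cves)], most findings first.

    finding_count is how many scanner findings would stop appearing if the
    cause were fixed; distinct_cves shows whether that is one recurring
    defect or many independent ones.
    """
    count = Counter()
    cves = defaultdict(set)
    for f in findings:
        cause = root_cause(f)
        count[cause] += 1
        cves[cause].add(f["cve"])
    return sorted(((c, n, len(cves[c])) for c, n in count.items()),
                  key=lambda row: row[1], reverse=True)


def repeat_ratio(findings):
    """Findings per distinct CVE. Well above 1.0 means the same CVEs recur
    across hosts, pointing at one upstream cause rather than many defects."""
    distinct = {f["cve"] for f in findings}
    return len(findings) / len(distinct)


if __name__ == "__main__":
    for cause, n, distinct in causes_ranked(FINDINGS):
        print(f"{n:3d} findings / {distinct} CVE(s)  <- {cause}")
    print(f"findings per CVE: {repeat_ratio(FINDINGS):.1f}")
```

On the constructed data the top row is the patch pipeline (three findings, one CVE): fixing the deployment process removes more work than fixing any individual CVE, which is the shift in viewpoint the paragraph above argues for.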

The difference in the case of recovery is that it is what gives us the safety net we can lean on to free resource from firefighting so that it can be allocated to these proactive efforts. That's critical because our inability to do so today is, in my experience, the single biggest obstacle to escaping the current death spiral in security.

This is what makes recovery capabilities such a massive enabler and accelerator of change in how susceptible our organisation is to attack, while improving our bottom line in the process. And that's before we start counting on them to save us should things go badly. There are some really interesting financial models that can be built around this to win support from the business that goes well beyond just talking about risk.

Naturally, the more effective, more dependable and more reliable your recovery solution is, the more you can reduce the impact of adverse events, and the more resource you can reallocate to reducing risk and increasing the bottom line long-term. It's an enormous strategic force multiplier.

In fact, let’s step things up a bit. So far, we’ve been talking about reducing security (firefighting) effort and costs through a more strategic approach around root causes, but there’s a lot more in terms of outcomes when you’re pursuing a quality-management approach versus a risk-management one.

Addressing the Root Cause

Previously we discussed how virtually all security issues are quality issues. What we didn’t mention is that not all quality issues are security issues (for example, bad code might just be slow or unstable but not otherwise exploitable). But they often have the same root causes.

Allow me to share a specific example. Imagine your security team was overwhelmed trying to stay on top of thousands of vulnerabilities being introduced into the environment every year, most of which are the results of poor practices in your engineering department.

You address the root cause of the problem by making the case to have developers trained, better screened, adopt better practices/processes, etc. The result is a significant reduction in the number of vulnerabilities produced which already creates an ROI in terms of the reduced security OpEx.

I faced this situation once and it was a great success. But that’s not all that happened. By addressing the quality issues that were causing vulnerabilities in code and computing instances, the applications also got more stable, faster and easier to retrofit with customer feature requests (which became more profitable).

Fixing issues took less time and resources, people throughout the organisation using internal systems became more productive, and site reliability engineers who were burning out due to the difficulty keeping the platforms up stopped leaving (saving a fortune in recruitment and avoiding some big shortages that had real business impacts).

Finally, customers had a better experience using the (SaaS) product which improved retention/renewal rates, and even employee morale increased.

Then there was the big one. Cloud compute costs dropped by 30%, an amount large enough to pay for the entire security function.

There are some videos you can look up about the reintroduction of wolves to Yellowstone National Park. While the original intention was to control the elk population, their presence changed everything from the species present to the types of vegetation and even the course of rivers, restoring the balance of the ecosystem in a way no one had predicted. Security as a quality function has a remarkably similar effect, but only if you can free up the resource to pursue it. And the better your safety net, the more progress (rather than firefighting) you can make.

And it just so happens that Hitachi Vantara has the fastest recovery solution in the world.

Read our solution brief: The World's Fastest Ransomware Recovery From Immutable Snapshots.

All of these positive impacts have a business value. I encourage every security professional to do two things. First, start thinking beyond just managing risk: think about how we can reduce costs by addressing the IT and business issues that cause our security issues. Second, start thinking about what other benefits a root-cause, quality-focused approach could bring to the business. Each and every one has a possible financial model that shows value to the business and helps us win the support to elevate our position and drive our programmes forward.

Join us for our next installment where we look at how our storage and recovery capabilities can help us move some of our toughest obstacles: Legacy systems and technical debt.

Read Part 2a: Beyond Recovery: Exploring the Problem

Greg van der Gaast

Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry with thought-provoking ideas often at odds with the status quo.
He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting which helps organizations fix business problems so that they have fewer security ones.