
Economics Of Shift Left Security

Why is that? Well, “Shift Left Security” is relatively new, but more importantly it is hard. It is like consistently eating vegetables in the face of other sugary temptations. Security vendors all say shifting left enables faster delivery and lower costs, but in my opinion they never meaningfully quantify it. In this analysis, I am going to attempt to arm practitioners with data on “Shift Left Security” that every executive and controller of budget will understand — business economics. This fits into an important broader theme: security needs to be framed as driving business results — growing your TAM, accelerating sales cycles, shipping product faster — not just as a risk reduction exercise.

Model 1 — MFA Implemented Across The Organization

Starting simple. If you are thinking “every organization has MFA enabled everywhere”, you need a reality check. Nevertheless, MFA as a single control deployed across an organization is a great intuitive example. MFA is considered shifting left because it prevents many risky credential behaviors from ever being possible in the first place. This model compares a hypothetical organization with MFA deployed everywhere properly, versus one that only uses 1FA.

  • SOC Personnel Costs = (Login Alerts Per User Per Day Related To 1FA Only) * (Organization Size) / (Alerts Triaged Per Analyst Per Day) * (Average Annual SOC Analyst Cost)
  • SOC Software Costs = (Login Alerts Per User Per Day Related To 1FA Only) * (Organization Size) * (Per Alert Software Cost To Aid In Investigation) * (365 Days)
  • Dollar Loss Of Productivity = (Average Number Of MFAs Per Day Per User) * (Organization Size) * (Time To MFA In Seconds) / (60 Seconds Per Minute) / (60 Minutes Per Hour) / (24 Hours Per Day) * (Average Annual Employee Cost)
  • Expected Value Of Breach Cost = (Average Cost Of Data Breach) * (Likelihood Of Data Breach)
  • Organization Size: 10000 Employees (Users)
  • Time To MFA (Google Auth Or Equivalent): 10 Seconds [1]