The True Cost of Manual Triage

In vulnerability management, it’s rare that a cyber security team can remediate every issue as it arises. There are simply too many new vulnerabilities being identified every day. And, unless you’re an enterprise with a big IT security budget, you may have decided that the only option was to prioritise the risks yourself, via manual triage.

This isn’t entirely the wrong thing to do. Your team has far better knowledge of which vulnerabilities would most greatly affect your business than any machine does. Manual triage just takes up too much time. Valuable time that should be spent on remediation itself.  

By not taking steps to find an alternative to manual triage that utilises the knowledge and insight of your cyber security team, you could see yourself facing some significant costs in the not too distant future.

Labour costs

According to research from the Ponemon Institute, 53% of companies spend more time navigating manual processes than actually responding to vulnerabilities. With fewer man hours available for remediation, three things can happen. One, you need to hire more staff. Two, your staff work longer hours and burn out. Three, your company is unprotected and becomes the latest “colonial pipeline” news story. We’ll come on to these later.

Staying with labour costs for now, say you decide to increase your team by two people to make up for the time being used up by manual triage. The average annual salary for a mid-level vulnerability management consultant in the UK is £40,000 and in the US it’s $75,000. Can your business afford that?

Recruitment costs

Aside from the salary of those you have to hire, what about the cost of recruiting and onboarding them? According to Oxford Economics and Unum, it could cost as much as £5,433 to find a new employee, and £25,182 in wages before the new worker has reached optimum productivity.

Health costs

We mentioned burnout before because it is a very common issue in the cyber security industry. Faced with what feels like an endless list of vulnerabilities to tackle with often little to no plan for assessing and rewarding hard work, security professionals can work themselves to exhaustion.  This certainly doesn’t help morale or guarantee good work and the short term effect is absenteeism. Employees that don’t turn up for work even though you’re paying them.

According to research by Acutec, UK businesses lose an average of 4.3 days a year per employee to absenteeism – that’s an average of £554 per employee. For a team of 10, that’s £5,540 just on sick days. And as your team has a crucial job of keeping your business protected, their unplanned absences could cost your business a whole lot more.

The long term effect of burnout could be very damaging too. You could lose your best employees permanently.

Why? They didn’t take the job to do admin. (Manual triage is a lot like admin, after all.) They’re passionate about security and to not be able to make a difference in their role and make their company safer is breaking them. Refer to the recruitment costs above to see what this could cost you.

Business continuity and reputation costs

The purpose of your IT security team is to protect your business against attack so if manual triage is occupying their time, driving absences or pushing them to quit, the protection won’t be there.

If a vulnerability is exploited and it disrupts business operations or causes your clients’ or customers’ data to become compromised that could have serious consequences on your reputation and future.

It’s hard to put a figure on the cost of business interruption but according to IBM, the global average cost of a data breach is a hefty $4.24 million.

The answer?

When you add up these potential costs, manual triage might not look like such a smart option after all. However, this does not mean you instead invest tens of thousands of pounds a month in a vulnerability prioritisation system like the enterprises do. Not only is the price not necessary but it takes the control away from your team. Instead, why not take a look at RankedRight – the automated triage platform that follows the rules you’ve set? It could make a very cost-effective option.