Source: Bromium

New Research Reveals Hidden Costs: Enterprises Spend Over $16M Annually to Support Detection-Based Security

Labor costs soar because of detection-based failures, making TCO far greater than expected

CUPERTINO, Calif., Feb. 06, 2018 (GLOBE NEWSWIRE) -- Bromium®, Inc., the pioneer and leader in application isolation using virtualization-based security, today announced the findings of an independent global survey uncovering the surging hidden costs of reactive, detection-based security intended to protect the organization. The initial, upfront licencing and deployment investment in security-detection tools like anti-virus is dwarfed by the cost of human skills and effort to manage and assess the millions of alerts and false-positive threat intelligence generated. The research, based on a survey of 500 CISOs from global enterprises, is part of a wider report: The Hidden Costs of Detect-to-Protect.

Key findings include:

  • The average annual cost to maintain detect-to-protect endpoint security is $16,714,186, per enterprise
  • Organizations invest $345,300 per year¹ on detect-to-protect security tools, but this cost is minimal compared to the hidden human costs
  • Labor costs are soaring as a direct result of detection-based technology failures:
    • SOC teams receive over 1M alerts every year, but 75 percent are false positives
    • SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching
  • Altogether, that’s 417,148 hours per year, resulting in an annual labor cost of $16,368,886², per enterprise

“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” said Gregory Webb, CEO, Bromium. “It’s no surprise that 63 percent of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.

“Meanwhile, advanced malware is still getting through because cyber criminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organizations must consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd.”

The research shows that organizations are investing in multiple security layers to defend against hackers, including: Advanced Threat Detection (annual spend $159,220); next-generation and traditional anti-virus (annual spend $44,200); whitelisting and blacklisting ($29,540 annual spend), and detonation environments ($112,340 annual spend). However, these technologies are dependent on detection first, and therefore are fundamentally flawed and only stop the known.

Organizations expect the upfront costs of a security stack; however, as the research shows, the total cost of ownership is much higher than expected. During evaluations, CISOs need to be asking questions that uncover the hidden costs, such as:

  • Where are most of the attacks happening?
  • Are advanced threats getting through current defenses?
  • Is employee productivity negatively impacted by current security measures?
  • How many alerts are being generated? Of those, how many are false positives?
  • Is it likely that machines will still get compromised and need to be rebuilt?

“Application isolation provides the last line of defense in the new security stack and is the only way to tame the spiralling labor costs that result from detection-based solutions,” Webb concludes. “Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned. It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyze the full kill chain.”

For more information about Bromium and to view the infographic and report, please click here.

The research was conducted by researchers at Vanson Bourne. The sample consisted of 500 CISOs from large enterprises sized from 1,000 to 5,000+ employees, across the USA (200), UK (200) and Germany (100).

About Bromium, Inc.

Bromium protects your brand, data and people using virtualization-based security. We convert an enterprise’s largest liability - endpoints and servers - into its best defense. By combining our patented hardware-enforced containerization to deliver application isolation and control, with a distributed Sensor Network to protect across all major threat vectors and attack types, we stop malware in its tracks. Unlike traditional security technologies, Bromium automatically isolates threats and adapts to new attacks using behavioral analysis and instantly shares threat intelligence to eliminate the impact of malware. Bromium offers defense-grade security and counts a rapidly growing set of Fortune 500 companies and government agencies as customers.



United Kingdom
Spark Communications
+020 7436 0420

United States
Mullikin Communications

¹ The $345,300 cost is based on an average 2,000-person organization.
² Workforce costs are calculated based on an average hourly rate of $39.24 for a cybersecurity professional.