CIOs are coming to terms with the realization that even their most robust cybersecurity functions are not effectively addressing unsecured external data privacy. The social engineering attack surface represents a dire vulnerability. The majority of data breaches today are accomplished by threat actors scraping unsecured external data from myriad available online sources to mount effective attacks on hardened information systems. All contemporary cybersecurity solutions are ineffective at preventing attacks along this vector.
As the role of unsecured external data in mounting social engineering attacks comes into focus, CIOs are faced with a difficult choice. Whether to develop in-house processes and practices to curtail the threat (build), or to outsource external data privacy management to the budding array of data privacy solution providers (buy). This document will examine the current costs allocated to data privacy as part of cybersecurity efforts. Then, it examines projected costs of standing up an internal program of people, process and technology to address the seemingly insurmountable volume of unsecured external data being used to devastating effect by threat actors in perpetrating data breaches. Following these examinations, the paper makes a compelling argument for outsourcing external data privacy management to a third-party solution provide like Privacy Bee for Business.
Current Costs of Data Privacy in Cybersecurity
Everyone knows that data security is something any serious cybersecurity program needs to address. Leaving aside for the moment the fact that most data security practices focus almost entirely on internal data security and fail to address the staggering problem of external data privacy, it is easy to conclude that data security practices are already very well-represented in most standard cybersecurity efforts. Most erroneously conclude that rising investment in cybersecurity – often a response to growth of data breaches – involves correlated increase in data privacy. A recent Ponemon Institute survey reveals almost 60% of U.S.-based companies increased their cybersecurity budgets this year over 2023 levels. However, damaging data breaches continue unabated on a daily basis.
Larry Ponemon, chairman and founder of the Ponemon Institute says, IT “professionals and senior leadership are becoming more cognizant of the importance in strengthening their security posture, resulting in the increase of cybersecurity budgets and allocating funds based on proven effectiveness in reducing security incidents.” The fact that data security as a segment of cybersecurity is allocated the least funding may be a reflection of the ineffectiveness of current data privacy practices. There is evidence to support this conclusion.
Well regarded analyst group, Forrester produces an annual cybersecurity benchmark report. Forrester’s 2024 Cybersecurity Benchmarks, Global report reveals that data security is, on average, 11.9% of the cybersecurity budget for organizations – from small to the largest. As the graphic below illustrates, this is the least significant portion of the overall dollar amount allocated to protecting information security and the risk of data breaches. The other facets of cybersecurity like Identity Access Management, System Defense, Incident Response, Security Analytics and GRC functions all receive more funding than data privacy.

According to Forrester and prevailing industry wisdom, privacy is vitally important to building and retaining trust of customers. Since privacy is core to customer trust today, Forrester reports funding for data privacy is protected even in the toughest budget cycles. However, the focus on internal data privacy is most driven by the demand for such security measures coming from legal and marketing – the two departments most sensitive to the consequences of unauthorized exposure to internal data. Legal for its role in dealing with angry customers and business partners when their data is compromised and marketing for its role in managing the reputational damage that follows such a breach.
Neither the legal nor marketing department is at all involved in preventative data privacy measures such as addressing the threat of unsecured external data which is the fuel powering the current epidemic of social engineering-fueled data breaches.
Putting the average spend on data security (as misplaced as it may be) into context, cybersecurity budgets average just 5.7% of annual IT spending across businesses of all sizes. It is difficult for many security teams to achieve success in protecting data privacy at this budget level – particularly for small to mid-sized businesses (SMB). According to Forrester data, SMB’s enterprise counterparts can spend quite a bit more in pursuit of data privacy. The average enterprise sized organization allocates around 12% of their IT budget towards cybersecurity, meaning a typical large company might spend between $2 million and $5 million annually on cybersecurity depending on their size and industry needs.
As compared to the global cybersecurity spend numbers from Forrester’s report, Ponemon research shows US based organizations allocated as much as $26 million on average for cybersecurity initiatives in 2024, with 46% of respondents reporting a year-over-year spending increase above 25%. This high level of investment is likely a response to the blossoming number of data breaches experienced by sixty-one percent of organizations represented in the Ponemon research. A result of having experienced a data breach or cybersecurity incident in the past two years. (More than half of respondents (55%) said their organization has experienced more than four to five of such incidents!)
Where the Current Cybersecurity Spend is Being Allocated
The Forrester graphic below illustrates how the spend is allocated between personnel, hardware, software and outsourcing solutions. Personnel and software represent the two largest buckets of spend allocation.

A majority (61%) of organizations allocate cybersecurity investments based on “proven effectiveness in reducing security incidents,” according to the research. Assessing threats and risks facing the organization ranked as another top method (53%).
Thirty-six percent of respondents said their organization has no formal approach for determining their cybersecurity budget. Optiv, the sponsor of the Ponemon research sums up this challenge saying, “This lack of formal budgeting practices can lead to inefficiencies and missed opportunities to address critical security gaps”.
Using the high-end average numbers of cybersecurity spend to derive the approximate cost of managing data privacy (5% for global organizations and 26% for US organizations) – and assuming an 11.9% budget allocation specifically toward data privacy protection – companies are spending between $595,000 and $3.1 million on data privacy protection as part of their overall cybersecurity budgets annually.
So, to summarize:
- IT leaders, CIOs etc. are aware of the challenge of protecting data privacy
- Spend on cybersecurity is rising in response to the growing frequency of data breaches
- IAM, system defenses, incident response, threat analytics and GRC all receive more investment than data privacy
- Despite spending half a million to more than three million dollars annually on data privacy, organizations are still routinely victimized by data breaches
- Data privacy protection efforts focus on internal data privacy and ignore the actual problem of unsecured external data privacy risk
Contemporary Solutions for Cybersecurity and Data Privacy
There are many ways to address the problem of cybersecurity including data privacy protection. Different organizations will necessarily adopt their own strategy to meet the challenge. All of the common methodologies revolve around standing up infrastructure to monitor and manage an organization’s security apparatus and (hopefully) identify threats before or very soon after they emerge. As Forrester research reinforces, personnel and software are the two most significant resources used to address cybersecurity. The same is true for dealing specifically with data privacy – particularly external data privacy. The problem with all these methodologies is that they are reactive at best and unable to prevent attacks at worst.
Some use automation technologies alone. Others use a mix of technology and human assets to accomplish the stated goal of protecting against all manner of cyber-attack. The following are the predominant methods in use and all involve a mix of personnel and software. These can either be developed in house, delivered “as-a-service” from a growing array of solution providers, or completely outsourced to a third-party.
Managed Detection and Response (MDR)
Typically delivered as a third-party cybersecurity service, MDR relies on a combination of technology and human resources to monitor networks, endpoints and cloud environments. Providers of MDR solutions use advanced analytics, threat assessments/intelligence and behavioral analysis to identify and neutralize potential threats. MDR helps organizations better understand their cybersecurity risks and minimize damage by improving incident detection, rapid response and containment. MDR solutions commonly include 24x7x365 monitoring, proactive threat hunting, threat investigations and provide expert-managed guided response and remediation.
MDR doesn’t address or stem the flood of unsecured external data used to develop and deploy sophisticated social engineering attacks. Privacy Bee for Business delivers external data privacy risk assessments to attain quantifiable metrics for data privacy.
Security Information and Event Management (SIEM)
Specializes in gathering, analyzing, and correlating security event data to identify threats and respond promptly. SIEM solutions track network activity and provide real-time alerts. SIEM relies primarily on log data from numerous sources. It typically involves having security analysts write rules governing data privacy (and other security concerns) and then monitoring for instances where these rules are being broken. SIEM solutions often require significant hardware and software deployments as well as human resources (analysts etc.) and can be cost prohibitive for SMBs.
SIEM may identify social engineering as a threat, but it doesn’t address or stem the flood of unsecured external data used to develop and deploy sophisticated social engineering attacks. Privacy Bee for Business informs SIEM with real-time threat profiles for every employee and executive. Even every third-party business partner and all third-party personnel with any level of secure system access. All the personnel and software needed to identify unsecured external data privacy threats and secure (remove) said data are included in the modest per-user subscription cost.
Security Automation and Response (SOAR)
SOAR addresses cybersecurity challenges similarly to SIEM, but it focuses specifically on automating and orchestrating incident responses helping truncate response times to security incidents. SOAR platforms integrate with a broader array of tech tools across platforms and often integrate with SIEM activities as well. SOAR automates decision-making and creates automatic responses to defined threats.
SOAR may improve the efficiency of threat responses – even threats posed by social engineering attacks. But it doesn’t do anything to address unsecured external data so it is ineffective at protecting the social engineering attack surface. Better than truncating response times to attacks after they’ve occurred; Privacy Bee for Business automates the identification of unsecured external data and delivers the manpower to cleanse this exposed external data from nearly everywhere it resides on the web.
[Read more on SIEM and SOAR in Privacy Bee for Business white paper “How Reconnaissance Transforms Cybersecurity from Reactive to Preventative” for more detail on how to overlay external data privacy management atop your existing SIEM/SOAR solutions.]
The cost to stand up MDR, SOAR and SIEM solutions – whether in house, as-a-service or fully outsourced – can vary widely. For the purposes of this paper, the following includes the costs associated with standing up a Security Operations Center (SOC) which is a popular methodology for cybersecurity management and one that best lends itself to addressing and mitigating the threats associated with unsecured external data privacy.
The Cost of Building a SOC for Cybersecurity and Data Privacy
A centralized unit that monitors and manages an organization’s security posture. SOCs are responsible for detecting, analyzing, investigating, and responding to cyber threats. They also establish security measures and protocols to prevent future threats. SOCs are typically staffed by security professionals who work around the clock in shifts to ensure a rapid response to threats.
Data from Arctic Wolf and Netsurion suggests Building a Security Operations Center (SOC) can cost anywhere from a few hundred thousand dollars to several million dollars per year, depending on the desired level of maturity, required staffing, technology needs, and the scale of the network. The biggest cost factor typically being the salaries of security analysts on a 24/7 team; a basic SOC might cost around $1 million annually, while a more advanced one could reach $5 million or more.
Key factors affecting SOC cost:
Staffing:
The largest cost component, including salaries for security analysts, incident responders, SOC managers, and the need for 24/7 coverage.
Technology:
Costs of Security Information and Event Management (SIEM) tools, threat intelligence feeds, vulnerability scanners, network monitoring solutions, and other security software.
Infrastructure:
Hardware costs for workstations, servers, network equipment to support the SOC operations.
Training and Certification:
Ongoing training for analysts to maintain their skills and certifications.
Cost breakdown (approximate) for a basic SOC:
- Technology: $300,000
- Staffing (few analysts): $1 million per year
- Total: Around $1.5 million per year
Cost breakdown for an intermediate-level SOC:
- Technology: $400,000
- Staffing (larger team): $2.5 million per year
- Total: Around $2.5 million per year
Cost breakdown for an advanced SOC:
- Technology: $1.1 million
- Staffing (highly skilled team): $5 million per year
- Total: Around $5 million per year
Argument for Outsourcing External Data Privacy Management
Your organization may have any of the above cybersecurity management methodologies already in place. Or, it may have none. For most organizations, a significant amount of budget is already being applied to address cybersecurity and internal data privacy protections. Privacy Bee for Business offers a compelling value because it delivers a proven-effective means to dramatically reduce the potential for data breaches and other cybersecurity threats by applying a laser-focus on the outsized role of unsecured external data on overall security. Whether applied as a method for strengthening existing cybersecurity efforts or as a means of establishing a cost-effective preventative measure against social engineering and other external data privacy-fueled attacks, the Privacy Bee for Business platform is a winning strategy.
For organizations with existing MDR service or having already implemented SIEM practices and/or SOAR automation, adding an external data privacy management overlay through Privacy Bee for Business can dramatically improve results for a very affordable price. For those organizations with a more piecemeal approach to cyber security, implementing the Privacy Bee for Business solution can deliver many of the benefits of these other strategies at a tiny fraction of the cost. Consider Privacy Bee for Business a managed service provider (MSP) delivering comprehensive external data privacy management for a small fraction of what it would cost an organization to manage the detection of unsecured external data and then to manage its removal on an ongoing basis from the thousands of Data Brokers, People Search Sites, public records and social media where it resides.
Though it is not typically regarded as a cybersecurity practice, the deletion of unsecured external data is crucial to the efficacy of cybersecurity efforts. The volume of data in question is so significant that most info sec leaders don’t even regard its identification and removal as feasible. Fewer yet believe it could be cost-effective to address the removal of the very data used routinely by threat actors to plan and execute dramatic systems intrusions, data breaches and exfiltration. Those that have made in-house forays into trying to manage unsecured external data quickly learn that without a strictly organized and ongoing process to manage data subject access requests (the process of removing unsecured exposures) trying to do so becomes an exercise in futility.
In the absence of such a process, here’s what commonly occurs:
- Organization issues DSAR/Deletion requests to any number of Data Brokers, People Search Sites or other locations where unsecured PII has been detected by automated scanning
- Weeks of follow up and correspondence ensues, and deletions are ultimately achieved for most of the DSARs issued
- Each People Search Site or list reseller purchases new or receives refreshed data from the Data Brokers as part of its license/contract
- The unsecured data on the organization’s personnel is restored to the People Search Sites’ databases
So, in many cases, the data that had recently been removed because of the DSAR process is quickly returned to the same places. Because there are so many locations housing unsecured external data – each on its own schedule of refreshes – it would require a full-time team to keep the data from returning and being used to mount social engineering attacks. Why strain already tight IT budgets to manage external data privacy in house when Privacy Bee for Business offers the requisite technology and extensive manpower as a managed service?
Additionally, consider that beyond data breach risk mitigation, the Privacy Bee for Business platform also delivers value through increased productivity (by minimizing unsolicited business spam and telemarketing), decreasing identity theft, promoting hardened physical security for top executives, and lowering HR costs by reducing exposure to talent poaching.
The return on investment into Privacy Bee for Business as either a standalone cybersecurity platform for the SMB or a managed service overlay to existing enterprise-level cybersecurity programs is broken down in detail. To review a detailed ROI calculation read the “Calculating the ROI Into External Data Privacy Management Solutions” white paper.
In that paper, using the Gartner group’s figures for average cost of a data breach in 2023 – $8.64 million – Privacy Bee for Business can derive the following cost conclusions. The conclusions include the cost savings associated not only with the costs of data breach, but also those associated with HR poaching, physical security, lost productivity and identity theft.
Using the per-employee value figure from each of the individual solution elements/factors defined in the ROI white paper, a complete Return on Investment calculation is derived. The calculations reveal that every employee covered by the Privacy Bee for Business managed service avoids a potential $14,636 in savings by adding the value sums:
- $8.148 for Data Breach Risk Mitigation
- $3,623 for Productivity Increase
- $108 for Identity Theft Protection
- $1,069 for Physical Safety and
- $1,688 for Poach Defense
Given that the approximate cost per employee, per year to apply the Privacy Bee for Business solution is $200, the ROI delivered is an eye-popping 7429%.
For a smaller organization of 300 employees, the annual cost of Privacy Bee for Business is approximately $60,000 compared to the $1,500,000 estimated cost of deploying an SOC.
For the mid-sized organization of around 1000 employees, the annual cost of Privacy Bee for Business is approximately $200,000 compared to the $2,500,000 estimated cost of deploying an SOC.
For a large organization of 5000 employees the annual cost of Privacy Bee for Business is approximately $1 million compared to the $500,000,000 estimated cost of deploying an SOC.
Conclusion
Every organization’s cybersecurity needs and existing capabilities are different and the costs of buying or building additional capacities vary widely. Whether deploying Privacy Bee for Business as a standalone managed service or as an adjunct to existing investment and infrastructure, the costs of doing so are negligible while the cost of inaction in unthinkable.
