Strategy

How to Budget for EASM

By Tim Matthews
Chief Marketing Officer
November 18, 2024

External Attack Surface Management, or EASM, has become a necessary component of a proactive cybersecurity strategy. According to research from Enterprise Strategy Group, over 65% of breaches stem from a compromised, externally exposed asset, so knowing your attack surface is key to avoiding breaches. For this reason, Gartner recommends EASM as a key pillar of the new approach to proactive security it calls Exposure Management.

As a new item in the cybersecurity stack, many teams have no context for how and how much to budget for EASM. This post will give you some basic guidance.

What is EASM and how does it fit into a security program?

EASM refers to the process of identifying, analyzing, and mitigating the vulnerabilities and risks associated with an organization’s external-facing digital assets, such as websites, applications, cloud environments, and network infrastructure. It involves monitoring and securing the exposed attack surface to prevent breaches and unauthorized access by threat actors, and most closely aligns with vulnerability management.

How much should you budget?

On the low end, basic security ratings tools and vulnerability scanning add-ons may cost in the $25-50K range, sometimes more. These, however, are not truly EASM, and require manual effort, miss assets, have high false positives, struggle with discovering cloud assets, and do not perform any testing.

Modern EASM products are typically priced per asset under management. An average enterprise has over 50,000 assets, according to CyCognito’s State of External Exposure Management report. Mid-market customers have 20,000 on average. Large enterprises may have hundreds of thousands of assets, even up to millions for some industries like telecommunications. Importantly, don’t budget based on your current understanding of your assets; most customers significantly undercount if they do not have EASM in place and are using manual methods to keep track of their assets.

So, the cost of EASM depends on the number of assets you have. It will also vary depending on whether you are simply discovering assets or actively testing those assets, which typically is an added cost. Mid-market customers can expect to pay in the $25-75K range. Large enterprises can expect $100-200K on average. Of course, if your organization has lots of assets based on the business you are in, the price may be higher.

Which budget should it come from?

More and more enterprises are creating Exposure Management teams. Some have dedicated EASM staff. Companies with Exposure Management teams would hold the budget there.

If not, EASM is usually part of the Security Operations Center (SOC) budget, often specifically from the vulnerability management budget. If you are including testing in your EASM license, some of the budget may come from the AppSec team.

How many people will it take to implement?

Advanced EASM products typically run autonomously; staff are only needed to determine whether newly discovered unknown assets belong in the asset inventory and to help triage assets at risk. For smaller organizations, this can be as little as 4-8 hours a week, depending on that week's findings. Larger organizations may have a small team of 1-2 analysts focused on EASM, often also working on other teams such as vulnerability management (VM). Many MSSPs also offer EASM as a managed service.

How do you justify the cost?

The cost of EASM can be justified in terms of risk reduction, labor savings and efficiency gains, and software license and insurance premium cost reductions. 

Risk Reduction
  • Breach avoidance – two-thirds of breaches come from unknown or unmanaged assets.
  • M&A risk assessment – understanding the digital risk of a pending acquisition.
  • Attack surface reduction – reduce the scope of unknown risks and assets.

Labor Savings and Efficiency Gains [1]
  • Manual asset discovery – saves 60% of analyst time spent per week.
  • False positive triage – reduces hours spent manually validating alerts by 90%.
  • MTTR improvement – shortens MTTR by more than 50%.
  • Zero-day advisories – tracked and managed in minutes rather than days or weeks.

Premium and License Cost Reduction
  • Software license consolidation – EASM with testing can replace a bug bounty license and bounty pool entirely, and partially replace external pentesting spend.
  • Cyber insurance premium reduction – with improvements in security posture ratings, organizations are able to reduce their premiums, reduce their deductibles, and increase their coverage.

For more information on CyCognito’s license costs, please visit our pricing page. Or contact us to set up a time to discuss your specific requirements.

[1] Statistics from the Forrester Total Economic Impact report and CyCognito customer analysis.