Why do so many security teams never have a budget for security? Is it because they think they have all the tools they need and there are no new security threats evolving this year? Highly unlikely. What amazes me is that corporations always find security budget when something does happen. Usually it is in the millions of dollars, because we all know it is much more expensive to remediate an issue than to proactively block it.
So how do you convince your company to invest in cloud security if they don’t have budget for it? It should be a simple matter of mathematics. Let’s take Microsoft Office 365 as a simple example.
The math here is to consider how much infrastructure, how many man-hours and how much project planning are required to maintain Microsoft Exchange in-house. Depending on the number of employees, you need to scale compute, storage and network switches. In addition to ever-increasing storage (how many people use email as a file store?), you need to consider backups and DR/business continuity. Then add the man-hours needed for maintenance and version upgrades, and the PMs needed to schedule changes as well as DR testing. When you add these up, it is an easy sell to show the ROI and savings associated with Office 365.
The only thing Microsoft doesn’t really drill deep into is the security around the solution. They’ll provide physical security on access to their servers and maintenance on OS and software versions, but securing data is still your responsibility. Data security is probably one of the main reason