Security consultancies will tell you that the explosive growth of system vulnerabilities and the risks of not complying with regulatory requirements, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), require network architects to purchase vulnerability assessment (VA) consulting.
We say, "Why bother?"
Packaged VA solutions provide an affordable basis for systematic, repeatable methodologies that demonstrate compliance if used correctly (see "VA Deployment Tips" on page 49). The packaged VA solution architectures carry a common theme: They have matured to the point where inexperienced administrators can perform the sorts of security scans and analysis that were once the domain of hardcore security engineers.
What's more, they cost a lot less than VA consulting. We know, because we ran an in-depth TCO analysis of the VA products and services on the market. We priced VA solutions (see "TCO Analysis Details") that will detect and suggest ways to remediate potential application-, transport-, and network-layer holes in a company's security posture. Prices quoted here are list prices; street prices will likely be less. However, the most important items to consider are the internal costs for each solution, so we'll concentrate on those.
We found that while a consultancy's one-time scan of a large DMZ can cost between $250,000 and $350,000, that price would cover a substantial portion of a very large VA deployment, which on average runs $752,000. Third-party consulting services are most appropriate for one-time or periodic scans and audits of key network segments, such as DMZ servers that hold financial or confidential data.