Fidelis Blog


Building a Business Case for Security that the CFO Can Understand

One of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: “What’s the value?” Determining the ROI of a new security product isn’t always an exact science. There are no hard-and-fast rules to follow – which is why generic ROI calculators should be avoided at all costs (pun intended).

But why is it so hard? Why can’t vendors just wow you with the promise of savings of 100%? The science of security is a moving target. Much like snowflakes, every organization is unique – its existing infrastructure, the size of the organization, what’s at risk, what a security incident means to it, and so on. The list of variables goes on and on. And most organizations will define success a bit differently.

There’s also a dirty little secret when it comes to security tools. Most of them don’t actually save you any time or money. Or, at least they don’t save you any hard dollars and cents that you can point to and measure. In fact, most security tools create more work. They generate new alerts, which your already-overburdened security team has to investigate and track down.

So, what’s an organization to do when the CFO comes calling? Building a business case is all about presenting the numbers. In security, the biggest benefit will always be reduced risk. “Buy this tool (or hire this person) and bad things are less likely to happen,” the vendor will tell you. And it’s true. But the problem is that when it comes to talking to your CFO or CISO, it’s also theoretical. It leads you into a debate about how likely it is that bad things are really going to happen (“What would anyone want to steal from us?”). The other problem is that it’s likely the same justification that was used to make the case for the last five security products you bought.

Now don’t get me wrong. Reduced risk is absolutely important. But what’s equally important – and, in fact, I would argue more important when it comes to actually justifying an incremental security investment – is how much time and/or people a new tool will save you. Will it make you more efficient? Will it let your tier 1 analysts do the tasks of a tier 2 analyst? Will it let your tier 3 analysts do the work of an incident responder? If so, those are hard dollars that any CFO can understand. And while the reduced risk that comes with the tool may be the reason you want to buy the tool, it becomes the icing on the cake for the finance and procurement team.

Here are a few other hard costs to consider as you build your business case:

  • Can it automate tedious day-to-day activities?
  • Does it improve the time it takes to resolve a threat?
  • Will it help you consolidate your security stack (e.g. reduce the number of agents operating on endpoints or the number of network security appliances in your rack)?
  • Can it improve the quality of your incident response?

We recently commissioned Forrester Consulting to do an economic analysis of the benefits realized by Fidelis Network®. In short, the Total Economic Impact™ study found that a composite organization, modeled on the interviewed customers, experiences risk-adjusted benefits of $2.7 million over a three-year period, with 46% of those benefits coming from hard benefits, including increased productivity and reduced hardware costs. Take a look and tell us what you think.

 -Kristen Cooper, VP Product Marketing
