Quantifizieren Sie den Wert von Netskope One SSE – Holen Sie sich die Forrester Total Economic Impact-Studie™ 2024

Schließen
Schließen
  • Warum Netskope? Chevron

    Verändern Sie die Art und Weise, wie Netzwerke und Sicherheit zusammenarbeiten.

  • Unsere Kunden Chevron

    Netskope betreut weltweit mehr als 3.400 Kunden, darunter mehr als 30 der Fortune 100

  • Unsere Partner Chevron

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Ein führendes Unternehmen im Bereich SSE. Jetzt ein führender Anbieter von SASE.

Erfahren Sie, warum Netskope im Gartner® Magic Quadrant™️ 2024 für Single-Vendor Secure Access Service Edge als Leader debütiert

Report abrufen
Kundenvisionäre im Rampenlicht

Lesen Sie, wie innovative Kunden mithilfe der Netskope One-Plattform erfolgreich durch die sich verändernde Netzwerk- und Sicherheitslandschaft von heute navigieren.

Jetzt das E-Book lesen
Kundenvisionäre im Rampenlicht
Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Erfahren Sie mehr über Netskope-Partner
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft
Ihr Netzwerk von morgen

Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.

Whitepaper lesen
Ihr Netzwerk von morgen
Netskope Cloud Exchange

Cloud Exchange (CE) von Netskope gibt Ihren Kunden leistungsstarke Integrationstools an die Hand, mit denen sie in jeden Aspekt ihres Sicherheitsstatus investieren können.

Erfahren Sie mehr über Cloud Exchange
Luftaufnahme einer Stadt
  • Security Service Edge Chevron

    Schützen Sie sich vor fortgeschrittenen und cloudfähigen Bedrohungen und schützen Sie Daten über alle Vektoren hinweg.

  • SD-WAN Chevron

    Stellen Sie selbstbewusst sicheren, leistungsstarken Zugriff auf jeden Remote-Benutzer, jedes Gerät, jeden Standort und jede Cloud bereit.

  • Secure Access Service Edge Chevron

    Netskope One SASE bietet eine Cloud-native, vollständig konvergente SASE-Lösung eines einzelnen Anbieters.

Die Plattform der Zukunft heißt Netskope

Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Netskope Produktübersicht
Netskope-Video
Next Gen SASE Branch ist hybrid – verbunden, sicher und automatisiert

Netskope Next Gen SASE Branch vereint kontextsensitives SASE Fabric, Zero-Trust Hybrid Security und SkopeAI-Powered Cloud Orchestrator in einem einheitlichen Cloud-Angebot und führt so zu einem vollständig modernisierten Branch-Erlebnis für das grenzenlose Unternehmen.

Erfahren Sie mehr über Next Gen SASE Branch
Menschen im Großraumbüro
SASE-Architektur für Dummies

Holen Sie sich Ihr kostenloses Exemplar des einzigen Leitfadens zum SASE-Design, den Sie jemals benötigen werden.

Jetzt das E-Book lesen
SASE-Architektur für Dummies – E-Book
Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr über NewEdge erfahren
Beleuchtete Schnellstraße mit Serpentinen durch die Berge
Ermöglichen Sie die sichere Nutzung generativer KI-Anwendungen mit Anwendungszugriffskontrolle, Benutzercoaching in Echtzeit und erstklassigem Datenschutz.

Erfahren Sie, wie wir den Einsatz generativer KI sichern
ChatGPT und Generative AI sicher aktivieren
Zero-Trust-Lösungen für SSE- und SASE-Deployments

Erfahren Sie mehr über Zero Trust
Bootsfahrt auf dem offenen Meer
Netskope erhält die FedRAMP High Authorization

Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.

Erfahren Sie mehr über Netskope GovCloud
Netskope GovCloud
  • Ressourcen Chevron

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog Chevron

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Secure Access Service Edge (SASE) ermöglicht

  • Events und Workshops Chevron

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined Chevron

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Prognosen für 2025
In dieser Folge von Security Visionaries diskutieren wir mit Kiersten Todt, President bei Wondros und ehemaliger Stabschef der Cybersecurity and Infrastructure Security Agency (CISA), über Prognosen für 2025 und darüber hinaus.

Podcast abspielen Alle Podcasts durchsuchen
Prognosen für 2025
Neueste Blogs

Lesen Sie, wie Netskope die Zero-Trust- und SASE-Reise durch SASE-Funktionen (Secure Access Service Edge) ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel
SASE Week 2024 auf Abruf

Erfahren Sie, wie Sie sich in den neuesten Fortschritten bei SASE und Zero Trust zurechtfinden können, und erfahren Sie, wie sich diese Frameworks an die Herausforderungen der Cybersicherheit und Infrastruktur anpassen

Entdecken Sie Sitzungen
SASE Week 2024
Was ist SASE?

Erfahren Sie mehr über die zukünftige Konsolidierung von Netzwerk- und Sicherheitstools im heutigen Cloud-dominanten Geschäftsmodell.

Erfahre mehr zu SASE
  • Unternehmen Chevron

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Karriere Chevron

    Join Netskope's 3,000+ amazing team members building the industry’s leading cloud-native security platform.

  • Kundenlösungen Chevron

    Wir sind für Sie da, stehen Ihnen bei jedem Schritt zur Seite und sorgen für Ihren Erfolg mit Netskope.

  • Schulungen und Akkreditierungen Chevron

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Unterstützung der Nachhaltigkeit durch Datensicherheit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus
Unterstützung der Nachhaltigkeit durch Datensicherheit
Helfen Sie mit, die Zukunft der Cloudsicherheit zu gestalten

Bei Netskope arbeiten Gründer und Führungskräfte Schulter an Schulter mit ihren Kollegen, selbst die renommiertesten Experten kontrollieren ihr Ego an der Tür, und die besten Ideen gewinnen.

Tritt dem Team bei
Karriere bei Netskope
Die engagierten Service- und Support-Experten von Netskope sorgen dafür, dass Sie unsere Plattform erfolgreich einsetzen und den vollen Wert ihrer Plattform ausschöpfen können.

Gehen Sie zu Kundenlösungen
Netskope Professional Services
Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Erfahren Sie mehr über Schulungen und Zertifizierungen
Gruppe junger Berufstätiger bei der Arbeit

A Return to the Scene of the Crime: The Messy Role of ROI in Security Technology

Mar 04 2020

“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”

How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments. 

Our colleagues in business talk ROI, return on investment, frequently, as they have been long conditioned with the need to be able to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models. 

So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business. 

In our business within the business, we really are only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (i.e. insurance, etc). The challenge most of us have encountered with these three factors is that we haven’t been really good at collecting the required data and doing the calculations needed to effectively make sense of them. This is evidenced by so many programs who have effectively taken broad brush approaches to apply controls where gaps or problems exist, resulting in many cases where a $500 risk has a $100,000,000 control applied to it. This creates friction with the consumers of our services, thus creating longer-term challenges for the justification of future investments. 

Total Cost of Ownership as a Starting Point?

One area in which we can actually put some solid empirical data around is the total cost of ownership (TCO) for the processes and supporting technologies that underpin the services we provide our customers. Most of us have spent a lot of time developing metrics around all of the activities we do in support of our businesses. This metric data, along with other publicly available information, can be used to drive us towards relatively accurate ownership costs for the services and technologies we invest in. 

Take, for example, the case for determining the people costs associated with the daily analysis of incident investigations. If I know that on average my response team is spending 20% of their day on investigation activities, that I have two dedicated resources on that team, and that the fully loaded resources cost $75 per hour, I can determine that this process, from a human capital perspective, consumes a little more than 800 man-hours per year to execute and costs our business around $60,000. If I then understand the inventory of all of the technology tools needed to run these processes, I can factor in the annual cost of the supporting technology and have a pretty accurate depiction of the cost of that service. Does this, however, get me to a place where I can communicate an actual ROI? Not quite. 

The Cost of Risk?

Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged very well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leadership, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is the $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.) and how accurate is our data in determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from my own experience as a practitioner, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels financially, you could really be fighting an uphill battle. Imagine asking for an investment to reduce what you have calculated as $10M worth of risk due to a business process with lacking controls, but the CFO considers $110M as a rounding error? Do you think you are going to get the investment you need? 

Considerations for Better Outcomes

  • Make a concerted effort to inventory and organize all the services your business within a business delivers to its customers. Spend time calculating the total cost of ownership of all of those services to transparently communicate the labor and technology costs to the business. This will enable you to begin communicating with business leadership on terms they understand and will also enable you to prioritize the future evaluation of different technologies with the aim of either providing the same service at a lower cost or providing that service in a more effective manner from the perspective of reducing or managing risk. The ability to project these TCO calculations across a 3-5 year plan in the context of “cost of risk” and “cost of control” can be a game-changer for future program investment. 
  • Get the data. Spend time getting the data associated with the problems, risks, costs, or control deficiencies you are trying to solve for. Challenge your assertions and the data you are collecting. Do we truly have real and accurate data points that enable any relevant calculation of the cost of risk? Do we have better sources of data for understanding if our evaluation of probability is accurate? Have these conversations with your business partners and gain their insights to drive towards a more holistic and business-centric outcome. (We could spend all day on this topic alone!) 
  • Spend time understanding the organizational view on risk tolerance and where those financial thresholds exist to understand those limits and how they are managed. It will likely be very eye-opening to gain that insight and will allow you to better position the things you can accurately calculate or otherwise have better data on. This will help you avoid going to the CFO’s office with the wrong message or wrong analysis, enabling more informed decision making as you analyze priority. Is there more value in reducing the cost of an expensive control where the risk is low than just adding a new control? And does it make sense to just fund the new control with the savings from the other?
  • Avoid the “pie in the sky” vendor-calculated data analysis around ROI. They are even less prepared than you when it comes to understanding the context of your organization, the probability of a given event, or your operating costs. A true “partner” should be willing to sit down and understand your TCO, understand the services that you provide today, and be able to help you articulate the following:
    • How can the proposed technology investment reduce the operating cost of an existing process or service that I deliver? (i.e. like for like but cheaper / requiring less labor, etc.)
    • How can the proposed technology investment improve the effectiveness of an existing process or service that I deliver from a risk perspective? (i.e. improves the effectiveness of a specific overall control or provides a control/risk reduction opportunity that was not possible before, etc.)
    • How can the proposed technology investment provide for future enablement and/or future opportunities for risk reduction by “future-proofing” your architecture or control environment? Investing in building block capabilities that are aligned in projecting where your business is going as opposed to waiting for the business to identify “friction” or a use case that your current services do not cover. 
    • How can the proposed technology investment provide for enhanced or improved value from my existing investments? We’ve all heard that the value of the optimal individual on a team is one who makes everyone around them better. The same should be considered when investing in technology; how can this investment make all of my other investments better? (i.e. Can it help me address more use cases? Can it reduce my operational burden? Does it eliminate the need to build a manual integration between technologies? etc.)

Is ROI really dead? Not really. What we really are driving for are better outcomes from the services we offer to our customers; our business partners. Understanding the detailed operating costs for all of our technology investments, coupled with being able to measure the effectiveness of those processes and technologies to help manage risk, better positions us to speak the language of business. 

The real elements of ROI here are: establishing a clearer understanding of risk in our businesses (and influencing it), being able to provide transparency around the costs and effectiveness of the services we deliver to our customers, challenging our long-held assertions around probability vs impact in our environment with better data, and forcing ourselves to use all of this to reduce the operating cost and friction of the controls, not for just today, but as we invest in transforming our security programs. 

As Wayne Gretzky once said, “A good hockey player plays where the puck is, a great hockey player plays where the puck is going to be”. Similarly, a good security team is managing where the business is today, whereas a great one is also managing where the business is going to be tomorrow.

author image
Nathan Smolenski
Nathan is an experienced CISO & risk management and tech leader with over 19 years across financial services, mgmt.. consulting, insurance, and software verticals.
Nathan is an experienced CISO & risk management and tech leader with over 19 years across financial services, mgmt.. consulting, insurance, and software verticals.

Bleiben Sie informiert!

Abonnieren Sie den Netskope-Blog