A Return to the Scene of the Crime: The Messy Role of ROI in Security Technology

Mar 04 2020

“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”

How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments. 

Our colleagues in business talk ROI, return on investment, frequently, as they have been long conditioned with the need to be able to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models. 

So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business. 

In our business within the business, we are really only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (e.g., insurance). The challenge most of us have encountered with these three factors is that we haven’t been very good at collecting the required data and doing the calculations needed to make sense of them. This is evidenced by the many programs that have taken broad-brush approaches, applying controls wherever gaps or problems exist, resulting in many cases where a $500 risk has a $100,000,000 control applied to it. This creates friction with the consumers of our services, and with it longer-term challenges for the justification of future investments.

Total Cost of Ownership as a Starting Point?

One area where we can actually bring solid empirical data to bear is the total cost of ownership (TCO) for the processes and supporting technologies that underpin the services we provide our customers. Most of us have spent a lot of time developing metrics around all of the activities we do in support of our businesses. This metric data, along with other publicly available information, can be used to drive us towards relatively accurate ownership costs for the services and technologies we invest in.

Take, for example, the case for determining the people costs associated with the daily analysis of incident investigations. If I know that on average my response team is spending 20% of their day on investigation activities, that I have two dedicated resources on that team, and that the fully loaded resources cost $75 per hour, I can determine that this process, from a human capital perspective, consumes a little more than 800 man-hours per year to execute and costs our business around $60,000. If I then understand the inventory of all of the technology tools needed to run these processes, I can factor in the annual cost of the supporting technology and have a pretty accurate depiction of the cost of that service. Does this, however, get me to a place where I can communicate an actual ROI? Not quite. 

The Cost of Risk?

Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged very well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leadership, and are clouded by the lack of good data we have as inputs. 

For example, if the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intended to better manage or reduce that risk is $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.), and how accurate is our data in determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets them and ultimately chooses to enable you to invest can obviously be influenced by these and many other factors. In speaking to many in the industry, as well as from my own experience as a practitioner, the challenge is often one of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels financially, you could really be fighting an uphill battle. Imagine asking for an investment to reduce what you have calculated as $10M worth of risk due to a business process lacking controls, when the CFO considers $110M a rounding error. Do you think you are going to get the investment you need?
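The TCO arithmetic from the incident-investigation example and the ALE comparison above can be carried through with the uncertainty in the inputs kept visible. This is an added example, not from the original article; the 2,080-hour work year, the `effectiveness` factor, and the impact and probability ranges are assumptions constructed for illustration.

```python
# Added illustration: TCO and ALE as described in the article, with the
# uncertainty in the ALE inputs carried through instead of hidden.
HOURS_PER_YEAR = 2080  # assumption: 40 h/week x 52 weeks per analyst


def labor_cost(analysts, share_of_day, hourly_rate):
    """Annual hours and cost of a process from the team's time share."""
    hours = analysts * share_of_day * HOURS_PER_YEAR
    return hours, hours * hourly_rate


def ale(impact, probability):
    """Annualized loss expectancy: cost of an incident x yearly chance."""
    return impact * probability


def control_case(tco, impact_range, prob_range, effectiveness):
    """Compare a control's annual TCO with the loss it is expected to avoid.

    impact_range and prob_range are (low, high) estimates; effectiveness is
    the assumed fraction of the ALE the control removes (0..1).
    """
    lo = ale(impact_range[0], prob_range[0]) * effectiveness - tco
    hi = ale(impact_range[1], prob_range[1]) * effectiveness - tco
    # Yearly probability at which avoided loss equals TCO, worst-case impact.
    break_even = tco / (impact_range[1] * effectiveness)
    if lo >= 0:
        verdict = "justified"
    elif hi < 0:
        verdict = "not justified on cost alone"
    else:
        verdict = "depends on input accuracy"
    return {"net_low": lo, "net_high": hi,
            "break_even_probability": break_even, "verdict": verdict}


if __name__ == "__main__":
    hours, cost = labor_cost(analysts=2, share_of_day=0.20, hourly_rate=75)
    print(f"investigation labor: {hours:.0f} h/year, ${cost:,.0f}/year")
    # Constructed inputs: a $400,000 incident at 10%/year gives the article's
    # $40,000 risk; the ranges stand for how unsure those estimates are.
    print(control_case(tco=65_000, impact_range=(400_000, 400_000),
                       prob_range=(0.10, 0.10), effectiveness=1.0))
    print(control_case(tco=65_000, impact_range=(200_000, 800_000),
                       prob_range=(0.05, 0.20), effectiveness=0.8))
```

With point estimates the $65,000 control loses to the $40,000 risk; once the inputs are expressed as ranges, the same control can land on either side of break-even, which is the data-quality question the CFO will ask.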

Considerations for Better Outcomes

  • Make a concerted effort to inventory and organize all the services your business within a business delivers to its customers. Spend time calculating the total cost of ownership of all of those services to transparently communicate the labor and technology costs to the business. This will enable you to begin communicating with business leadership on terms they understand and will also enable you to prioritize the future evaluation of different technologies with the aim of either providing the same service at a lower cost or providing that service in a more effective manner from the perspective of reducing or managing risk. The ability to project these TCO calculations across a 3-5 year plan in the context of “cost of risk” and “cost of control” can be a game-changer for future program investment. 
  • Get the data. Spend time getting the data associated with the problems, risks, costs, or control deficiencies you are trying to solve for. Challenge your assertions and the data you are collecting. Do we truly have real and accurate data points that enable any relevant calculation of the cost of risk? Do we have better sources of data for understanding if our evaluation of probability is accurate? Have these conversations with your business partners and gain their insights to drive towards a more holistic and business-centric outcome. (We could spend all day on this topic alone!) 
  • Spend time understanding the organizational view on risk tolerance and where those financial thresholds exist to understand those limits and how they are managed. It will likely be very eye-opening to gain that insight and will allow you to better position the things you can accurately calculate or otherwise have better data on. This will help you avoid going to the CFO’s office with the wrong message or wrong analysis, enabling more informed decision making as you analyze priority. Is there more value in reducing the cost of an expensive control where the risk is low than just adding a new control? And does it make sense to just fund the new control with the savings from the other?
  • Avoid the “pie in the sky” vendor-calculated data analysis around ROI. They are even less prepared than you when it comes to understanding the context of your organization, the probability of a given event, or your operating costs. A true “partner” should be willing to sit down and understand your TCO, understand the services that you provide today, and be able to help you articulate the following:
    • How can the proposed technology investment reduce the operating cost of an existing process or service that I deliver? (i.e. like for like but cheaper / requiring less labor, etc.)
    • How can the proposed technology investment improve the effectiveness of an existing process or service that I deliver from a risk perspective? (i.e. improves the effectiveness of a specific overall control or provides a control/risk reduction opportunity that was not possible before, etc.)
    • How can the proposed technology investment provide for future enablement and/or future opportunities for risk reduction by “future-proofing” your architecture or control environment? This means investing in building-block capabilities that are aligned with where your business is going, as opposed to waiting for the business to identify “friction” or a use case that your current services do not cover.
    • How can the proposed technology investment provide for enhanced or improved value from my existing investments? We’ve all heard that the value of the optimal individual on a team is one who makes everyone around them better. The same should be considered when investing in technology; how can this investment make all of my other investments better? (i.e. Can it help me address more use cases? Can it reduce my operational burden? Does it eliminate the need to build a manual integration between technologies? etc.)

Is ROI really dead? Not really. What we are really driving for are better outcomes from the services we offer to our customers: our business partners. Understanding the detailed operating costs for all of our technology investments, coupled with being able to measure the effectiveness of those processes and technologies in helping to manage risk, better positions us to speak the language of business.

The real elements of ROI here are: establishing a clearer understanding of risk in our businesses (and influencing it), being able to provide transparency around the costs and effectiveness of the services we deliver to our customers, challenging our long-held assertions around probability vs impact in our environment with better data, and forcing ourselves to use all of this to reduce the operating cost and friction of the controls, not for just today, but as we invest in transforming our security programs. 

As Wayne Gretzky once said, “A good hockey player plays where the puck is, a great hockey player plays where the puck is going to be”. Similarly, a good security team is managing where the business is today, whereas a great one is also managing where the business is going to be tomorrow.

Nathan Smolenski
Nathan is an experienced CISO & risk management and tech leader with over 19 years across financial services, management consulting, insurance, and software verticals.