Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Products

    Netskope products are built on the Netskope Security Cloud.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report Go to Products Overview
Netskope gartner mq 2022 sse leader

Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform
Birds eye view metropolitan city

Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more
Lighted highway through mountainside switchbacks

Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more
Lighting storm over metropolitan area

Zero trust solutions for SSE and SASE deployments

Learn more
Boat driving through open sea

Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
Wind turbines along cliffside
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window

Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn more
Netskope Professional Services

Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn more
Group of young professionals working
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Episode 15: Building Permanent Security Awareness

Play the podcast
Black man sitting in conference meeting

Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky

SASE Week

Netskope is positioned to help you begin your journey and discover where Security, Networking, and Zero Trust fit in the SASE world.

Learn more
SASE Week

What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
Four-way roundabout
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more
Curvy road through wooded area

Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more
Switchback road atop a cliffside

Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain

Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Group of diverse young professionals smiling

A Return to the Scene of the Crime: The Messy Role of ROI in Security Technology

Mar 04 2020

“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”

How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments. 

Our colleagues in business talk ROI, return on investment, frequently, as they have been long conditioned with the need to be able to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models. 

So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business. 

In our business within the business, we really are only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (i.e. insurance, etc). The challenge most of us have encountered with these three factors is that we haven’t been really good at collecting the required data and doing the calculations needed to effectively make sense of them. This is evidenced by so many programs who have effectively taken broad brush approaches to apply controls where gaps or problems exist, resulting in many cases where a $500 risk has a $100,000,000 control applied to it. This creates friction with the consumers of our services, thus creating longer-term challenges for the justification of future investments. 

Total Cost of Ownership as a Starting Point?

One area in which we can actually put some solid empirical data around is the total cost of ownership (TCO) for the processes and supporting technologies that underpin the services we provide our customers. Most of us have spent a lot of time developing metrics around all of the activities we do in support of our businesses. This metric data, along with other publicly available information, can be used to drive us towards relatively accurate ownership costs for the services and technologies we invest in. 

Take, for example, the case for determining the people costs associated with the daily analysis of incident investigations. If I know that on average my response team is spending 20% of their day on investigation activities, that I have two dedicated resources on that team, and that the fully loaded resources cost $75 per hour, I can determine that this process, from a human capital perspective, consumes a little more than 800 man-hours per year to execute and costs our business around $60,000. If I then understand the inventory of all of the technology tools needed to run these processes, I can factor in the annual cost of the supporting technology and have a pretty accurate depiction of the cost of that service. Does this, however, get me to a place where I can communicate an actual ROI? Not quite. 

The Cost of Risk?

Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged very well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leadership, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is the $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.) and how accurate is our data in determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from my own experience as a practitioner, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels financially, you could really be fighting an uphill battle. Imagine asking for an investment to reduce what you have calculated as $10M worth of risk due to a business process with lacking controls, but the CFO considers $110M as a rounding error? Do you think you are going to get the investment you need? 

Considerations for Better Outcomes

  • Make a concerted effort to inventory and organize all the services your business within a business delivers to its customers. Spend time calculating the total cost of ownership of all of those services to transparently communicate the labor and technology costs to the business. This will enable you to begin communicating with business leadership on terms they understand and will also enable you to prioritize the future evaluation of different technologies with the aim of either providing the same service at a lower cost or providing that service in a more effective manner from the perspective of reducing or managing risk. The ability to project these TCO calculations across a 3-5 year plan in the context of “cost of risk” and “cost of control” can be a game-changer for future program investment. 
  • Get the data. Spend time getting the data associated with the problems, risks, costs, or control deficiencies you are trying to solve for. Challenge your assertions and the data you are collecting. Do we truly have real and accurate data points that enable any relevant calculation of the cost of risk? Do we have better sources of data for understanding if our evaluation of probability is accurate? Have these conversations with your business partners and gain their insights to drive towards a more holistic and business-centric outcome. (We could spend all day on this topic alone!) 
  • Spend time understanding the organizational view on risk tolerance and where those financial thresholds exist to understand those limits and how they are managed. It will likely be very eye-opening to gain that insight and will allow you to better position the things you can accurately calculate or otherwise have better data on. This will help you avoid going to the CFO’s office with the wrong message or wrong analysis, enabling more informed decision making as you analyze priority. Is there more value in reducing the cost of an expensive control where the risk is low than just adding a new control? And does it make sense to just fund the new control with the savings from the other?
  • Avoid the “pie in the sky” vendor-calculated data analysis around ROI. They are even less prepared than you when it comes to understanding the context of your organization, the probability of a given event, or your operating costs. A true “partner” should be willing to sit down and understand your TCO, understand the services that you provide today, and be able to help you articulate the following:
    • How can the proposed technology investment reduce the operating cost of an existing process or service that I deliver? (i.e. like for like but cheaper / requiring less labor, etc.)
    • How can the proposed technology investment improve the effectiveness of an existing process or service that I deliver from a risk perspective? (i.e. improves the effectiveness of a specific overall control or provides a control/risk reduction opportunity that was not possible before, etc.)
    • How can the proposed technology investment provide for future enablement and/or future opportunities for risk reduction by “future-proofing” your architecture or control environment? Investing in building block capabilities that are aligned in projecting where your business is going as opposed to waiting for the business to identify “friction” or a use case that your current services do not cover. 
    • How can the proposed technology investment provide for enhanced or improved value from my existing investments? We’ve all heard that the value of the optimal individual on a team is one who makes everyone around them better. The same should be considered when investing in technology; how can this investment make all of my other investments better? (i.e. Can it help me address more use cases? Can it reduce my operational burden? Does it eliminate the need to build a manual integration between technologies? etc.)

Is ROI really dead? Not really. What we really are driving for are better outcomes from the services we offer to our customers; our business partners. Understanding the detailed operating costs for all of our technology investments, coupled with being able to measure the effectiveness of those processes and technologies to help manage risk, better positions us to speak the language of business. 

The real elements of ROI here are: establishing a clearer understanding of risk in our businesses (and influencing it), being able to provide transparency around the costs and effectiveness of the services we deliver to our customers, challenging our long-held assertions around probability vs impact in our environment with better data, and forcing ourselves to use all of this to reduce the operating cost and friction of the controls, not for just today, but as we invest in transforming our security programs. 

As Wayne Gretzky once said, “A good hockey player plays where the puck is, a great hockey player plays where the puck is going to be”. Similarly, a good security team is managing where the business is today, whereas a great one is also managing where the business is going to be tomorrow.

author image
Nathan Smolenski
Nathan is an experienced CISO & risk management and technology leader with over 19 years of experience across financial services, management consulting, insurance, and software industry verticals. He currently serves as Director, Head of Enterprise Security Strategy as a member of the global strategy team at Netskope, focused on digital transformation and the impacts on cybersecurity programs and strategies.