Besuchen Sie uns beim SASE Summit von Netskope und kommen Sie in eine Stadt in Ihrer Nähe! Registrieren Sie sich jetzt.

  • Edge-Produkte von Security Service

    Schützen Sie sich vor fortgeschrittenen und cloudfähigen Bedrohungen und schützen Sie Daten über alle Vektoren hinweg.

  • Borderless SD-WAN

    Stellen Sie selbstbewusst sicheren, leistungsstarken Zugriff auf jeden Remote-Benutzer, jedes Gerät, jeden Standort und jede Cloud bereit.

  • Plattform

    Unübertroffene Transparenz und Daten- und Bedrohungsschutz in Echtzeit in der weltweit größten privaten Sicherheits-Cloud.

Die Plattform der Zukunft heißt Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) und Private Access for ZTNA sind nativ in einer einzigen Lösung integriert, um jedes Unternehmen auf seinem Weg zum Secure Access Service zu unterstützen Edge (SASE)-Architektur.

Netskope Produktübersicht
Netskope-Video
Borderless SD-WAN: Der Beginn der neuen Ära des Borderless Enterprise

Netskope Borderless SD-WAN bietet eine Architektur, die Zero-Trust-Prinzipien und gesicherte Anwendungsleistung zusammenführt, um beispiellos sichere, leistungsstarke Konnektivität für jeden Standort, jede Cloud, jeden Remote-Benutzer und jedes IoT-Gerät bereitzustellen.

Read the article
Borderless SD-WAN
Netskope bietet einen modernen Cloud-Security-Stack mit vereinheitlichten Funktionen für Daten- und Bedrohungsschutz sowie sicherem privaten Zugriff.

Erkunden Sie unsere Plattform
Städtische Metropole aus der Vogelperspektive
Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr über NewEdge erfahren
Beleuchtete Schnellstraße mit Serpentinen durch die Berge
Ermöglichen Sie die sichere Nutzung generativer KI-Anwendungen mit Anwendungszugriffskontrolle, Benutzercoaching in Echtzeit und erstklassigem Datenschutz.

Erfahren Sie, wie wir den Einsatz generativer KI sichern
Safely Enable ChatGPT and Generative AI
Zero-Trust-Lösungen für SSE- und SASE-Deployments

Learn about Zero Trust
Bootsfahrt auf dem offenen Meer
Netskope ermöglicht einen sicheren, cloudintelligenten und schnellen Weg zur Einführung von Cloud-Diensten, Apps und Public-Cloud-Infrastrukturen.

Learn about Industry Solutions
Windkraftanlagen entlang einer Klippe
  • Unsere Kunden

    Netskope bedient mehr als 2.000 Kunden weltweit, darunter mehr als 25 der Fortune 100-Unternehmen

  • Kundenlösungen

    Wir sind für Sie da, stehen Ihnen bei jedem Schritt zur Seite und sorgen für Ihren Erfolg mit Netskope.

  • Schulung und Zertifizierung

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Wir helfen unseren Kunden, auf alles vorbereitet zu sein

Sehen Sie sich unsere Kunden an
Lächelnde Frau mit Brille schaut aus dem Fenster
Das talentierte und erfahrene Professional Services-Team von Netskope bietet einen präskriptiven Ansatz für Ihre erfolgreiche Implementierung.

Learn about Professional Services
Netskope Professional Services
Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Learn about Training and Certifications
Gruppe junger Berufstätiger bei der Arbeit
  • Ressourcen

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Security Service Edge (SSE) ermöglicht.

  • Veranstaltungen& Workshops

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Bonus-Episode 2: Der magische Quadrant für SSE und SASE richtig machen
Mike und Steve diskutieren den Gartner® Magic Quadrant™ für Security Service Edge (SSE), die Positionierung von Netskope und wie sich das aktuelle Wirtschaftsklima auf die SASE-Reise auswirken wird.

Podcast abspielen
Bonus-Episode 2: Der magische Quadrant für SSE und SASE richtig machen
Neueste Blogs

Wie Netskope die Zero-Trust- und SASE-Reise durch Security Service Edge (SSE)-Funktionen ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel
Netskope AWS Immersion Day World Tour 2023

Netskope hat eine Vielzahl von praktischen Labors, Workshops, ausführlichen Webinaren und Demos entwickelt, um AWS-Kunden bei der Verwendung und Bereitstellung von Netskope-Produkten zu schulen und zu unterstützen.

Learn about AWS Immersion Day
AWS-Partner
Was ist Security Service Edge?

Entdecken Sie die Sicherheitselemente von SASE, die Zukunft des Netzwerks und der Security in der Cloud.

Learn about Security Service Edge
Kreisverkehr mit vier Straßen
  • Unternehmen

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Warum Netskope?

    Cloud-Transformation und hybrides Arbeiten haben die Art und Weise verändert, wie Sicherheit umgesetzt werden muss.

  • Leadership

    Unser Leadership-Team ist fest entschlossen, alles zu tun, was nötig ist, damit unsere Kunden erfolgreich sind.

  • Partner

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Unterstützung der Nachhaltigkeit durch Datensicherheit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus
Supporting Sustainability Through Data Security
Am besten in der Ausführung. Am besten in Sachen Vision.

Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.

Report abrufen
Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.
Denker, Architekten, Träumer, Innovatoren. Gemeinsam liefern wir hochmoderne Cloud-Sicherheitslösungen, die unseren Kunden helfen, ihre Daten und Mitarbeiter zu schützen.

Lernen Sie unser Team kennen
Gruppe von Wanderern erklimmt einen verschneiten Berg
Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Learn about Netskope Partners
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft

A Return to the Scene of the Crime: The Messy Role of ROI in Security Technology

Mar 04 2020

“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”

How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments. 

Our colleagues in business talk ROI, return on investment, frequently, as they have been long conditioned with the need to be able to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models. 

So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business. 

In our business within the business, we really are only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (i.e. insurance, etc). The challenge most of us have encountered with these three factors is that we haven’t been really good at collecting the required data and doing the calculations needed to effectively make sense of them. This is evidenced by so many programs who have effectively taken broad brush approaches to apply controls where gaps or problems exist, resulting in many cases where a $500 risk has a $100,000,000 control applied to it. This creates friction with the consumers of our services, thus creating longer-term challenges for the justification of future investments. 

Total Cost of Ownership as a Starting Point?

One area in which we can actually put some solid empirical data around is the total cost of ownership (TCO) for the processes and supporting technologies that underpin the services we provide our customers. Most of us have spent a lot of time developing metrics around all of the activities we do in support of our businesses. This metric data, along with other publicly available information, can be used to drive us towards relatively accurate ownership costs for the services and technologies we invest in. 

Take, for example, the case for determining the people costs associated with the daily analysis of incident investigations. If I know that on average my response team is spending 20% of their day on investigation activities, that I have two dedicated resources on that team, and that the fully loaded resources cost $75 per hour, I can determine that this process, from a human capital perspective, consumes a little more than 800 man-hours per year to execute and costs our business around $60,000. If I then understand the inventory of all of the technology tools needed to run these processes, I can factor in the annual cost of the supporting technology and have a pretty accurate depiction of the cost of that service. Does this, however, get me to a place where I can communicate an actual ROI? Not quite. 

The Cost of Risk?

Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged very well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leadership, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is the $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.) and how accurate is our data in determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from my own experience as a practitioner, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels financially, you could really be fighting an uphill battle. Imagine asking for an investment to reduce what you have calculated as $10M worth of risk due to a business process with lacking controls, but the CFO considers $110M as a rounding error? Do you think you are going to get the investment you need? 

Considerations for Better Outcomes

  • Make a concerted effort to inventory and organize all the services your business within a business delivers to its customers. Spend time calculating the total cost of ownership of all of those services to transparently communicate the labor and technology costs to the business. This will enable you to begin communicating with business leadership on terms they understand and will also enable you to prioritize the future evaluation of different technologies with the aim of either providing the same service at a lower cost or providing that service in a more effective manner from the perspective of reducing or managing risk. The ability to project these TCO calculations across a 3-5 year plan in the context of “cost of risk” and “cost of control” can be a game-changer for future program investment. 
  • Get the data. Spend time getting the data associated with the problems, risks, costs, or control deficiencies you are trying to solve for. Challenge your assertions and the data you are collecting. Do we truly have real and accurate data points that enable any relevant calculation of the cost of risk? Do we have better sources of data for understanding if our evaluation of probability is accurate? Have these conversations with your business partners and gain their insights to drive towards a more holistic and business-centric outcome. (We could spend all day on this topic alone!) 
  • Spend time understanding the organizational view on risk tolerance and where those financial thresholds exist to understand those limits and how they are managed. It will likely be very eye-opening to gain that insight and will allow you to better position the things you can accurately calculate or otherwise have better data on. This will help you avoid going to the CFO’s office with the wrong message or wrong analysis, enabling more informed decision making as you analyze priority. Is there more value in reducing the cost of an expensive control where the risk is low than just adding a new control? And does it make sense to just fund the new control with the savings from the other?
  • Avoid the “pie in the sky” vendor-calculated data analysis around ROI. They are even less prepared than you when it comes to understanding the context of your organization, the probability of a given event, or your operating costs. A true “partner” should be willing to sit down and understand your TCO, understand the services that you provide today, and be able to help you articulate the following:
    • How can the proposed technology investment reduce the operating cost of an existing process or service that I deliver? (i.e. like for like but cheaper / requiring less labor, etc.)
    • How can the proposed technology investment improve the effectiveness of an existing process or service that I deliver from a risk perspective? (i.e. improves the effectiveness of a specific overall control or provides a control/risk reduction opportunity that was not possible before, etc.)
    • How can the proposed technology investment provide for future enablement and/or future opportunities for risk reduction by “future-proofing” your architecture or control environment? Investing in building block capabilities that are aligned in projecting where your business is going as opposed to waiting for the business to identify “friction” or a use case that your current services do not cover. 
    • How can the proposed technology investment provide for enhanced or improved value from my existing investments? We’ve all heard that the value of the optimal individual on a team is one who makes everyone around them better. The same should be considered when investing in technology; how can this investment make all of my other investments better? (i.e. Can it help me address more use cases? Can it reduce my operational burden? Does it eliminate the need to build a manual integration between technologies? etc.)

Is ROI really dead? Not really. What we really are driving for are better outcomes from the services we offer to our customers; our business partners. Understanding the detailed operating costs for all of our technology investments, coupled with being able to measure the effectiveness of those processes and technologies to help manage risk, better positions us to speak the language of business. 

The real elements of ROI here are: establishing a clearer understanding of risk in our businesses (and influencing it), being able to provide transparency around the costs and effectiveness of the services we deliver to our customers, challenging our long-held assertions around probability vs impact in our environment with better data, and forcing ourselves to use all of this to reduce the operating cost and friction of the controls, not for just today, but as we invest in transforming our security programs. 

As Wayne Gretzky once said, “A good hockey player plays where the puck is, a great hockey player plays where the puck is going to be”. Similarly, a good security team is managing where the business is today, whereas a great one is also managing where the business is going to be tomorrow.

author image
Nathan Smolenski
Nathan is an experienced CISO & risk management and technology leader with over 19 years of experience across financial services, management consulting, insurance, and software industry verticals. He currently serves as Director, Head of Enterprise Security Strategy as a member of the global strategy team at Netskope, focused on digital transformation and the impacts on cybersecurity programs and strategies.