ネットスコープは2024年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラントでリーダーの1社として評価されました。 レポートを読む

閉める
閉める
  • Netskopeが選ばれる理由 シェブロン

    ネットワークとセキュリティの連携方法を変える。

  • 導入企業 シェブロン

    Netskope は世界中で 3,000 を超える顧客にサービスを提供しており、その中にはフォーチュン 100 企業の 25 以上が含まれます

  • パートナー シェブロン

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

実行能力とビジョンの完全性において
最上位の評価

ネットスコープが2024年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラントで3年連続リーダーの1社として評価された理由をご覧ください。

レポートを読む
Netskope、2024年ガートナー®マジッククアドラント™セキュリティサービスエッジ部門でリーダーに選出 メニューのグラフィック
私たちは、お客様が何にでも備えることができるように支援します

お客様について
窓の外を見て微笑むメガネをかけた女性
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

Netskope パートナーについて学ぶ
色々な若い専門家が集う笑顔のグループ
明日に向けたネットワーク

サポートするアプリケーションとユーザー向けに設計された、より高速で、より安全で、回復力のあるネットワークへの道を計画します。

ホワイトペーパーはこちら
明日に向けたネットワーク
Netskope One プラットフォームの紹介

Netskope One は、SASE とゼロトラスト変革を可能にする統合型セキュリティおよびネットワーキング サービスを提供するクラウドネイティブ プラットフォームです。

Netskope One について学ぶ
青い照明の抽象画
セキュアアクセスサービスエッジ(SASE)アーキテクチャの採用

Netskope NewEdgeは、世界最大かつ最高のパフォーマンスのセキュリティプライベートクラウドであり、比類のないサービスカバレッジ、パフォーマンス、および回復力を顧客に提供します。

NewEdgeの詳細
NewEdge
Netskope Cloud Exchange

Netskope Cloud Exchange (CE) は、セキュリティポスチャに対する投資を活用するための強力な統合ツールを提供します。

Cloud Exchangeについて学ぶ
Netskopeの動画
  • セキュリティサービスエッジ製品 シェブロン

    高度なクラウド対応の脅威から保護し、あらゆるベクトルにわたってデータを保護

  • Borderless SD-WAN シェブロン

    すべてのリモートユーザー、デバイス、サイト、クラウドへ安全で高性能なアクセスを提供

  • Secure Access Service Edge シェブロン

    Netskope One SASE は、クラウドネイティブで完全に統合された単一ベンダーの SASE ソリューションを提供します。

未来のプラットフォームはNetskopeです

インテリジェントセキュリティサービスエッジ(SSE)、クラウドアクセスセキュリティブローカー(CASB)、クラウドファイアウォール、セキュアウェブゲートウェイ(SWG)、およびZTNAのプライベートアクセスは、単一のソリューションにネイティブに組み込まれており、セキュアアクセスサービスエッジ(SASE)アーキテクチャへの道のりですべてのビジネスを支援します。

製品概要はこちら
Netskopeの動画
Next Gen SASE Branch はハイブリッドである:接続、保護、自動化

Netskope Next Gen SASE Branchは、コンテキストアウェアSASEファブリック、ゼロトラストハイブリッドセキュリティ、 SkopeAI-Powered Cloud Orchestrator を統合クラウド製品に統合し、ボーダレスエンタープライズ向けに完全に最新化されたブランチエクスペリエンスを実現します。

Next Gen SASE Branchの詳細はこちら
オープンスペースオフィスの様子
SASEアーキテクチャの設計 For Dummies

SASE設計について網羅した電子書籍を無償でダウンロード

電子書籍を入手する
最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

NewEdgeの詳細
山腹のスイッチバックを通るライトアップされた高速道路
アプリケーションのアクセス制御、リアルタイムのユーザーコーチング、クラス最高のデータ保護により、生成型AIアプリケーションを安全に使用できるようにします。

生成AIの使用を保護する方法を学ぶ
ChatGPTと生成AIを安全に有効にする
SSEおよびSASE展開のためのゼロトラストソリューション

ゼロトラストについて学ぶ
大海原を走るボート
NetskopeがFedRAMPの高認証を達成

政府機関の変革を加速するには、Netskope GovCloud を選択してください。

Netskope GovCloud について学ぶ
Netskope GovCloud
  • リソース シェブロン

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ シェブロン

    Netskope がセキュリティ サービス エッジ (SSE) を通じてセキュリティとネットワークの変革を実現する方法を学びます

  • イベント&ワークショップ シェブロン

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ シェブロン

    サイバーセキュリティ百科事典、知っておくべきすべてのこと

「セキュリティビジョナリー」ポッドキャスト

On Patents, Trolls, and Innovation
In this episode host Emily Wearmouth chats with Suzanne Oliver, an intellectual property expert, and Krishna Narayanaswamy, co-founder and CTO of Netskope, about the world of patents.

ポッドキャストを再生する
On Patents, Trolls, and Innovation
最新のブログ

Netskope がセキュリティ サービス エッジ (SSE) 機能を通じてゼロ トラストと SASE の導入をどのように実現できるかをご覧ください。

ブログを読む
日の出と曇り空
SASE Week 2023年:SASEの旅が今始まります!

第4回 SASE Weekのリプレイセッション。

セッションの詳細
SASE Week 2023
セキュリティサービスエッジとは

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

セキュリティサービスエッジの詳細
4方向ラウンドアバウト
  • 会社概要 シェブロン

    クラウド、データ、ネットワークセキュリティの課題に対して一歩先を行くサポートを提供

  • リーダーシップ シェブロン

    Netskopeの経営陣はお客様を成功に導くために全力を尽くしています。

  • カスタマーソリューション シェブロン

    お客様の成功のために、Netskopeはあらゆるステップを支援いたします。

  • トレーニングと認定 シェブロン

    Netskopeのトレーニングで、クラウドセキュリティのスキルを学ぶ

データセキュリティによる持続可能性のサポート

Netskope は、持続可能性における民間企業の役割についての認識を高めることを目的としたイニシアチブである「ビジョン2045」に参加できることを誇りに思っています。

詳しくはこちら
データセキュリティによる持続可能性のサポート
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
雪山を登るハイカーのグループ
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

プロフェッショナルサービスについて学ぶ
Netskopeプロフェッショナルサービス
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

トレーニングと認定資格について学ぶ
働く若い専門家のグループ

A Return to the Scene of the Crime: The Messy Role of ROI in Security Technology

Mar 04 2020

“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”

How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments. 

Our colleagues in business talk ROI, return on investment, frequently, as they have been long conditioned with the need to be able to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models. 

So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business. 

In our business within the business, we really are only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (i.e. insurance, etc). The challenge most of us have encountered with these three factors is that we haven’t been really good at collecting the required data and doing the calculations needed to effectively make sense of them. This is evidenced by so many programs who have effectively taken broad brush approaches to apply controls where gaps or problems exist, resulting in many cases where a $500 risk has a $100,000,000 control applied to it. This creates friction with the consumers of our services, thus creating longer-term challenges for the justification of future investments. 

Total Cost of Ownership as a Starting Point?

One area in which we can actually put some solid empirical data around is the total cost of ownership (TCO) for the processes and supporting technologies that underpin the services we provide our customers. Most of us have spent a lot of time developing metrics around all of the activities we do in support of our businesses. This metric data, along with other publicly available information, can be used to drive us towards relatively accurate ownership costs for the services and technologies we invest in. 

Take, for example, the case for determining the people costs associated with the daily analysis of incident investigations. If I know that on average my response team is spending 20% of their day on investigation activities, that I have two dedicated resources on that team, and that the fully loaded resources cost $75 per hour, I can determine that this process, from a human capital perspective, consumes a little more than 800 man-hours per year to execute and costs our business around $60,000. If I then understand the inventory of all of the technology tools needed to run these processes, I can factor in the annual cost of the supporting technology and have a pretty accurate depiction of the cost of that service. Does this, however, get me to a place where I can communicate an actual ROI? Not quite. 

The Cost of Risk?

Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged very well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles like time and money and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leadership, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is the $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.) and how accurate is our data in determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from my own experience as a practitioner, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels financially, you could really be fighting an uphill battle. Imagine asking for an investment to reduce what you have calculated as $10M worth of risk due to a business process with lacking controls, but the CFO considers $110M as a rounding error? Do you think you are going to get the investment you need? 

Considerations for Better Outcomes

  • Make a concerted effort to inventory and organize all the services your business within a business delivers to its customers. Spend time calculating the total cost of ownership of all of those services to transparently communicate the labor and technology costs to the business. This will enable you to begin communicating with business leadership on terms they understand and will also enable you to prioritize the future evaluation of different technologies with the aim of either providing the same service at a lower cost or providing that service in a more effective manner from the perspective of reducing or managing risk. The ability to project these TCO calculations across a 3-5 year plan in the context of “cost of risk” and “cost of control” can be a game-changer for future program investment. 
  • Get the data. Spend time getting the data associated with the problems, risks, costs, or control deficiencies you are trying to solve for. Challenge your assertions and the data you are collecting. Do we truly have real and accurate data points that enable any relevant calculation of the cost of risk? Do we have better sources of data for understanding if our evaluation of probability is accurate? Have these conversations with your business partners and gain their insights to drive towards a more holistic and business-centric outcome. (We could spend all day on this topic alone!) 
  • Spend time understanding the organizational view on risk tolerance and where those financial thresholds exist to understand those limits and how they are managed. It will likely be very eye-opening to gain that insight and will allow you to better position the things you can accurately calculate or otherwise have better data on. This will help you avoid going to the CFO’s office with the wrong message or wrong analysis, enabling more informed decision making as you analyze priority. Is there more value in reducing the cost of an expensive control where the risk is low than just adding a new control? And does it make sense to just fund the new control with the savings from the other?
  • Avoid the “pie in the sky” vendor-calculated data analysis around ROI. They are even less prepared than you when it comes to understanding the context of your organization, the probability of a given event, or your operating costs. A true “partner” should be willing to sit down and understand your TCO, understand the services that you provide today, and be able to help you articulate the following:
    • How can the proposed technology investment reduce the operating cost of an existing process or service that I deliver? (i.e. like for like but cheaper / requiring less labor, etc.)
    • How can the proposed technology investment improve the effectiveness of an existing process or service that I deliver from a risk perspective? (i.e. improves the effectiveness of a specific overall control or provides a control/risk reduction opportunity that was not possible before, etc.)
    • How can the proposed technology investment provide for future enablement and/or future opportunities for risk reduction by “future-proofing” your architecture or control environment? Investing in building block capabilities that are aligned in projecting where your business is going as opposed to waiting for the business to identify “friction” or a use case that your current services do not cover. 
    • How can the proposed technology investment provide for enhanced or improved value from my existing investments? We’ve all heard that the value of the optimal individual on a team is one who makes everyone around them better. The same should be considered when investing in technology; how can this investment make all of my other investments better? (i.e. Can it help me address more use cases? Can it reduce my operational burden? Does it eliminate the need to build a manual integration between technologies? etc.)

Is ROI really dead? Not really. What we really are driving for are better outcomes from the services we offer to our customers; our business partners. Understanding the detailed operating costs for all of our technology investments, coupled with being able to measure the effectiveness of those processes and technologies to help manage risk, better positions us to speak the language of business. 

The real elements of ROI here are: establishing a clearer understanding of risk in our businesses (and influencing it), being able to provide transparency around the costs and effectiveness of the services we deliver to our customers, challenging our long-held assertions around probability vs impact in our environment with better data, and forcing ourselves to use all of this to reduce the operating cost and friction of the controls, not for just today, but as we invest in transforming our security programs. 

As Wayne Gretzky once said, “A good hockey player plays where the puck is, a great hockey player plays where the puck is going to be”. Similarly, a good security team is managing where the business is today, whereas a great one is also managing where the business is going to be tomorrow.

author image
Nathan Smolenski
Nathan is an experienced CISO & risk management and technology leader with over 19 years of experience across financial services, management consulting, insurance, and software industry verticals. He currently serves as Director, Head of Enterprise Security Strategy as a member of the global strategy team at Netskope, focused on digital transformation and the impacts on cybersecurity programs and strategies.

Stay informed!

Subscribe for the latest from the Netskope Blog