The Total Economic Impact Of SecureWorks Managed Security Services

Transcription

1 Prepared for SecureWorks September 2006 The Total Economic Impact Of SecureWorks Managed Security Services Project Director: Jeffrey North, Senior Consultant

2 TABLE OF CONTENTS Executive Summary...4 Purpose...5 Methodology...5 Approach...5 Key Findings...5 Disclosures...6 MSS: Overview...7 Services...7 Infrastructure...8 Analysis...9 Interview Highlights...9 TEI Framework...10 Introduction...10 Framework Assumptions...10 Costs...10 Managed Security Services Fees...10 Internal Labor For MSS Administration...11 Total Costs...11 Benefits...11 Costs Avoided: In-House Security Team...12 Costs Avoided: Security Software And Hardware...12 Lowering The Risk Of Loss From Security Breaches...13 Total Benefits

3 Risk...14 Flexibility...18 TEI Framework: Summary...18 Study Conclusions...19 Appendix A: Total Economic Impact Overview...20 Benefits...20 Costs...20 Risk...20 Flexibility...20 Appendix B: Glossary...21 A Note On Cash Flow Tables...21 Appendix C: About The Project Manager...22 Appendix D: Endnotes , Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester's Ultimate Consumer Panel, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. 3

4 Executive Summary In September 2006, SecureWorks commissioned Forrester Consulting to examine the total economic impact and potential return on investment (ROI) enterprises may realize by engaging SecureWorks Managed Security Services (MSS). SecureWorks, the leading pure-play MSSP with over 1,500 clients and 5,000 devices managed and monitored around the world, enables organizations to protect their critical information assets from digitally borne threats and vulnerabilities through its managed security and consulting services. SecureWorks services deliver an enhanced security program, improved compliance, greater operations efficiency, and reduced security program costs. SecureWorks services include: Security information and event management Security event/log monitoring and analysis Network intrusion prevention Intrusion detection system management Firewall management Host intrusion prevention management Vulnerability assessment Threat intelligence Encrypted Professional services The customer profiled in this case study is a multibillion dollar international media company that owns newspapers, television stations, and Web sites in the United States and abroad. This customer utilizes SecureWorks Intrusion Detection System (IDS) management and security event/ log monitoring and analysis services. In conducting in-depth interviews with the client, Forrester found that this company significantly improved its security posture while avoiding the cost of staffing a full internal security team to provide the necessary defenses and expertise to protect this decentralized group of owned newspapers, television stations, and other media properties. Further, by relying on SecureWorks services, the customer s internal security team has evolved from a largely IT function to being a critical business function, concentrating on security strategy issues and business risk. Forrester calculated that this client achieved a return on investment (ROI) of 267% with a payback period of just several weeks. 4

5 Purpose The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of SecureWorks' MSS on their organizations. Forrester aims to demonstrate all calculations and assumptions used in the analysis. Readers should use this study to better understand and communicate a business case for investing in SecureWorks' MSS. Forrester has constructed a financial framework to examine the benefits, costs, risks, and flexibility options, and Forrester uses the client interviews to validate these elements. The case study contents and analyses are driven by the information provided by SecureWorks client. Methodology SecureWorks selected Forrester for this project because of Forrester s industry expertise in enterprise security technologies and threat management and Forrester s Total Economic Impact (TEI) methodology. TEI not only measures costs and cost reduction (areas that are typically accounted for within IT) but also weighs the enabling value of a technology in increasing the effectiveness of overall business processes. For this study, Forrester employed four fundamental elements of TEI in modeling MSS: 1. Costs 2. Benefits to the entire organization 3. Risk 4. Flexibility Given the increasing sophistication that enterprises have regarding cost analyses related to IT investments, Forrester s TEI methodology serves a useful purpose by providing a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology. Approach Forrester used a four-step approach for this study: 1. Forrester gathered data from existing Forrester research relevant to security and threat management. 2. Forrester interviewed SecureWorks marketing and product development personnel to fully understand the value proposition of MSS solutions. 3. Forrester conducted a series of in-depth interviews with an enterprise client that has engaged MSS. 4. Forrester constructed a financial model representative of the interviews, which are described in the TEI Framework section below. Key Findings Forrester s study yielded the following key findings: 5

6 ROI. Based on the interviews with an existing client, Forrester constructed a TEI framework and the associated ROI analysis illustrating the financial impact areas. As seen in Table 1, the risk-adjusted ROI for this company s engagement of MSS is 267% with a breakeven point (payback period) of just weeks after the deployment of SecureWorks' services. Benefits. The main benefit to this client has been the improved security posture and reduction in risk from digital threats resulting from engaging a highly qualified team of certified experts, obviating the cost and hiring and retention challenges of maintaining those capabilities in-house. Forrester conservatively estimated the value of these benefits at $1.2 million per year. Costs. The main costs for this implementation are services fees of approximately $306,000 per year. Table 1 illustrates the risk-adjusted cash flow for the client organization based on data and characteristics obtained during the interview process. Forrester risk-adjusts these values to take into account the potential uncertainty that exists in estimating the costs and benefits of a technology investment. The risk-adjusted value is meant to provide a conservative estimate, incorporating any potential risk factors that may later affect the original cost and benefit estimates. For a more indepth explanation of risk and risk adjustments used in this study, please see the Risk section. Table 1: Three Year ROI, Original And Risk-Adjusted Summary Financial Results Original Estimate Risk- Adjusted ROI 288% 267% Payback period (months) Total costs (PV) $850,495 $850,495 Total benefits (PV) $3,302,292 $3,124,067 Total (NPV) $2,451,796 $2,273,572 Disclosures The reader should be aware of the following: The study is commissioned by SecureWorks and delivered by the Forrester Consulting group. SecureWorks reviewed and provided feedback to Forrester, but Forrester maintained editorial control over the study and its findings. SecureWorks provided the names of customer organizations for the interviews. Forrester makes no assumptions as to the potential return on investment that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the report to determine the ROI of an investment in MSS. This study is not meant to be used as a competitive product analysis. 6

7 MSS: Overview According to SecureWorks, the company s suite of information security services delivers real-time protection and improved compliance to organizations of any size. The company s Managed Security Services (MSS) provides 24x7x365 security expertise, security event/log monitoring and analysis and security reporting. The company s consulting services provide enterprises with expert insight and advice to help them achieve their security objectives and comply with industry regulations. Below is a description of these services. Services Security Event/Log Monitoring and Analysis provides the real-time security event monitoring, correlation, and analysis of the security infrastructure and critical system logs to protect clients from known and unknown threats. Log Monitoring and Analysis enhances the security posture, improves operational efficiency, and reduces the costs associated with implementing a real-time, comprehensive security monitoring strategy. Security Information Event Management is the industry s first on-demand Security Information and Event Management (SIEM) solution. The SIEM service enables enterprises to attain all the benefits of this technology without the drawbacks associated with implementing a software solution. SecureWorks SIEM service is implemented rapidly and is delivered in-the-cloud, allowing enterprises to immediately begin analyzing and reporting on security event activity while eliminating the maintenance burden. Network Intrusion Prevention (IPS) stops targeted and random attacks by inspecting network traffic for malicious code or unusual patterns and blocking attempted attacks in real-time. The service leverages SecureWorks award-winning isensor IPS or other market leading appliances to perform deep packet inspection on all traffic traversing an organization s network. A team of security analysts monitors the IPS infrastructure 24x7 for new attack types, unusual patterns, and configuration changes to prevent malicious activity from harming critical information assets. Intrusion Detection System Management provides around-the-clock monitoring and full life cycle management of intrusion detection systems (IDS). This service provides an organization with increased protection against rapidly emerging threats, insider attacks, and other incidents affecting the environment, while eliminating the maintenance burden associated with implementing IDS technology. Firewall Management provides 24x7x365 total life cycle management and monitoring for optimum firewall security, availability, and performance. This service includes unlimited rule-set changes, expert policy auditing, and monitoring of the firewall logs to detect unknown threats in real-time. Firewall Management, as well as Intrusion Detection/Prevention System (IDS/IPS) Management, is delivered in either a co-managed fashion where clients maintain ownership and administrative privileges across their environment or as a fully managed solution where SecureWorks maintains control over their infrastructure. Host Intrusion Prevention provides an application firewall to ensure that the application is doing only what it is supposed to be doing. When encrypted traffic is received and decrypted by the operating system on the host machine, the HIPS agent intercepts instructions prior to reaching the application to prevent malicious activity. Threat Intelligence provides early warnings to emerging threats and actionable security intelligence tailored to a client s environment. SecureWorks research team is recognized by the industry as being first-to-market with emerging threats. The team leverages SecureWorks global monitoring footprint, as well as external sources to identify emerging threats. The team will then 7

8 issue an analysis of the threat, including remediation instructions, while taking action to protect clients by creating and deploying IDS/IPS signatures. Vulnerability Assessment provides an efficient solution to discover enterprise-wide assets, vulnerabilities (like out-of-date software, misconfigured applications and operating systems) residing on those assets and prioritize remediation efforts. The Vulnerability Assessment service removes the complexity of implementing a software-based solution, enabling organizations to quickly attain the information they need to fortify their environment. Encryption uses sophisticated lexicons to find confidential information or profanity that may not be appropriate for corporate communications. s are then automatically encrypted (or blocked or escalated) and are safely sent on to the intended recipients - with no action required by users. Recipients can easily open and decrypt s without the need for complicated and expensive certificates. Professional Services provide clients with an expert team of consultants to help them meet their security objectives. SecureWorks offers a wide range of services, including network assessments, Web application assessments, penetration tests, anti-phishing and compliance gap analyses. Infrastructure SecureWorks Secure Operation Centers. SecureWorks has Secure Operation Centers (SOC) located in Atlanta, GA, Myrtle Beach, SC., and Chicago, IL. These centers are fully redundant and provide seamless failover in case of emergency. SecureWorks SOCs are staffed by an expert team of Intrusion Analysts, who hold a variety of certifications including the SANS Institute Global Information Assurance Certification (GIAC) Intrusion Analyst and have an average of 3 and a half years experience as analysts. These experts have identified and handled thousands of critical threats for SecureWorks clients. Clients receive unlimited consultation with this team for on-demand security expertise to address any issue clients are facing. Also residing at the SOCs are SecureWorks industry-recognized team of security researchers. This team identifies and analyzes emerging threats to evaluate the risk that they pose to client environments and develop countermeasures to protect clients critical information assets. This team frequently serves as security sources for the media, publishes dozens of technical analyses to the security community, and speaks about emerging threats at many security conferences. SecureWorks Security Event Management Platform. The SecureWorks Security Event Management Platform was purpose-built to deliver superior log monitoring and analysis. The Platform aggregates and correlates alerts and log entries from almost any security device and critical information asset to identify known and unknown threats in real time. The Platform is highly scalable and currently processes billions of alerts and logs daily from SecureWorks clients to present analysts with actionable information they can use to stop attacks before damage is done. The Platform integrates events, scanning, intelligence, and asset criticality information to provide the total attack context. With this information in hand, analysts can quickly begin working with the client to prevent the threat before damage is done. Additionally, SecureWorks is the only provider that can remotely eradicate malware that is identified in a client s environment using its Web-based Paramedic technology. The Platform s advanced analysis and response capabilities enable SecureWorks to handle thousands of incidents on behalf of their clients. SecureWorks Client Interface is the industry s leading client portal and provides security teams with real-time enterprise-wide security and service delivery visibility. This secure, Web-based client 8

9 interface enables clients to measure the effectiveness of their security using robust, asset-based reporting. Using the interface, clients can view high-level and technical reports as well as conduct trending and comparative analyses. Additionally, the Client Interface enables faster remediation of security issues by correlating event, scanning, and intelligence data with asset criticality information to present client security teams with a prioritized view of their security issues. The Interface also provides secure communication between clients and SecureWorks analysts to address any issues. Analysis As stated in the Executive Summary, Forrester took a multi-step approach to evaluate the impact that implementing MSS can have on an organization: Interviews with SecureWorks marketing and technical personnel. In-depth interviews with the client s security executives, managers, and analysts. Review and analysis with a Forrester analyst whose focus includes enterprise security and other relevant technology. Construction of a financial framework around the implementation of SecureWorks' MSS. Interview Highlights The client profiled in this case study is a large, diversified media company based in the US, with operations in half a dozen countries. This multibillion dollar company employs thousands of people worldwide and has an extensive online presence. In 2002, this client engaged SecureWorks MSS for intrusion detection system (IDS) management, which includes security event monitoring for the managed devices and security event/log monitoring and analysis for all firewalls and other non-managed devices. All of SecureWorks services are delivered under one premium SLA level that includes device co-management, unlimited access to SecureWorks analysts, no limits on device changes, and no additional charges beyond the monthly service. The interviews with the client revealed that: The client s operating environment is highly decentralized, encompassing more than 100 locations in most of the United States and abroad. SecureWorks MSS functions like an extension of the client s security team in a comanaged arrangement where SecureWorks operatives perform the 24x7 monitoring, but in the event of an incident, the client retains much of the responsibility for remediation with unlimited assistance from SecureWorks. Prior to engaging SecureWorks' MSS, the client s security program was characterized by: o o o Very little monitoring of an extensive Web environment (scores of sites for their media properties). Little ability to identify where and when security compromises had occurred. Limited ability to either locate the source of attacks or close holes in the company s network and minimal overall visibility. 9

10 The client estimated that MSS serves in place of seven to 10 staff that would otherwise be required to staff a full internal security team to perform the monitoring and device management. The client stated that even with such a team, it would not be able match the level of detail and expertise provided by SecureWorks MSS. The client s environment includes 20 managed IDS devices, six monitored firewalls, and 14 monitored routers and servers. TEI Framework Introduction From the information provided in the in-depth interviews, Forrester has constructed a TEI framework for those organizations considering implementing SecureWorks' MSS. The objective of the framework is to identify the cost, benefit, risk factors, and flexibility associated with the investment. Framework Assumptions Table 2 lists the discount rate used in the present value (PV) and net present value (NPV) calculations and time horizon used for the financial modeling. Table 2: General Assumptions General assumptions Value Discount rate 10% Length of analysis Three years Organizations typically use discount rates between 8% and 16%, based on their current environment. Readers are urged to consult with their finance department to determine the most appropriate discount rate to use within their own organization. Costs The key cost categories associated with SecureWorks' MSS are service fees for: 1) intrusion detection system (IDS) management, and 2) security event/log monitoring and analysis for all firewalls and IDSs, servers, and routers. The project is measured on a three-year basis. The following are the cost inputs to the financial analysis. Managed Security Services Fees The client engaged services from SecureWorks at a cost of $25,500 per month or $306,000 annually. The fees encompassed 20 managed IDS devices, 6 monitored firewalls, and 14 monitored routers and servers. In addition, there is a startup charge equal to one month of services or $25,

11 Internal Labor For MSS Administration The average MSS outsourcing agreement requires 4% to 8% of the total contract value dedicated to management and governance. 1 This requires executives to dedicate people and processes to support a model that meets the aims of the MSS. Using the midpoint of 6%, Forrester assumes that the client s internal labor cost is $18,720 per year. Total Costs Table 3 summarizes the costs of engaging MSS, including internal labor costs. Table 3: Total Costs Costs Initial Year 1 Year 2 Year 3 Total Present value Services fees $25,500 $306,000 $306,000 $306,000 $943,500 $786,477 Administrative costs for MSS 18,360 18,360 18,360 18,360 73,440 64,019 Total $43,860 $324,360 $324,360 $324,360 $1,016,940 $850,495 Benefits What we find most valuable, first and foremost, is the expertise of the SecureWorks staff. They have shown time and again that they are experts in the security space. That kind of capability is something that our company will not go after as a core skill, but we understand that we require that skill within our core. Client s Director of Operations & Infrastructure Services A recent Forrester survey of security decision-makers showed that almost half of the 146 respondents would consider outsourcing at least some of their security functions to a managed security service provider. 2 According to the client interviewed for this case study, the results of engaging with SecureWorks have been improved security posture, at lower cost and with better execution than would be the case with an in-house team. Access to skills. The client cited the expertise of the SecureWorks staff as the top benefit of engaging their MSS. Recruiting and training security staff is challenging and costly and the expertise has a limited shelf life unless it can be reinvigorated by, for example, job rotation and continuous professional development. In particularly specialized areas, like digital forensics, the expertise often simply doesn t exist in-house to perform tasks properly. Retaining full-time employees to perform these services is costly and challenging, yet organizations need to know they can access the expertise when they need it. With MSS, experienced, certified experts conduct the event monitoring instead of lower-level in-house staff. And the client is engaging the services of an organization that stays current on a continuous learning curve. Cost savings. In some cases, like firewall or intrusion detection monitoring or management, the tasks can be laborious and time-consuming, and clients want a service provider to do the job for less than the cost to perform the work in-house. Staying current on new risks and the latest threat research is a challenge for any in-house security team. Information on new threats comes from many disparate sources. Spreading the cost and benefit of this research across multiple clients enables SecureWorks to provide better intelligence at a lower cost compared to the resources that would be required of any single 11

12 client s in-house efforts to collect, organize, catalog, and understand the relevance of the data. Better execution. Organizations can often benefit from the service provider s investment in shared infrastructure. For example, SecureWorks can invest in developing advanced correlation technology that would be prohibitively expensive for any single-user organization. Moreover, the service provider can use knowledge and experience gained from one client to identify and mitigate prevailing threats at another. Further, security monitoring is continuous rather than periodic. The client receives earlier warnings of emerging threats and faster remediation when attacks do occur. The average time to response (the time from when the first event was detected to analysis completion/incident escalation) is 6 minutes. Average time to remediation (from incident escalation until the threat is eradicated and incident is closed) is 20 minutes. Additionally, with the SecureWorks Client Interface, real-time reports are available on demand (rather than manually generated) for auditing and management reporting. The combination of SecureWorks security monitoring technology, operated by skilled people and supported by mature incident handling processes, will enhance an enterprise's security posture and lead to more effective information security. Effective incident handling processes will limit the amount of exposure time to attacks and resulting damage from those attacks, enable the enterprise to comply with various industry regulations, and lead to more successful audits. Costs Avoided: In-House Security Team Interviews with the client revealed that in order to approximate the security services provided by SecureWorks MSS, the client would need between seven and 10 highly-trained employees (probably closer to 10) to perform the same work. Yet, given the challenges of recruiting and retaining such staff, the client expressed doubt that the full value of MSS could be replicated. Table 4: Costs Avoided: In-House Security Ref. Metric Calculation Per period A1 Number of employees 9 A2 Fully loaded annual compensation per employee $ 125,000 Year 2 Year 3 Total At Cost of internal security team A1*A2 $1,125,000 $1,125,000 $1,125,000 $3,375,000 Costs Avoided: Security Software And Hardware Other assets needed to replicate the security services provided by a managed security service include security information management (SIM) software (and maintenance) and the hardware on which to run it. Forrester estimates the software cost at $80,000. Maintenance, hardware and database server software add $70,000 for a total benefit in avoided cost of $150,

13 Table 5: Software And Hardware Costs Avoided Ref. Metric Calculation Year 1 Year 2 Year 3 Total A1 SIM software $80,000 $16,000 $16,000 $112,000 A2 Servers (2) 2 * $5,000 10,000 10,000 A3 Database (4-processors) 4 * $5,000 20,000 4,000 4,000 28,000 At SIM software and hardware cost avoidance A1+A2+A3 $110,000 $20,000 $20,000 $150,000 Lowering The Risk Of Loss From Security Breaches Risk of losses from external and internal incidents is very significant, as evidenced by several highprofile cases and many smaller ones. SecureWorks' MSS reduces this risk by providing expert services described above. The generally accepted method of valuing this risk is to look at an amount of a potential loss, assume a frequency of a loss, and estimate a probability for incurring the loss. Forrester conservatively estimates that this client could face a $3 million loss annually, a figure that includes not only the cost of information loss and brand equity, but also the time required by the company s staff to remediate the issue and get systems back to fully operational. Further assuming the probability of a loss of that amount is 5%, the resulting avoided cost amount equals $150,000 annually, as shown in Table 6. Users of this study are encouraged to use this method with their own assumptions for potential penalty amounts, frequency, and probability. A more comprehensive, expanded method for this calculation using ranges of probabilities and exposures is described in the Risk section below. Table 6: Lower Risk Of Security Loss Ref. Metric Calculation Per period A1 Potential exposure $3,000,000 Year 2 Year 3 Total A2 Reduced probability of loss 5.0% At Cost avoidance: reduced risk of loss from security breach A1*A2 $150,000 $150,000 $150,000 $450,000 13

14 Total Benefits Table 7 summarizes the benefits described by the client in both the finance and IT departments. Table 7: Total Benefits Benefits Initial Year 1 Year 2 Year 3 Total Cost of internal security team Cost avoidance: Reduced risk of loss from security breach - Orig SIM software and hardware cost avoidance Present Value $1,125,000 $1,125,000 $1,125,000 $3,375,000 $2,797, , , , , , ,000 20,000 20, , ,555 Total $1,385,000 $1,295,000 $1,295,000 $3,975,000 $3,302,292 Risk Risk is the third major component within the TEI model; it is used as a filter to capture the uncertainty surrounding different cost and benefit estimates. If a risk-adjusted ROI demonstrates a compelling business case, it raises confidence that the investment is likely to succeed because the risks that threaten the project have been considered and quantified. The risk-adjusted numbers are the pressure-tested expectations. In general, risks affect costs by raising the original estimates and affect benefits by reducing the original estimates. For the purpose of this analysis, Forrester risk-adjusts cost and benefit estimates to better reflect the level of uncertainty that exists for each estimate. The variability is captured as part of this study. The TEI model uses a triangular distribution method to calculate risk-adjusted values. To construct the distribution, it is necessary to first estimate the low, most likely, and high values that could occur within the current environment. The risk-adjusted value is the mean of those points. For example, in the case of the administrative cost or internal labor that needs to be dedicated to managing MSS as described above, Forrester assumes that this cost ranges from 4% to 8% of the overall service contract amount, which is equivalent to a range of $12,240 and $24,480 per year. Forrester assumes that 6%, or $18,360, is the most likely or expected value. On the benefits side, looking at the avoided cost of fielding a full in-house security team, Forrester believes that the number required staff ranges from seven to 10, with nine the most likely number. This range provides the low, high and most likely values, respectively. Forrester then creates a triangular distribution to reflect the range of expected costs, with 8.67 staff as the mean. Forrester multiplies this mean by the fully loaded annual compensation cost of $125,000 to arrive at a risk-adjusted value of $1,083,333 per year or $3,250,000 over three years. This method has the effect of increasing the cost estimates to take into account the fact that original cost estimates are more likely to be revised upward than downward, while it has the opposite effect on benefits risk adjustments for benefits reduce the original benefits estimates resulting in a conservative filter for financial assumptions. Costs The following assumptions have been used to calculate the low, most likely, high, and mean cost and benefit amounts. 14

15 Cost Of MSS Services Forrester assumes this amount has been determined by contract, so no risk adjustment is applied. Administrative Costs The low, most likely, and high estimates for internal labor costs are set at 4%, 6%, and 8%, respectively, producing a mean of 6% of the cost of MSS services. The calculation for the amounts in the table below is: [% of contract cost] * [contract size] * [3 years]; for example the most likely amount is calculated as follows: 6% * $306,000 * 3. Table 8: Risk-Adjusted Administrative Costs Ref. Metric Calculation Per period A1 Professional services fees $306,000 Variable low 4% A2 % of contract value 6% Variable high 8% Equation low 4% * A1 $12,240 Year 1 Year 2 Year 3 Total At Administrative costs 6% * A1 $18,360 Equation high 8% * A1 $24,480 Atr Total (risk-adjusted) $18,360 $18,360 $18,360 $18,360 $73,440 The three-year risk adjusted costs and their present values are summarized in Table 9 below. Table 9: Risk Adjustment Costs Risk adjustment costs Low Most likely High Mean Present value Services fees $943,500 $943,500 $943,500 $943,500 $786,477 Administrative costs 48,960 73,440 97,920 73,440 64,019 Total $992,460 $1,016,940 $1,041,420 $1,016,940 $850,495 Benefits The following assumptions have been used to calculate the low, most likely, high and mean benefits amounts shown in Table 13. Costs Avoided: In-House Security Team The low, most likely, and high estimates for the internal labor costs that would be required to maintain an in-house security team are assumed to be seven, nine, and 10 FTEs, respectively. These assumptions are multiplied by the $125,000 fully-loaded annual compensation cost. The riskadjusted value is the average of these or $1,083,333 per year. The calculations are shown in Table 10 below. 15

16 Table 10: Risk Adjustment Cost Avoided Of In-House Security Ref. Metric Calculation Per period Year 2 Year 3 Total Variable low 7 A1 Number of FTEs 9 Variable high 10 A2 Yearly rate per FTE $125,000 Atl Equation low $875,000 At Cost of internal security team A1 * A2 $1,125,000 Ath Equation high $1,250,000 Atr Total (risk-adjusted) Average (Atl, At, Ath) $1,083,333 $1,083,333 $1,083,333 $3,250,000 Costs Avoided: SIM Software Table 11 presents the low, most likely, and high estimates for the SIM software and hardware. Table 11: Risk Adjustment Cost Avoided Of In-House Security Ref. Metric Calculation Year 1 Year 2 Year 3 Total Variable Low $60,000 $12,000 $12,000 $84,000 A1 SIM software / maintenance 80,000 16,000 16, ,000 Variable High 100,000 20,000 20, ,000 A2 Servers (2) 2 * $5,000 10,000 10,000 A3 Database (4- processors) / 4 * $5,000 20,000 4,000 4,000 28,000 maintenance Equation Low 90,000 16,000 16, ,000 At SIM software, hardware cost avoidance A1+A2+A3 110,000 20,000 20, ,000 Atr Equation High Total (risk adjusted) Average (Atl, At, Ath) 130,000 24,000 24, ,000 $110,000 $20,000 $20,000 $150,000 Lowering The Risk Of Loss Due To Security Breaches Forrester conservatively estimates that this client could face a $3 million loss annually. Further assuming that MSS reduces the probability of a loss of that amount by 5%, the resulting avoided 16

17 cost amount equals $150,000 annually. Expanding on this method, Forrester uses a range of probabilities and exposures as shown in Table 12. For the low assumption, Forrester sets the amount of loss at $100,000, with a reduction in the annual likelihood of loss of 10%. On the high side, the customer could face a loss as large as $10 million, yet the overall probability of a loss this large is lower, and the reduction in that probability is assumed to be 2%. Using the triangular distribution method described above, the risk-adjusted cost avoidance is calculated to be $120,000 annually. Users of this study are encouraged to use this method with their own assumptions for potential penalty amounts, frequency, and probability. Table 12: Risk Adjustment Lower Risk Of Loss Due To Security Breaches Ref. Metric Calculation Per Period Year 2 Year 3 Total Potential exposure - low $100,000 A1 Potential exposure - orig $3,000,000 Potential exposure - high $10,000,000 Reduced probability of losslow 10% A2 Reduced probability of loss - orig 5% Reduced probability of loss - high 2% Equation low $10,000 At Cost avoidance: Reduced risk of loss from security breach - orig A1*A2 $150,000 Atr Equation high $200,000 Total (risk adjusted) Average (Atl, At, Ath) $120,000 $120,000 $120,000 $360,000 The risk-adjusted benefits over three years and their present values are summarized in Table 13 below. Table 13: Risk Adjustment Benefits Risk adjustment benefits Low Most likely High Mean Present value Cost of internal security team $2,625,000 $3,375,000 $3,750,000 $3,250,000 $2,694,090 Cost avoidance: reduced risk of loss from security breach $30,000 $450,000 $600,000 $360,000 $298,422 SIM software and hardware cost avoidance $90,000 $110,000 $130,000 $110,000 $100,000 Total $2,745,000 $3,935,000 $4,480,000 $3,720,000 $3,092,512 17

18 Flexibility Flexibility, as defined by Forrester s TEI methodology, represents an investment in additional capacity or agility today that can be turned into future business benefits at some additional cost. Flexibility benefits typically increase with the scalability of the technology investment. This provides an organization with the right or the ability to engage in future initiatives but not the obligation to do so. In the case of SecureWorks' MSS, there are multiple scenarios in which a client might choose to implement the one set of services and decide at a later date to engage additional service levels of custom consulting. Quantifying the flexibility in this case, using the financial industry standard Black-Scholes or the binomial option pricing models, would require customer data that is not available at this time. The value of flexibility is unique to each organization, and the willingness to measure its value varies from company to company (see Appendix A for additional information regarding the flexibility calculation). TEI Framework: Summary Considering the financial framework constructed above, the results of the costs, benefits, flexibility, and risk sections using the representative numbers can be used to determine a return on investment, net present value, and payback period. Tables 14 and 15 show the risk-adjusted values, applying the risk adjustment method indicated in the Risk section. It is important to note that values used throughout the TEI Framework are based on in-depth interviews with one customer. Forrester strongly advises that readers use their own estimates within the framework provided in this study to determine the expected financial impact of implementing SecureWorks' MSS. Table 14: Total Risk-Adjusted Costs Costs Initial Year 1 Year 2 Year 3 Total Present value Services fees $25,500 $306,000 $306,000 $306,000 $943,500 $786,477 Administrative costs 18,360 18,360 18,360 18,360 73,440 64,019 Total $43,860 $324,360 $324,360 $324,360 $1,016,940 $850,495 Table 15: Total Risk-Adjusted Benefits Benefits Year 1 Year 2 Year 3 Total Present Value Cost of internal security team $1,083,333 $1,083,333 $1,083,333 $3,250,000 $2,694,090 Cost avoidance: reduced risk of loss from security breach 120, , , , ,422 SIM software and hardware cost avoidance 110,000 20,000 20, , ,555 Total $1,313,333 $1,223,333 $1,223,333 $3,760,000 $3,124,067 18

19 Study Conclusions Forrester s in-depth interviews with this MSS client indicated that the client achieved better security posture for a lower cost than if it attempted to create the same security capabilities in-house. The study uncovered a number of other important observations, including: By relying on SecureWorks services, the customer s internal security team has evolved from a largely IT function to being a critical business function, concentrating on security strategy issues and business risk. Engaging a managed security service such as SecureWorks MSS provides the capabilities of highly skilled security analysts who are able to stay very current on threats and security practices by engaging in multiple client environments. In-house security staff focused on a single corporate environment does not gain the same level of experience or exposure. Clients will benefit from the service provider s investment in shared infrastructure. SecureWorks has invested in technology that would be prohibitively expensive for most client organizations. Fast, effective incident-handling processes, tested and honed across a wide client base, will limit the amount of exposure time to attacks and any resulting damage. The financial analysis provided in this study illustrates the process for an organization to evaluate the value proposition of Managed Security Services in its environment. Based on information collected in client interviews, Forrester calculated a three-year risk-adjusted ROI of 267% for this client s organization with a very short payback period. All final estimates are risk-adjusted to incorporate potential uncertainty in the calculation of costs and benefits. Based on these findings, companies looking to implement MSS can see cost savings and security benefits around a broad range of initiatives. Using the TEI framework, many companies may find the potential for a compelling business case to make such an investment. Table 1: Three Year ROI, Original And Risk-Adjusted Summary Financial Results Original Estimate Risk- Adjusted ROI 288% 267% Payback period (months) Total costs (PV) $850,495 $850,495 Total benefits (PV) $3,302,292 $3,124,067 Total (NPV) $2,451,796 $2,273,572 19

20 Flexibility Flexibility, as defined by Forrester s TEI methodology, represents an investment in additional capacity or agility today that can be turned into future business benefits at some additional cost. Flexibility benefits typically increase with the scalability of the technology investment. This provides an organization with the right or the ability to engage in future initiatives but not the obligation to do so. In the case of SecureWorks' MSS, there are multiple scenarios in which a client might choose to implement the one set of services and decide at a later date to engage additional service levels of custom consulting. Quantifying the flexibility in this case, using the financial industry standard Black-Scholes or the binomial option pricing models, would require customer data that is not available at this time. The value of flexibility is unique to each organization, and the willingness to measure its value varies from company to company (see Appendix A for additional information regarding the flexibility calculation). TEI Framework: Summary Considering the financial framework constructed above, the results of the costs, benefits, flexibility, and risk sections using the representative numbers can be used to determine a return on investment, net present value, and payback period. Tables 14 and 15 show the risk-adjusted values, applying the risk adjustment method indicated in the Risk section. It is important to note that values used throughout the TEI Framework are based on in-depth interviews with one customer. Forrester strongly advises that readers use their own estimates within the framework provided in this study to determine the expected financial impact of implementing SecureWorks' MSS. Table 14: Total Risk-Adjusted Costs Costs Initial Year 1 Year 2 Year 3 Total Present value Services fees $25,500 $306,000 $306,000 $306,000 $943,500 $786,477 Administrative costs 18,360 18,360 18,360 18,360 73,440 64,019 Total $43,860 $324,360 $324,360 $324,360 $1,016,940 $850,495 Table 15: Total Risk-Adjusted Benefits Benefits Year 1 Year 2 Year 3 Total Present Value Cost of internal security team $1,083,333 $1,083,333 $1,083,333 $3,250,000 $2,694,090 Cost avoidance: reduced risk of loss from security breach 120, , , , ,422 SIM software and hardware cost avoidance 110,000 20,000 20, , ,555 Total $1,313,333 $1,223,333 $1,223,333 $3,760,000 $3,124,067 18

21 Appendix B: Glossary Discount rate: The interest rate used in cash flow analysis to take into account the time value of money. Although the Federal Reserve Bank sets a discount rate, companies often set a discount rate based on their business and investment environment. Forrester assumes a yearly discount rate of 10% for this analysis. Organizations typically use discount rates between 8% and 16% based on their current environment. Readers are urged to consult their organization to determine the most appropriate discount rate to use in their own environment. Net present value (NPV): The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made, unless other projects have higher NPVs. Present value (PV): The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total net present value of cash flows. Payback period: The breakeven point for an investment. The payback period is the point in time at which net benefits (benefits minus costs) equal initial investment or cost. Return on investment (ROI): A measure of a project expected return in percentage terms. ROI is calculated by dividing net benefits (benefits minus costs) by costs. A Note On Cash Flow Tables The following is a note on the cash flow tables used in this study (see the Example Table below). The initial investment column contains costs incurred at time 0 or at the beginning of Year 1. Those costs are not discounted. All other cash flows in Years 1 through 3 are discounted using the discount rate shown in Table 2 at the end of the year. Present value (PV) calculations are calculated for each total cost and benefit estimate. Net present value (NPV) calculations are not calculated until the summary tables and are the sum of the initial investment and the discounted cash flows in each year. Example Table Ref. Category Calculation Initial cost Year 1 Year 2 Year 3 Total 21

22 Appendix C: About The Project Manager Jeffrey North, Senior Consultant Jeffrey North is a senior consultant with Forrester's Total Economic Impact (TEI) consulting practice. The TEI methodology focuses on measuring and communicating the value of IT and business decisions and solutions, as well as providing an ROI business case based on the costs, benefits, flexibility, and risk of investments. Jeff came to Forrester with consulting and operating experience, notably working with fast-growth companies. He was a founding member of the digital strategy practice at Cambridge Technology Partners, where he specialized in business-value justification of technology investments and client advocacy. As a director in the international and catalog business units at Staples, Jeff built and managed metrics and reporting programs in North America and Europe as the company experienced significant growth. He has also consulted in a business-it capacity to retailers and life sciences companies. Jeff holds a B.A. from St. Lawrence University and an M.B.A. with a concentration in international management and finance from Thunderbird, the Garvin School of International Management. 22

23 Appendix D: Endnotes 1 An analysis of more than 300 outsourcing contracts conducted by the Warwick Business School in the United Kingdom found that internal management accounts for between 4% and 8% of the overall cost of outsourcing. Source: Leslie Willcocks and Geraldine Fox, The Three-Year Itch: Adjusting Outsourcing Relationships to a New Economic Reality, Compass Publishing white paper, 2003 ( 2 Paul Stamp, Peer Practices, Security & Risk Management Peer Practices For Sourcing MSSP. July 6,