A Forrester Total Economic Impact Study Prepared For F5 Networks The Total Economic Impact Of F5 Networks BIG-IP Security Solutions

Transcription

1 A Frrester Ttal Ecnmic Impact Study Prepared Fr F5 Netwrks The Ttal Ecnmic Impact Of F5 Netwrks BIG-IP Security Slutins Prject Directr: Dean Davisn August 2013

2 TABLE OF CONTENTS Executive Summary... 2 A CPMC Secures Users On Any Device, Anywhere, With BIG-IP Security Slutins... 2 Disclsures... 3 TEI Framewrk And Methdlgy... 4 Analysis... 5 Interview Highlights... 5 Csts... 7 Benefits... 9 Flexibility Risk Financial Summary F5 Netwrks BIG-IP Security Slutins: Overview Appendix A: Cmpsite Organizatin Descriptin Appendix B: Ttal Ecnmic Impact Overview Appendix C: Glssary , Frrester Research, Inc. All rights reserved. Unauthrized reprductin is strictly prhibited. Infrmatin is based n best available resurces. Opinins reflect judgment at the time and are subject t change. Frrester, Techngraphics, Frrester Wave, RleView, TechRadar, and Ttal Ecnmic Impact are trademarks f Frrester Research, Inc. All ther trademarks are the prperty f their respective cmpanies. Fr additinal infrmatin, g t Abut Frrester Cnsulting Frrester Cnsulting prvides independent and bjective research-based cnsulting t help leaders succeed in their rganizatins. Ranging in scpe frm a shrt strategy sessin t custm prjects, Frrester s Cnsulting services cnnect yu directly with research analysts wh apply expert insight t yur specific business challenges. Fr mre infrmatin, visit Page 1

3 Executive Summary In May 2013, F5 Netwrks cmmissined Frrester Cnsulting t examine the ttal ecnmic impact and ptential return n investment (ROI) enterprises may realize by deplying its BIG-IP security slutins. T understand the impact f using F5 fr intelligent netwrk security, Frrester cnducted interviews with fur existing custmers f the BIG-IP prducts frm F5 and cmpiled the results int a cmpsite case study fr a $2 billin cmpany with 12,000 emplyees that manufactures and distributes cnsumer prducts referred t as a cnsumer prducts manufacturing cmpany (CPMC). See Appendix A fr a descriptin f the cmpsite rganizatin. F5 Netwrks prvides devices that deliver intelligent netwrk security and secure the activities f users by mnitring end-t-end netwrk traffic rather than managing security fr each applicatin r device. Using a netwrkwide architecture allws F5 tls t prtect the user experience regardless f the type f device being used. In ther wrds, BIG-IP enables users t bring-yur-wn-device (BYOD). A CPMC Secures Users On Any Device, Anywhere, With BIG-IP Security Slutins The purpse f this study is t prvide readers with a framewrk t evaluate the ptential financial impact f F5 BIG-IP security slutins n their rganizatins. Frrester fund that the CPMC experienced a risk-adjusted ROI f 537% with the csts and benefits shwn in Table 1. Amng the benefits realized by F5 custmers is the ability t prvide security as users access data and applicatins thrugh a wide range f devices especially tablets and smartphnes. F5 secures the netwrk rather than individual devices r applicatins and thus mnitrs the entire range f users activities, including the device being used, the applicatin being accessed, and the data that is being transferred. As a result, users are secure frm inceptin thrugh terminatin, and security prfessinals are able t refcus n detecting and preventing ther security vulnerabilities. Table 1 Three-Year Risk-Adjusted ROI ROI Payback perid Ttal benefits (present value) Ttal csts (present value) Net present value 537% 4.6 mnths $2,056,806 ($323,123) $1,733,683 Surce: Frrester Research, Inc. Benefits. The CPMC experienced the fllwing benefits: Eliminated standalne firewalls. By managing the security f the entire netwrk with F5, the CPMC n lnger requires sme standalne firewalls netwrk r applicatin n which it previusly relied. The ability t eliminate 53 firewalls ver three years prvides $190,800 in savings. Page 2

4 Supprted and secured the migratin t BYOD. The value t the CPMC f securing the migratin f users n any kind f device with F5 is valued at $614,100, based n the bst in prductivity, as business users are able t use a wider range f devices. Avided site utages even during intense DDS attacks. F5 prvides the CPMC with the ability t filter legitimate site traffic frm distributed denial f service (DDS) traffic n critical shpping days Black Friday resulting in $477,692 f prfit frm sales that wuld be lst therwise. Avided server remediatin by practively patching security vulnerabilities. F5 s prducts include a platfrm called irules fr applying custm cde as netwrk security rules i.e., virtual patching. The ability t clse security risks frm third-party prducts immediately rather than waiting fr patches frm sftware vendrs saves the CPMC mre than $177,561 in csts that it wuld incur fr server remediatin. Avided custmer triage by practively patching security vulnerabilities. By using irules t virtually patch security hles immediately, the CPMC eliminates breaches that cmprmise custmer data. As a result, the CPMC avids mre than $1 millin in csts fr cmmunicating with custmers and prviding credit prtectin services. Csts. The CPMC experienced the fllwing csts: Licensing F5 Netwrks BIG-IP prducts. The cst fr the CPMC t license and maintain tw BIG-IP Lcal Traffic Managers and ne Edge Gateway is a ttal f $462,000 ver three years. Training fr security prfessinals. During the first year, the CPMC purchases n-site training fr the entire security team. In additin, the eight security prfessinals attend prduct-specific training curses. The ttal training investment is $127,000. Disclsures The reader shuld be aware f the fllwing: The study is cmmissined by F5 Netwrks and delivered by the Frrester Cnsulting grup. Frrester makes n assumptins as t the ptential ROI that ther rganizatins will receive. Frrester strngly advises that readers shuld use their wn estimates within the framewrk prvided in the reprt t determine the apprpriateness f an investment in F5 Netwrks BIG-IP security slutins. F5 Netwrks reviewed and prvided feedback t Frrester, but Frrester maintains editrial cntrl ver the study and its findings and des nt accept changes t the study that cntradict Frrester s findings r bscure the meaning f the study. The custmer names fr the interviews were prvided by F5 Netwrks. Page 3

5 TEI Framewrk And Methdlgy Intrductin Frm the infrmatin prvided in the interviews, Frrester cnstructed a Ttal Ecnmic Impact framewrk fr thse rganizatins cnsidering implementing F5 Netwrks slutins. The bjective f the framewrk is t identify the cst, benefit, flexibility, and risk factrs that affect the investment decisin. Apprach And Methdlgy Frrester tk a multistep apprach t evaluate the direct and indirect financial impact that F5 Netwrks can have n an rganizatin (see Figure 1). Specifically, Frrester: Interviewed F5 Netwrks marketing/sales/cnsultants persnnel and Frrester analysts t gather data relative t F5 prducts and the marketplace fr applicatin security. Interviewed fur rganizatins currently using F5 Netwrks prducts t btain data with respect t csts, benefits, and risks. Designed a cmpsite rganizatin based n characteristics f the interviewed rganizatins (see Appendix A). Cnstructed a financial mdel representative f the interviews using the TEI methdlgy. The financial mdel is ppulated with the cst and benefit data btained frm the interviews as applied t the cmpsite rganizatin. Figure 1 TEI Apprach Perfrm due diligence Cnduct custmer interviews Design cmpsite rganizatin Cnstruct financial mdel using TEI framewrk Write case study Surce: Frrester Research, Inc. Frrester emplyed fur fundamental elements f TEI in mdeling F5 Netwrks slutins: 1. Csts. 2. Benefits t the entire rganizatin. 3. Flexibility. 4. Risk. Given the increasing sphisticatin that enterprises have regarding ROI analyses related t IT investments, Frrester s TEI methdlgy serves the purpse f prviding a cmplete picture f the ttal ecnmic impact f purchase decisins. Please see Appendix B fr additinal infrmatin n the TEI methdlgy. Page 4

6 Analysis Interview Highlights Frrester cnducted a ttal f fur interviews fr this study, invlving executives frm the fllwing cmpanies: 1. A prducer f cnsumer prducts. The cmpany maintains individual websites fr dzens f brands and therefre needs security tls that allws it t manage the sites in aggregate rather than individually, giving the cmpany benefits such as ecnmies f scale in managing servers and lad balancing fr Internet traffic. 2. A specialty prducts retailer. The cmpany supplies specialty electrnics t businesses and cnsumers. Althugh the cmpany built its reputatin thrugh brick-and-mrtar stres, its nline sales are nw several times larger than in-stre sales. The retailer is cncerned with prviding the same quality f high-tuch, high-quality shpping experience nline as in its stres. 3. A cmmunity cllege. The cllege has dzens f buildings n its campus and prvides hundreds f applicatins fr cllege students, staff, and the surrunding cmmunity. The cllege had a gal fr any user t access any applicatin frm any lcatin n-campus using any device making the cllege an early and aggressive adpter f BYOD. As a result, the cllege needed security that prvides end-t-end security fr users anytime, anywhere, and n any device. 4. A reginal medical center. The center includes a large hspital, several assciated clinics, and thusands f highly specialized dctrs. The medical center is cnslidating patient s medical recrds and prviding access t physicians, specialists, and staff t patient recrds n mbile devices. T cmply with the Health Insurance Prtability and Accuntability Act (HIPAA) requirements, the medical center must secure patient privacy while prviding access in an envirnment where perfrmance literally saves lives. Althugh the fur cmpanies span varius industries, they faced many f the same challenges with regard t security. Each f the cmpanies tld Frrester that they needed a different way t manage security because: Enterprise applicatins are increasingly using web-based interfaces s that, t the netwrk, highly-sensitive applicatin data lks identical t data abut custmers brwsing websites. External websites are mre clsely linked t custmer data as cmpanies try t enhance the user experience f websites as tls that extend custmer relatinships beynd the initial purchase. Malware and DDS attacks are able t disrupt the user experience n websites as well as threaten peratins by hacking int cmpany desktps r servers. Situatin Business executives at the CPMC understd the reality and cmplexity f security attacks; the cnsensus view f executives recently flipped frm accepting that security breaches ccur t demanding that security teams anticipate and prepare respnse strategies. T effectively respnd, security teams needed t: Page 5

7 Get visibility int end-t-end netwrk traffic. Security teams needed the ability t mnitr the surce f intrusin attacks, the applicatins r data that attackers are targeting, and patterns f rutine web traffic and applicatin usage. Secure users frm inceptin thrugh terminatin. Security teams needed the ability t prvide a secure experience fr all users, regardless f the users lcatin, the type f device, r the applicatins being accessed. Reduce the time required t manage security plicies. Security teams needed the ability t manage netwrk and applicatin access frm a set f central tls rather than managing every applicatin r server individually. Prepare respnse strategies fr security intrusins. Security teams needed the ability t separate malicius web traffic frm legitimate users t manage intrusins r DDS attacks. Slutin The CPMC installed three prducts frm F5 Netwrks tw BIG-IP Lcal Traffic Managers and ne BIG-IP Edge Gateway. The security executives that Frrester interviewed said that using the BIG-IP prducts gave their security prfessinals the ability t: Islate the surces f malicius r DDS attacks and separate attacks frm legitimate traffic. Identify the internal applicatins r databases that are being targeted by attackers. Leverage cmpanywide databases fr user identity and manage users n the netwrk as well as applicatin access privileges frm central access management tls. Patch knwn vulnerabilities virtually using irules almst immediately rather than waiting weeks r mnths befre sftware vendrs release secure prduct updates. Results Frrester s interviews uncvered that by using BIG-IP prducts, the CPMC is able t: Eliminate standalne firewalls. The CPMC eliminated 53 standalne firewalls ver three years, reducing the cst f annual maintenance fees that the CPMC paid n firewalls, eliminating $190,800 in csts ver three years. Secure the user experience n any device. The CPMC launched its BYOD prgram with cnfidence that an endt-end architecture wuld prtect custmer data and ther intellectual prperty. Maintain website availability during DDS attacks. On critical shpping days, when the CPMC s nline business drives large amunts f revenue, the security team is able t manage DDS r ther malicius attacks withut cmprmising the experience f legitimate custmers. Patch vulnerabilities immediately. Using the irules platfrm, the CPMC is able t immediately patch new vulnerabilities until permanent updates are released frm sftware vendrs. Page 6

8 Framewrk Assumptins Thrughut this reprt, the discunt rate used in the present value (PV) and net present value (NPV) calculatins is 10%, and time hrizn used fr the financial mdeling is three years. Organizatins typically use discunt rates between 8% and 16% based n their current envirnment. Readers are urged t cnsult with their respective cmpany s finance department t determine the mst apprpriate discunt rate t use within their wn rganizatins. Csts The csts f implementing and using BIG-IP prducts include licensing prducts frm F5 Netwrks and training the CPMC s security prfessinals. Licensing And Maintaining BIG-IP Slutins Based n the size and cmplexity f its peratins, the CPMC spends $215,600 ver three years in licensing and maintenance fees fr tw BIG-IP Lcal Traffic Managers and ne BIG-IP Edge Gateway (see Table 2). Table 2 Licensing And Maintaining F5 BIG-IP Slutins Ref. Csts Calculatin Initial Year 1 Year 2 Year 3 Ttal A1 Applicatin Delivery Cntrllers 2 units $110,000 A2 Edge Gateway 1 unit $30,000 A3 Maintenance fees (A1+A2)*18% $25,200 $25,200 $25,200 At Ttal csts f licenses $140,000 $25,200 $25,200 $25,200 $215,600 Surce: Frrester Research, Inc. Page 7

9 Training Fr Security Prfessinals T calculate the cst, Frrester includes a five-day n-site curse that the CPMC prvided as an rientatin fr the security team. During the first year, the eight security prfessinals each attended three separate training curses that lasted tw days fr specific prducts at a cst f $1,500 per day, resulting in a ttal cst f $72,000 during Year 1. Over three years, the CPMC s investment in training is $127,000 (see Table 3). Table 3 Training Security Prfessinals Ref. Csts Calculatin Initial Year 1 Year 2 Year 3 Ttal B1 B2 Five days f n-site training Cst f tw-day prduct-specific training curse $55,000 8*3*2*$1,500 $72,000 Bt Ttal csts $55,000 $72,000 $0 $0 $127,000 Surce: Frrester Research, Inc. Ttal Csts The ttal cst fr the CPMC assciated with licensing and maintaining the security slutins frm F5 Netwrks as well as training the security team s use f the prducts is $342,600 ver three years, as shwn in Table 4. Table 4 Ttal Csts Ref. Csts Calculatin Initial Year 1 Year 2 Year 3 Ttal At Purchasing slutins $140,000 $25,200 $25,200 $25,200 Bt Training security prfessinals $55,000 $72,000 Ttal csts At+Bt $195,000 $97,200 $25,200 $25,200 $342,600 Surce: Frrester Research, Inc. Page 8

10 Benefits Based n the interviews, the CPMC gets benefits frm using F5 Netwrks by: Eliminating standalne firewalls. Securing the migratin t BYOD. Aviding utages during DDOS attacks. Reducing csts by practively patching vulnerabilities, including csts fr: Server remediatin: the cst f dwntime t rebuild a server t its riginal state. Custmer triage: the cst f cmmunicating with custmers and prviding credit prtectin services. Eliminating Standalne Firewalls F5 Netwrks prvides a secure wrapper fr users and their applicatin experience, allwing the CPMC t eliminate sme f its standalne applicatin firewalls. The CPMC cnducted extensive testing f the security prvided by F5 Netwrks befre retiring a ttal f 53 select firewalls. The price fr firewalls used by the CPMC is an average f $20,000 plus an additinal maintenance fee f 18% per year r $3,600 per firewall per year. The financial benefit f retiring 53 firewalls ver three years is a cst that the CPMC avids, ttaling $190,800 (see Table 5). Table 5 Eliminating Standalne Firewalls Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal C1 Maintenance cst fr standalne firewalls $20,000*18% 3,600 3,600 3,600 C2 Firewalls eliminated Ct Grss prfit benefit C1*C2 $10,800 $43,200 $136,800 $190,800 Surce: Frrester Research, Inc. Page 9

11 Securing Users BYOD Experience One f the cmpanies that Frrester interviewed was able t measure the impact f BYOD and reprted an increase in net prfit f 9% ver three years. The benefits came frm increased prductivity f emplyees and imprved interactins with business partners largely by managing the verall supply chain f prducts better. F5 Netwrks is a key enabler fr BYOD because its technlgy puts a wrapper arund the applicatin, the netwrk, and users, eliminating the gaps between security prducts that culd therwise be explited in a BYOD envirnment. Frrester s mdel applies the 8.9% benefit t the CPMC as an uplift f 6% in net prfit during Year 2 and an additinal 3% increase in Year 3. The success f a BYOD initiative depends n many factrs, such as web interfaces fr applicatins and integratin between mbile and prprietary authenticatin tls. T measure the impact f F5 Netwrks n BYOD, Frrester limits the value f security t 5% f the increase in net prfit that the CPMC gets thrugh BYOD, resulting in an increase in prfit f $614,100 ver three years. Table 6 Securing Users BYOD Experience Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal D1 Cmpany net prfit $2 billin*7% $140,000,000 $140,000,000 $140,000,000 D2 Business prductivity bst 0.0% 6% 3% D3 Net prfit impact f BYOD D1*D2 $8,400,000 $4,200,000 $12,600,000 D4 Percent f bst attributable t security 5% 5% 5% Dt Net prfit benefit D3*D4 $420,000 $210,000 $630,000 Surce: Frrester Research, Inc. Page 10

12 Aviding Outages Frm DDS Attacks The security executive in ne interview recunted hw his cmpany gets mre than 60% f its revenue frm nline sales. On a critical shpping day Black Friday the cmpany was subjected t extensive DDS attacks. BIG-IP prducts allwed the cmpany t filter malicius traffic frm legitimate custmers t the extent that the cmpany experienced n cmplaints frm custmers and successfully sld prducts thrughut the day. As shw in Table 7, the CPMC suffers tw DDS attacks each year. The average attack lasts six hurs and disrupts nrmal business during that time. Because the CPMC generates $400 millin in nline revenue at a prfit margin f 6.9%, the lss in net prfit frm a six-hur utage wuld be $80,769. The impact f aviding utages during DDS attacks is $484,615 ver three years. Table 7 Aviding Outages Frm DDS Attacks Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal E1 Prfit frm nline sales $400 millin*7% $28,000,000 $28,000,000 $28,000,000 E2 Duratin f typical utage 6 hurs/2,080 hurs 0.29% 0.29% 0.29% E3 Lst prfit per utage E1*E2 $80,769 $80,769 $80,769 E4 Number f attacks annually Et Grss prfit benefit E3*E4 $161,538 $161,538 $161,538 $484,615 Surce: Frrester Research, Inc. Page 11

13 Reduced Cst Of Server Remediatin By Practively Patching Vulnerabilities The CPMC must address the vulnerabilities that are discvered and annunced by sftware prviders. Unfrtunately, the permanent patch fr any vulnerability usually fllws its discvery by several mnths. F5 Netwrk s slutins include irules a platfrm that allws IT rganizatins t create custm cde that will prevent specific, knwn vulnerabilities frm being explited. Being able t immediately clse a new vulnerability is priceless. The executives in my cmpany always like t hear that we already have a slutin in place. Withut irules, I culdn t say that. (Directr, netwrk security) During interviews, security prfessinals tld Frrester that irules reduces the cst f remediating servers that are affected by malware. Using F5, the CPMC eliminates three breaches per year that wuld have affected the servers. In this case, each breach affects an average f tw servers, frcing the servers t be taken ffline and restred, which takes an average f tw days t rebuild the servers and csts $14,000 per server per breach, including the business that is lst frm having a server dwn that supprts custmer purchases. The cst fr server remediatin that the CPMC avids ver three years is a ttal f $252,000 (see Table 8). Table 8 Reduced Cst Of Server Remediatin By Practively Patching Vulnerabilities Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal F1 Reduced number f breaches t servers F2 Affected servers per breach F3 Cst per server fr remediatin $14,000 $14,000 $14,000 Ft Avided csts t remediate servers after breaches F1*F2*F3 $84,000 $84,000 $84,000 $252,000 Surce: Frrester Research, Inc. Page 12

14 Reduced Cst Of Custmer Triage By Practively Patching Vulnerabilities In additin t the cst t rebuilt servers, sme breaches cmprmise custmer data. The CPMC suffers ne breach per year that results in a lss f custmer data that is caused by security hles in third-party prducts (e.g., Zer Day Explits). After a breach, the CPMC typically spends $300 per custmer recrd that is cmprmised t cmmunicate the breach t custmers and prvide fllw-up supprt, including credit prtectin services. Fr the CPCM, the ne breach per years results in 1,200 custmer recrds being cmprmised, resulting in a cst f $360,000 per breach. By using irules t practively patch vulnerability, the CPMC avids mre than $1 millin in csts ver three years (see Table 9). Table 9 Reduced Cst Of Custmer Triage By Practively Patching Vulnerabilities Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal G1 Reduced breaches t data G2 Names affected per breach 1,200 1,200 1,200 G3 Cst per custmer recrd $300 $300 $300 Gt Avided cst f custmer triage frm breaches G1*G2*G3 $360, , ,000 $1,080,000 Surce: Frrester Research, Inc. Page 13

15 Ttal Benefits The CPMC realizes benefits by using BIG-IP slutins frm F5 Netwrks during a three-year perid that ttal mre than $2.5 millin (see Table 10). Table 10 Ttal Benefits Ref. Benefit Calculatin Year 1 Year 2 Year 3 Ttal Ct Eliminating standalne firewalls $10,800 $43,200 $136,800 Dt Securing the BYOD experience $0 $420,000 $210,000 Et Aviding utages frm DDS attacks $161,538 $161,538 $161,538 Ft Reduced cst f server remediatin $84,000 $84,000 $84,000 Gt Reduced cst f custmer triage $360, , ,000 Ttal benefits Ct+Dt+Et+Ft+Gt $616,338 $1,068,738 $952,338 $2,637,415 Surce: Frrester Research, Inc. Flexibility Flexibility, as defined by TEI, represents an investment in additinal capacity r capability that culd be turned int business benefit fr sme future additinal investment. This prvides an rganizatin with the right r the ability t engage in future initiatives but nt the bligatin t d s. There are multiple scenaris in which a custmer might chse t implement F5 Netwrks slutins and later realize additinal uses and business pprtunities. Flexibility wuld als be quantified when evaluated as part f a specific prject (described in mre detail in Appendix B). Using BIG-IP slutins frm F5 Netwrks created future flexibility fr: Facilitating central plicy management. F5 Netwrks secures the netwrk endpints instead f each applicatin individually, allwing the IT rganizatin t release new applicatins, add additinal users t specific applicatins, r retire existing applicatins withut changing the security plicies. With the purchase f an identify management system, security plicies will be centrally managed and rely n the identity management system t crdinate the rights f individual emplyees acrss disparate systems. Fr example, when an emplyee s permissins change, the central identity and security plicies trickle dwn t specific applicatins and Page 14

16 are immediately updated. Similarly, when an emplyee leaves the cmpany, security privileges are revked acrss the cmpany, eliminating lse ends such as access rights fr emplyees n lnger with the cmpany. Launching and retiring applicatins. Using endpint security plicies has the ptential t significantly reduce the supprt burden n security prfessinals and applicatin managers. As cmpanies increase the pace f spinning up new applicatins, implementing clud-based applicatins (r services), they can migrate frm ne clud prvider t anther, rewrite legacy applicatins int web-based services, r simply retire legacy applicatins. Cmpanies are nly able t spin up and retire applicatins quickly when they are lgically lcated within the wrapper prvided by BIG-IP prducts. Risk Frrester defines tw types f risk assciated with this analysis: implementatin risk and impact risk. Implementatin risk is the risk that a prpsed investment in F5 Netwrks may deviate frm the riginal r expected requirements, resulting in higher csts than anticipated. Impact risk refers t the risk that the business r technlgy needs f the rganizatin may nt be met by the investment in F5 Netwrks, resulting in lwer verall ttal benefits. The greater the uncertainty, the wider the ptential range f utcmes fr cst and benefit estimates. Quantitatively capturing investment and impact risk by directly adjusting the financial estimates results in mre meaningful and accurate estimates and a mre accurate prjectin f the ROI. In general, risks affect csts by raising the riginal estimates, and they affect benefits by reducing the riginal estimates. The risk-adjusted numbers shuld be taken as realistic expectatins since they represent the expected values cnsidering risk. The fllwing impact risks that affect benefits are identified as part f the analysis: Eliminating sme standalne applicatin firewalls. The ability t eliminate firewalls depends n the current security architecture, the netwrk architecture, and the price that a cmpany pays fr firewalls. Supprting and securing the migratin t BYOD. The value f increased prductivity frm a BYOD strategy will vary depending n the type f wrk perfrmed by emplyees and the sensitivity f the wrk tasks being perfrmed n mbile devices. Aviding utages frm DDOS attacks. Cmpanies with well-knwn brand names r that prvide services that are cnsidered cntrversial may suffer levels f malware r attacks that are much higher. Practively patching vulnerabilities. The amunt f custmer data that resides within the cmpany will directly determine the value t be gained thrugh virtual patching. Tables 10 and 11 shw the values used t adjust fr risk and uncertainty in the cst and benefit estimates. The TEI mdel uses a triangular distributin methd t calculate risk-adjusted values. T cnstruct the distributin, it is necessary t first estimate the lw, mst likely, and high values that culd ccur within the current envirnment. The risk-adjusted value is the mean f the distributin f thse pints. Page 15

17 Table 11 Risk Adjustments Benefits Lw Mst likely High Mean Eliminating sme standalne applicatin firewalls 92% 100% 105% 99% Supprting and securing the migratin t BYOD 50% 100% 110% 87% Aviding utages frm DDOS attacks 80% 100% 103% 94% Reduced cst f server remediatin by practively patching vulnerabilities Reduced cst f custmer triage by practively patching vulnerabilities 92% 100% 105% 99% 92% 100% 105% 99% Surce: Frrester Research, Inc. Table 12 Risk Adjustments T The Three-Year Ttals Benefit Original value Risk adjustment Risk-adjusted value Eliminating sme standalne applicatin firewalls $190,800-1% $188,892 Supprting and securing the migratin t BYOD $630,000-13% $548,100 Aviding utages frm DDOS attacks $484,615-6% $455,538 Reduced cst f server remediatin by practively patching vulnerabilities Reduced cst f custmer triage by practively patching vulnerabilities $252,000-1% $249,480 $1,080,000-1% $1,069,200 Surce: Frrester Research, Inc. Readers are urged t apply their wn risk ranges based n their wn degree f cnfidence in the cst and benefit estimates. Page 16

18 Financial Summary The financial results calculated in the Csts and Benefits sectins can be used t determine the ROI, NPV, and payback perid fr the rganizatin s investment in F5 Netwrks security slutins. These are shwn in Table 13 belw. Table 13 Cash Flw Nn-Risk-Adjusted Cash flw riginal estimates Initial Year 1 Year 2 Year 3 Ttal Present value Csts ($195,000) ($97,200) ($25,200) ($25,200) ($342,600) ($323,123) Benefits $0 $616,338 $1,068,738 $952,338 $2,637,415 $2,159,069 Net benefits ($195,000) $519,138 $1,043,538 $927,138 $2,294,815 $1,835,945 ROI 568% Payback perid 4.5 mnths Surce: Frrester Research, Inc. Table 14 and Figure 2 belw shw the risk-adjusted ROI, NPV, and payback perid values. These values are determined by applying the risk-adjustment values frm Table 11 in the Risk sectin t the benefits numbers in Table 10. Table 14 Cash Flw Risk-Adjusted Cash flw risk-adjusted estimates Initial Year 1 Year 2 Year 3 Ttal Present value Csts ($195,000) ($97,200) ($25,200) ($25,200) ($342,600) ($323,123) Benefits $0 $602,098 $999,574 $909,538 $2,511,210 $2,056,806 Net benefits ($195,000) $504,898 $974,374 $884,338 $2,168,610 $1,733,683 ROI 537% Payback perid 4.6 mnths Surce: Frrester Research, Inc. Page 17

19 Figure 2 Cash Flws Risk Adjusted $2,500,000 $2,000,000 $1,500,000 Cash flws $1,000,000 $500,000 $0 Initial Year 1 Year 2 Year 3 ($500,000) Ttal Csts Ttal Benefits Running Ttal Surce: Frrester Research, Inc. Page 18

20 F5 Netwrks BIG-IP Security Slutins: Overview Accrding t F5 Netwrks, F5 secures access t applicatins and data frm anywhere, while prtecting applicatins wherever they reside. By placing intelligent devices at key pints in the netwrk, F5 helps prtect resurces and minimize interruptins. The BIG-IP family has tw categries f slutins: security and access. Security. The F5 prtfli f prducts includes BIG-IP Lcal Traffic Manager (LTM), BIG-IP Advanced Firewall Manager (AFM), BIG-IP Applicatin Security Manager (ASM), and BIG-IP Glbal Traffic Manager (GTM). These prducts have the scale, perfrmance, integratin f features, and extensibility needed t prtect applicatins in the data center. F5 Security slutins include: Applicatin delivery firewall (ADF): A native firewall that prvides visibility and cntrl f applicatin security. Custmers use ADF t prtect netwrks and applicatin infrastructure in Internet-facing data centers, inspecting as well as fflading SSL and prtecting against netwrk-, DNS-, and HTTP/S-based DDS attacks. Applicatin security: Web applicatin firewall that prtects against attacks t reduce the risk t intellectual prperty and data. Custmers use ASM t patch security gaps immediately, mnitr applicatin vulnerabilities as well as fraudulent activity, and help prtect intellectual prperty. DDS: Defense and mitigatin against different layers f DDS threats, including thse that are netwrk-, DNS-, and HTTP/S-based. Identity and access management. The BIG-IP set f identity and access management slutins simplify authenticatin, authrizatin, and accunting (AAA) management. Typical use cases include: Accelerating and securing remte access. Federating identify management. Enhancing web access management. Simplifying virtual desktp management. Streamlining Micrsft Exchange. Mbile security. F5 s mbile security slutins allw emplyees t wrk flexibly frm any device and any lcatin, while ensuring the security f crprate resurces and assets. IT rganizatins are able t: Prtect crprate applicatins as well as data and simplify device management as well as plicy enfrcement. Manage individual devices r device grups, push and/r retract applicatins and data n a device, and lck r wipe nly the secure wrkspace rather than the entire device. Cntrl decisins abut cntent and applicatins available n each user s devices, including sensitive crprate data that transmits n an app-by-app basis in a secure, encrypted fashin and that is unencrypted nly after reaching the enterprise netwrk. Page 19

21 Appendix A: Cmpsite Organizatin Descriptin Cmpsite Organizatin Based n the interviews with the fur existing custmers prvided by F5 Netwrks, Frrester has created a cmpsite rganizatin t illustrate the quantifiable csts and benefits f F5 Netwrks security slutins. The cmpsite cmpany is intended t represent a CPMC and is based n characteristics f the interviewed custmers. Specifically, the cmpsite cmpany has: $2 billin in annual revenue. Althugh the cmpany sells prducts glbally, this reprt fcuses n business peratins, infrmatin technlgy, and security slutins within the US. The CPMC s average prfit margin is 6.9%. 12,000 emplyees glbally. Nine thusand emplyees r 75% f persnnel are lcated in the US. Manufacturing facilities in 17 cuntries. The cmpany must manage its security plicies accrding t internatinal law, including imprt and exprt laws, but this reprt fcuses n cmplying with regulatry requirements f the US. 20% f revenue cming frm nline sites. The CPMC has an nline site that sells limited prducts directly t cnsumers and that prvides 20% f annual revenues. Prducts that are categrized int eight majr brands. Five f the brands have websites that allw cnsumers t register fr infrmatin, receive prduct supprt, r learn new ways f using the CPMC prducts. Page 20

22 Appendix B: Ttal Ecnmic Impact Overview Ttal Ecnmic Impact is a methdlgy develped by Frrester Research that enhances a cmpany s technlgy decisin-making prcesses and assists vendrs in cmmunicating the value prpsitin f their prducts and services t clients. The TEI methdlgy helps cmpanies demnstrate, justify, and realize the tangible value f IT initiatives t bth senir management and ther key business stakehlders. The TEI methdlgy cnsists f fur cmpnents t evaluate investment value: benefits, csts, risks, and flexibility. Benefits Benefits represent the value delivered t the user rganizatin IT and/r business units by the prpsed prduct r prject. Often prduct r prject justificatin exercises fcus just n IT cst and cst reductin, leaving little rm t analyze the effect f the technlgy n the entire rganizatin. The TEI methdlgy and the resulting financial mdel place equal weight n the measure f benefits and the measure f csts, allwing fr a full examinatin f the effect f the technlgy n the entire rganizatin. Calculatin f benefit estimates invlves a clear dialgue with the user rganizatin t understand the specific value that is created. In additin, Frrester als requires that there be a clear line f accuntability established between the measurement and justificatin f benefit estimates after the prject has been cmpleted. This ensures that benefit estimates tie back directly t the bttm line. Csts Csts represent the investment necessary t capture the value, r benefits, f the prpsed prject. IT r the business units may incur csts in the frm f fully burdened labr, subcntractrs, r materials. Csts cnsider all the investments and expenses necessary t deliver the prpsed value. In additin, the cst categry within TEI captures any incremental csts ver the existing envirnment fr nging csts assciated with the slutin. All csts must be tied t the benefits that are created. Risk Risk measures the uncertainty f benefit and cst estimates cntained within the investment. Uncertainty is measured in tw ways: 1) the likelihd that the cst and benefit estimates will meet the riginal prjectins, and 2) the likelihd that the estimates will be measured and tracked ver time. TEI applies a prbability density functin knwn as triangular distributin t the values entered. At a minimum, three values are calculated t estimate the underlying range arund each cst and benefit. Flexibility Within the TEI methdlgy, direct benefits represent ne part f the investment value. While direct benefits can typically be the primary way t justify a prject, Frrester believes that rganizatins shuld be able t measure the strategic value f an investment. Flexibility represents the value that can be btained fr sme future additinal investment building n tp f the initial investment already made. Fr instance, an investment in an enterprisewide upgrade f an ffice prductivity suite can ptentially increase standardizatin (t increase efficiency) and reduce licensing csts. Hwever, an embedded cllabratin feature may translate t greater wrker prductivity if activated. The cllabratin can nly be used with additinal investment in training at sme future pint in time. Hwever, having the ability t capture that benefit has a PV that can be estimated. The flexibility cmpnent f TEI captures that value. Page 21

23 Appendix C: Glssary Discunt rate: The interest rate used in cash flw analysis t take int accunt the time value f mney. Althugh the Federal Reserve Bank sets a discunt rate, cmpanies ften set a discunt rate based n their business and investment envirnment. Frrester assumes a yearly discunt rate f 10% fr this analysis. Organizatins typically use discunt rates between 8% and 16% based n their current envirnment. Readers are urged t cnsult their respective rganizatin t determine the mst apprpriate discunt rate t use in their wn envirnment. Net present value (NPV): The present r current value f (discunted) future net cash flws given an interest rate (the discunt rate). A psitive prject NPV nrmally indicates that the investment shuld be made, unless ther prjects have higher NPVs. Present value (PV): The present r current value f (discunted) cst and benefit estimates given at an interest rate (the discunt rate). The PV f csts and benefits feed int the ttal NPV f cash flws. Payback perid: The breakeven pint fr an investment r the pint in time at which net benefits (benefits minus csts) equal initial investment r cst. Return n investment (ROI): A measure f a prject s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits minus csts) by csts. A Nte On Cash Flw Tables The fllwing is a nte n the cash flw tables used in this study (see the example table belw). The initial investment clumn cntains csts incurred at time 0 r at the beginning f Year 1. Thse csts are nt discunted. All ther cash flws in Years 1 thrugh 3 are discunted using the discunt rate (shwn in the Framewrk Assumptins sectin) at the end f the year. PV calculatins are calculated fr each ttal cst and benefit estimate. NPV calculatins are nt calculated until the summary tables and are the sum f the initial investment and the discunted cash flws in each year. Table [Example] Example Table Ref. Categry Calculatin Initial cst Year 1 Year 2 Year 3 Ttal Surce: Frrester Research, Inc. Page 22