An Executive Brief for Network Security Investments



Similar documents
Data Center Automation - A Must For All Service Providers

WHITE PAPER. Realizing ROI from Your Network Visibility Investment

WHITE PAPER. Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment

WHITE PAPER. Static Load Balancers Implemented with Filters

Reduce Your Network's Attack Surface

WHITE PAPER. Net Optics Phantom Virtual Tap Delivers Best-Practice Network Monitoring For Virtualized Server Environs

WHITE PAPER. Gaining Total Visibility for Lawful Interception

WHITE PAPER. How To Compare Virtual Devices (NFV) vs Hardware Devices: Testing VNF Performance

Ensuring Success in a Virtual World: Demystifying SDN and NFV Migrations

WHITE PAPER. Extending Network Monitoring Tool Performance

IxChariot Virtualization Performance Test Plan

Guidebook to MEF Certification

EBOOK. Software Defined Networking (SDN)

EBOOK. The Network Comes of Age: Access and Monitoring at the Application Level

WHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency

Channel Xcelerate. Full Speed Ahead. The Ixia Channel Xcelerate Program - The Americas. Application Performance and Security Resilience

Convincing Your CFO That Network Security Is An Investment. by Keith Bromley First Edition

WHITE PAPER. Monitoring Load Balancing in the 10G Arena: Strategies and Requirements for Solving Performance Challenges

WHITE PAPER. Tap Technology Enables Healthcare s Digital Future

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

WHITE PAPER. 50 versus 62.5 micron multimode fiber

Evaluating Wireless Broadband Gateways for Deployment by Service Provider Customers

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

CGI Cyber Risk Advisory and Management Services for Insurers

Managing Cyber Threats Risk Management & Insurance Solutions. Presented by: Douglas R. Jones, CPCU, ARM Senior Vice President & Principal

Taps vs. SPAN The Forest AND the Trees: Full Visibility into Today's Networks

Cyber security Building confidence in your digital future

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

WHITE PAPER. Enabling 100 Gigabit Ethernet Implementing PCS Lanes

WHITE PAPER. Best Practices for Deploying IPv6 over Broadband Access

WHITE PAPER. SDN Controller Testing: Part 1

WHITE PAPER. Best Practices for Network Monitoring Switch Automation

Hit ratios are still very low for Security & Privacy coverage: What are companies waiting for?

Address C-level Cybersecurity issues to enable and secure Digital transformation

Leveraging Network and Vulnerability metrics Using RedSeal

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Cybersecurity y Managing g the Risks

Demonstrating the ROI for SIEM: Tales from the Trenches

The Cloud Balancing Act for IT: Between Promise and Peril

Healthcare and IT Working Together KY HFMA Spring Institute

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Developing a robust cyber security governance framework 16 April 2015

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

The Value of Vulnerability Management*

Seamus Reilly Director EY Information Security Cyber Security

Executive Summary P 1. ActivIdentity

Is Your Company Ready for a Big Data Breach?

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

Cybersecurity. Considerations for the audit committee

The economics of IT risk and reputation

How To Protect Your Data From Hackers

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Law Firm Cyber Security & Compliance Risks

Perspectives on Cybersecurity and Its Legal Implications

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

Information Technology Risk Management

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Chapter 1 The Scope of Corporate Finance

Project Evolution & Estimation :cash flow forecasting, cost benefit evolution techniques, risk evolution, Cost benefit analysis

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Cybersecurity Strategic Consulting

Security Training Why It Benefits Your Organization and How to Make Your Case to Management

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Understanding the Cyber Risk Insurance and Remediation Services Marketplace:

Cyber Range Training Services

Cyber security Building confidence in your digital future

Data Security: Fight Insider Threats & Protect Your Sensitive Data

How To Protect Your Network From Attack From A Network Security Threat

How To Buy Nitro Security

State of Security Survey GLOBAL FINDINGS

Data Breach and Senior Living Communities May 29, 2015

Cyber Risks Management. Nikos Georgopoulos, MBA, cyrm Cyber Risks Advisor

Transcription:

An Executive Brief for Network Security Investments

Implementing network security resilience is one of the few things that you can do that will: Protect company brand value Decrease operational costs Preserve your company valuation Decrease the possibility and potential costs of a security breach Decrease executives risk of personal liability (not covered under the corporate insurance) A financial analysis of a typical network demonstrates that spending on a resilient security architecture is actually an investment, not a cost. While security resilience components can eliminate potential security breach costs, additional value exists in lowering CAPEX and OPEX expenditures and in protecting the company brand valuation. The proper types of security improvements can not only reduce your breach chances, but could reduce the actual costs of a breach that you would otherwise incur. As the following chart shows, this reduction can be as much as 73%. Depending upon the size and scope of a security attack, the alternative could be the following: Remediation costs for a breach can become very expensive and could put the company out of business Brand damage can affect stockholder sentiment for the business, causing stock price fluctuation, negative changes to company valuation, SEC investigations, and regulatory compliance investigations Brand damage that affects the company and leadership Reduce the cost of a breach by 73% 19% 14% Reduced potential fines Reduced lost business costs 10% Aggressive security posture 9% Incident response plan 6% Having business cont. plan 5.5% Reduce MTTR & analysis time 5.0% 4.5% Cyber range training Have a CISO in place Did you know that improving network security is an easy way to protect and increase shareholder value while mitigating corporate risk?

The solution is to invest wisely in your corporate security. When evaluating security architectures, there are essentially four fundamental approaches to network security investments that can offer varying degrees of risk levels: Fundamental Approaches to Network Security Investments Create Varying Degrees of Risk Create Resilient Architecture Incorporate visibility plane / lowest possible risk Create Defensive Architecture Add security products / low to medium risk Meet Regulatory Compliance Minimal prevention / medium to high risk Best Effort Lowest prevention / highest risk Create a resilient architecture: includes breach recognition and prevention by incorporating a visibility plane to create the lowest possible risk Create a defensive architecture: focus is on adding security products, which creates a low to medium risk Meet regulatory compliance: delivers minimal prevention and creates a medium to high risk Best effort: delivers the lowest prevention and creates the highest risk

The preferred approach is a resilient architecture. The goal of the resilient architecture approach is to quickly stop all threats (attacks and breaches) and to recover from those attacks as fast as possible. This approach combines defensive architecture approach components (firewalls, intrusion prevention systems, security processes, etc.) with a visibility architecture (taps, packet brokers, and monitoring tools) and with security resilience components (load testing, effectiveness testing, cyber range training, etc.). The goal of stopping all threats may not always be achievable, but this approach should typically result in fewer breaches and less severe breaches (if they do happen). To be effective, the resilient architecture approach relies on the integrated visibility and security architecture. You can t just purchase a few individual products and hope it stops everything. In financial liability terms, this approach should typically result in a 60% to 80% cost reduction for every security breach, depending upon several factors of course, and it presents the lowest risk option that is possible. If the architecture has been designed correctly, then you should be able to minimize revenue losses and the risk of encountering significant fines (if any). This is because the fee structure for fines typically depends upon the number of records exposed and the due-diligence displayed in trying to make sure that the network is secure. For the C-suite, a breach of the corporate network could translate to concerns of breach of fiduciary responsibility and whether the SEC and FTC might decide that they, the C-suite, did not provide adequate and reasonable fail-safes to avoid the exposure of PII. Issues with the SEC and FTC could even lead to issues with creditors, putting the company in more peril. While most companies will not make the nightly news for security breaches, they are generally accountable to the SEC, FTC, and various other federal, international, local, and state agencies. Neither the CEO nor CFO will enjoy the next board meeting after showing material weakness via breach or audit, as this is a liability issue that can directly impact the company s viability. A solid security and visibility architecture investment will give the CFO and CEO more confidence when reporting to the board of directors about company security and data integrity. As part of this study, we have assigned financial value to network security initiatives to create a solid financial benefit for the capital investment and operational expenses, as well as opportunity costs for inaction. This allows the investment to be judged upon its merits and contribution. However, the fundamental assumption is that the analysis be complete and accurate simply using convenient data won t provide the requisite accuracy. To accomplish this, the financial analysis was constructed as follows: 1. Create a cost/benefit analysis specific to your company 2. Create an NPV business case around that cost/benefit analysis This financial analysis includes anticipated network attack and breach costs along with the typical security product capital expenditures and ongoing operations costs. Breach costs include: remediation, fines, and potential lawsuits regarding the release of customer and employee personally identifiable information (PII), personal and corporate liability, intellectual property loss, and brand damage. The analysis relies heavily on an estimated cost per breach of $5.85M which comes from the Ponemon 2014 Cost of a Breach Study: Global Analysis report. The Ponemon Institute further states that the average annual cost of cyber crime in the United States can be estimated as $12.7M (according to their 2014 Global Report on the Cost of Cyber Crime) and the average time to find the breach was 170 days. The cost/benefit portion of this financial analysis includes the following items: Technology purchase costs (CAPEX) equipment, training, installation, etc. Technology maintenance costs (OPEX) personnel, annual license costs, etc. Return on investment (ROI) expected savings, revenue savings/protection, etc. Other quantify other costs and benefits For an example Fortune 1000 enterprise, the net present value came out to be $11.8M. This included cumulative costs of $25.2M and cumulative benefits of $37.2M, based upon the Ponemon and Ixia research.

Detailed Results Category Initial Year 1 Year 2 Year 3 Basic Security Architecture Costs $1,501,480 $19,840 $19,840 $19,840 Visibility Architecture Costs $259,440 $107,384 $107,384 $107,384 Security Resilience Costs $20,000 $50,000 $50,000 $50,000 Estimated Security Breach Costs - $7,620,000 $7,620,000 $7,620,000 Total Costs $1,780,920 $7,797,224 $7,797,224 $7,797,224 Security Architecture Benefits $8,288,000 $9,307,000 $9,307,000 $9,307,000 Visibility Architecture Benefits - $328,990 $328,990 $328,990 Total Benefits (Present Value) $8,288,000 $9,635,990 $9,635,990 $9,635,990 Interest Rate 2.70% Number of years 3 Cumulative PV $37,195,970 NPV $11,786,721 Rate of Return 49.28% Payback Period (Months) 6.4 Payback Period (Months, Ultra-Conservative) Security Architecture Component Benefit Summary Chart 11.6 An annual breakdown of the financial benefit shows that the contribution can be broken into three categories: Basic (defensive) security architecture contributions $6.413M Visibility architecture contributions = $6.502M Resilient security approach contributions = $5.311M The financial analysis shows that a minimal investment of $1.78M yielded an NPV of $11.8M over three years. Alternatively, the annual cost for a cyber crime in the United States could have resulted in a $12.7M cost to the company. By actually investing in security improvements, this example shows that the company not only reduced the costs of a breach, but also reduced the chances of a breach and improved company value by $11.8M. As an added bonus, the payback period for this investment is only 6.4 months. Even if the book value benefit for a network security investment is eliminated to create an ultra-conservative approach, the payback period for this investment is still less than one year.

Ixia Worldwide Headquarters 26601 Agoura Rd. Calabasas, CA 91302 (Toll Free North America) 1.877.367.4942 (Outside North America) +1.818.871.1800 (Fax) 818.871.1805 www.ixiacom.com Ixia European Headquarters Ixia Technologies Europe Ltd Clarion House, Norreys Drive Maidenhead SL6 4FL United Kingdom Sales +44 1628 408750 (Fax) +44 1628 639916 Ixia Asia Pacific Headquarters 21 Serangoon North Avenue 5 #04-01 Singapore 554864 Sales +65.6332.0125 Fax +65.6332.0127 www.ixiacom.com 915-3532-01 Rev. A, April 2015 Key conclusions reached in this document include the following: You can reduce the $12.7M average annual costs for security breaches by up to 73%. Annual estimated costs are based the Ponemon Institute $5.85M per breach (in the USA) and the probability of experiencing a security breach. A representative example of a $1.8M resilient security investment can result in a net present value (NPV) of $11.8M with a payback period of 6.4 months. Even with an overly conservative approach that neglects any company value for a secure network, the payback period is less than one year. The rate of return on a representative resilient security investment is 49% Resilient security investments can prevent a reduction in company book value by up to 10% of the company s annual sales revenue You can reduce part of your OPEX costs, specifically corporate network mean time to repair (MTTR) intervals, by up to 80% Testing of security products can result in security vendor discounts up to 30%, although the real value is in having the correct vendor information up front to prevent costly decisions You can eliminate potential priority 1 network faults, resulting in average savings of $280K (per potential fault) These conclusions are reached through the combination of a basic security architecture, visibility architecture, and security resilience components. When combined with a life-cycle approach to securing your network, these three components maximize network security benefits while minimizing costs and risk potentials. Very few company investment options that you consider will achieve as fast a payback as a properly designed network security architecture. Conduct your own financial analysis and see for yourself. Note For a full copy of the business justification for network security, please see the full whitepaper An Executive Business Case for Network Security.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information