How to show ROI for Cyber Security

This article was originally posted on LinkedIn here.

Allow me to start with a big elephant in the room… Return On Investment (ROI) in cyber security!

For MOST (not all) companies, cyber security products are not a “money maker/earner”. They “take” money and don’t “make money”.

So how can something which doesn’t make money create an ROI?

This has been a big challenge for many years. Cyber security was mostly a non-proactive sale. To simplify it (or to put it less politically correctly): before our current era of cyber security, products were not something you bought; they were something you were “forced” into reactively, because of an incident or a regulation.

Now, in the current era, many companies finally understand that without cyber security you can’t survive in the technological landscape. You can be the most ‘non-technological’ company. But the way you work and communicate will still be technology-based.

To work out ROI for Cyber Security, it needs to be based on Threat Risk. You need to quantify the following vectors for each risk:

  • Market Loss
  • Sale Loss
  • Salary Loss
  • Regulation Loss

You don't quantify ROI by “how much money the solution will make for you”. You quantify ROI by “how much money you may lose if you don't use solution X”. If the total solution cost is less than the threat figure (which it usually is), that is your positive ROI.

A cyber threat is not a question of IF, it's a question of WHEN. It has been like that for at least 3-5 years.

Based on the Boardish Methodology which I have created (boardish.io) – the ROI for Cyber Security is based on:

Quantifying the amount of Mitigation that Solution X provides for Threat Y while integrating the complete cost of Solution X.

To simplify: What is the size of the threat? > How much does my solution help to reduce the risk from the threat? > What is the total solution cost? = Does it make sense to buy the solution?

Here is an example from the Boardish application sample dashboard (see screenshot below):

The Threat is: Fire-Water Disaster

The Total Threat Loss is: $119.48M

* the total threat loss is calculated by the Boardish Methodology – see our website for more info

The Solution is: VEEAM – Disaster Recovery

The Total Solution Cost is: $29,500 (Includes the IT labour to install and run the solution)

The Solution Contribution on-prem is $107.54M, which means that most of the on-prem threat risk is mitigated by the solution.

(The Solution Contribution In-Cloud is zero because for this example VEEAM is not used for Cloud backups, just on-prem.)

[Screenshot: ROI dashboard]

So to sum up what the dashboard shows us:

We have a Threat with a risk figure of almost $120M, and we have a solution costing $29,500 which mitigates MOST of the threat. The ROI for VEEAM against Fire-Water Disaster is crystal clear: it's a very easy, positive ROI.
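As an added worked example (not part of the original article and not Boardish's own calculation), the methodology above reduced to a small calculator: a threat is quantified as the four loss vectors per environment, a solution's contribution is the share of each environment's loss it mitigates, and the total solution cost includes IT labour hours, as the $29,500 figure does. The per-vector split, the 95% on-prem mitigation, the labour hours, hourly rates and licence fee are constructed so that the totals reproduce the dashboard figures quoted above.

```python
from dataclasses import dataclass

# Hourly rates per IT role: constructed for this example (the article gives none).
HOURLY_RATES = {"cyber_expert": 150.0, "it_level3": 100.0, "it_level1": 50.0}

@dataclass
class Threat:
    """One risk, quantified as the four loss vectors per environment."""
    name: str
    loss_by_env: dict  # env -> {"market"|"sales"|"salary"|"regulation": dollars}

    def total_by_env(self):
        return {env: sum(v.values()) for env, v in self.loss_by_env.items()}

    def total(self):
        return sum(self.total_by_env().values())

@dataclass
class Solution:
    name: str
    licence_cost: float
    labour_hours: dict  # role -> hours to install and run the solution
    mitigation: dict    # env -> fraction (0..1) of that environment's loss removed

    def total_cost(self, rates=HOURLY_RATES):
        labour = sum(h * rates[role] for role, h in self.labour_hours.items())
        return self.licence_cost + labour

def contribution_by_env(threat, sol):
    """Dollar loss avoided per environment: exposure x mitigation fraction."""
    return {env: loss * sol.mitigation.get(env, 0.0)
            for env, loss in threat.total_by_env().items()}

def roi_report(threat, sol):
    """Apply the article's rule: positive ROI when loss avoided exceeds total cost."""
    contrib = contribution_by_env(threat, sol)
    avoided, cost = sum(contrib.values()), sol.total_cost()
    return {"threat_total": threat.total(), "contribution": contrib,
            "loss_avoided": avoided, "solution_cost": cost,
            "net_benefit": avoided - cost, "positive_roi": avoided > cost}

# Constructed sample: vector split, 95% on-prem mitigation, hours and licence fee
# are invented so the totals reproduce the dashboard figures quoted in the article.
FIRE_WATER = Threat("Fire-Water Disaster", {
    "on-prem":  {"market": 40e6, "sales": 50e6, "salary": 13.2e6, "regulation": 10e6},
    "in-cloud": {"market": 2e6, "sales": 3e6, "salary": 0.78e6, "regulation": 0.5e6},
})
VEEAM_DR = Solution("VEEAM - Disaster Recovery", licence_cost=16_900.0,
                    labour_hours={"cyber_expert": 20, "it_level3": 48, "it_level1": 96},
                    mitigation={"on-prem": 0.95, "in-cloud": 0.0})
```

Calling `roi_report(FIRE_WATER, VEEAM_DR)` returns the $119.48M threat, the $29,500 cost, the $107.54M on-prem contribution with zero in-cloud contribution, and flags the ROI as positive.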

Our clients, our board, and our decision-makers need clarity to make decisions. Let's give them a clear Risk & ROI quantification!

* From my personal experience, VEEAM is one of the easiest products to sell because of this 🙂 and I use it for my own clients. A big and CLEAR threat with a relatively inexpensive solution.

Eli Migdal – Founder of Boardish

How to sell “Expensive”​ networking equipment like Cisco Meraki

This post was originally posted on Linkedin by our co-founder Eli Migdal here.

Let's get it out there from the get-go: Meraki is expensive, more expensive than most Fortinet devices, Ubiquiti and the like.

This is not an article on “how great Meraki is” (I do love Meraki, but I love Fortinet and others as well) but it’s more about the selling process of “expensive” networking gear to your decision-makers or clients.

From my experience it’s all about the hidden costs.

Networking, particularly for multiple remote locations (like remote sites of your company), has a significant hidden cost factor, which leads to the common question from decision-makers: “how many IT resources does it require?”

  • What IT resources does it require to design and do the initial configuration?
  • What IT resources does it require for ongoing maintenance like configurations and patching?
  • What IT resources does it require when you have a malfunction?

Usually, the classical purchasing / scoping approach will be:

  • Find the vendors who can provide all of the above requirements
  • Find out who is providing a better technical spec for those requirements
  • And finally, who is cheaper to purchase from

In that approach the “one-time” purchase price, and at most the licensing cost, ends up being the big “decision-maker”.

When considering networking for remote sites, I think we need to first ask ourselves: “Which IT resources will we require to configure it, run it, maintain it and fix it when needed?”

Then we need to put the geographical element into the picture: with 3 remote sites in different locations and time zones, your IT needs to be able to provide all the necessary IT services across them.

The major cost difference will be in the IT resources and NOT in the initial purchase price.

Let’s take the following Scenario:

Note: I am not addressing the “Cyber Security aspect” of it in this article but mostly the networking functionality.

  • Main HQ site
  • 3 Remote sites in different timezones
  • Most services are cloud-based (like Exchange Online, Virtual Machines) on solutions like AWS, Azure etc.

All remote sites need:

  • Production level WIFI with several segregated SSIDs
  • VOIP
  • Secure access to all cloud-based services via laptops, desktops, and mobile (VPNs, etc.)
  • SD-WAN is required to optimize the bandwidth expenses and prioritize business-critical devices.

It would look a little something like this:

[Image: Site Diagram]

So now let’s ‘sell’ the Meraki unique advantages:

In my view, Meraki made a game-changing move when it pushed enterprise-grade hardware (at least for most functions) that is “cloud plug & play”, with specific features like:

  • Central web management for MOST of the functions without the need for separate “cloud devices”. You can manage almost everything in one web-based (and app) control panel.
  • Most of the devices are pure ‘plug & play’: they will “take” their configuration from the cloud. A perfect example is access points: you configure all the networking, SSIDs and routing in your web portal and order the access point to be delivered to your remote site. When the local person plugs it in, it downloads all the required configuration and starts working, “just like that”.
  • The ability to configure site-to-site VPN with several clicks (both between Meraki devices and between Meraki and the cloud).
  • A proactive approach to networking issues. Usually, when you go “full Meraki” (Firewall > Switch > Access points), the Meraki system is “aware” and most WIFI issues, IP duplication and networking loops will be automatically corrected while the system notifies you.

So how does the above help with the sales process? It reduces the IT expenses by at least 50% from my experience, compared to, for example, Fortinet solutions.

Just imagine the scenario of sending a “non-plug & play” access point to a remote site. You will need to pre-configure it and make sure you got everything 100% right, OR ELSE you have no connectivity and you will be required to use local IT resources (more costs).

* I personally think that Fortinet is more secure and has much more flexibility but they are much more “Resource heavy” to deploy globally. I will do an additional article on how to quantify security efficiency.

But to make the sales process efficient we need to quantify the labour cost for design, initial configuration, installation, maintaining and fixing.

Doing this gives us the true cost of a solution, allowing a more accurate comparison with others and giving you more options and leverage when selling to the board.

Using www.Boardish.io to help us quantify the exact annual labour cost, we can see that it requires:

  • 20 hours of a Cyber Security expert for the initial design
  • 48 hours of 3rd Level IT
  • 96 hours of 1st level IT

Based on average hourly costs, this gives a labour cost of 15K annually. From my experience of quantifying other networking equipment, this is one of the least labour-intensive pieces of gear long-term.

[Image: Costs]

In Summary:

To sell ‘expensive’ networking equipment like Meraki, you should be showing the hidden costs and IT resources (labour costs), thinking from the decision-maker's perspective on what they are trying to achieve and how the solution helps them get there.

In many cases, ‘cheaper’ equipment is actually much more expensive than its initial purchase price suggests. And Boardish can help you show them why, with actual figures.

Last note on Meraki – I LOVE Meraki equipment due to all the reasons above and for those exact reasons I “hated” the “Legacy” CISCO devices!… I think CISCO did a very smart move of purchasing Meraki and giving us the ability to finally LOVE CISCO products.

Eli Migdal

Co-Founder of Boardish.
