As a matter of principle, I'm not a huge fan of return on investment (ROI) analyses when positioning or marketing security products. The numbers are squishy on a good day, and the reality is that security professionals are trying to control downside risk, as opposed to actually providing a "return." But I'm also pragmatic enough to realize that customer CFOs and other bean counters require some type of quantitative analysis before they write a check for much of anything.
As an alternative to ROI, I suggest that a better way to make the economic case for most security technologies is within the context of "cost avoidance." Since the CFO's job is to make investments that either make money or save money, we can make a compelling case for why a technology like unified threat management (UTM) will help to save money.
Let's break down four different ways to show how UTM can help with cost avoidance. These range from solid to a bit optimistic, but remember that one of our key responsibilities during the sales process is to give the internal customer champions overwhelming data to justify the purchase. The last thing I want is a deal to fall through at the 11th hour because we didn't show "enough" cost avoidance.
#1: Maintenance reduction
UTM is all about collapsing what were three or four different security functions into one device. This is some combination of firewall, VPN, IDS/IPS, gateway antivirus, antispam and/or Web filtering. Many clients already have individual network security devices implemented for each of those functions and are paying three to four different vendors for maintenance on all of those products. This is the lowest-hanging fruit from a cost avoidance standpoint. Just show the customer how they can eliminate three out of the four maintenance streams by implementing the UTM gear.
I've seen environments where customers have been able to show payback on the equipment within six months, while also showing a 75% reduction on the maintenance outlay. This is a pretty powerful argument, even for the tightest CFO.
#2: Management effort
As compelling a case as reducing maintenance is, let's not forget about improving the staff's efficiency. CFOs and the like are always pushing to do more with less, and UTM lets an organization simplify its environment. If the staff doesn't have to deal with multiple products with multiple policies across multiple management consoles, efficiency will undoubtedly increase. The potential savings can be upwards of 30-40%, but your customer's mileage may vary.
One note of caution here: It's important to position the efficiency gain as providing more horsepower to do strategic things, as opposed to allowing your customers to reduce headcount. Though it doesn't make sense, a lot of IT managers are still focused on building empires (and the associated large staffs), as opposed to exerting influence. So you don't want to try to sell them anything on the basis of reducing staff, but rather on the ability to get to those strategic projects that have been lagging.
#3: Increase security -- increase availability and protect intellectual property
Although not as commonplace, you'll still run into environments where the customer is only using one device (a firewall/VPN, for example), so neither the maintenance reduction nor the efficiency increase argument will resonate as much. At this point, go after tighter security. How does that avoid costs? Glad you asked. You don't try to sell "better security," but rather the business-level benefits of better security.
Those tend to be around maintaining system availability and protecting intellectual property. If the IPS capability within the UTM helps to stop an attack, that eliminates downtime. What does downtime cost the company? Again, it's squishy -- but there is a cost. The same goes for intellectual property protection. What is the economic impact of a competitor getting the customer list or a new product spec? A bit squishier to quantify, but some customers are very sensitive to protecting their electronic assets. It's also helpful to bring the discussion back around to business value.
#4: Facilitates the compliance process
Finally, many CFO types continue to be concerned with regulatory compliance. It could be HIPAA for healthcare organizations or GLBA for financials. Increasingly, even mid-sized private businesses are pulled into the fray because of the PCI DSS guidelines that are applicable to any organization that takes payment via credit cards.
The biggest cost involved with compliance is just gathering and packaging up data to show to the auditor. Where that information would otherwise need to be aggregated from three to four different devices, an integrated UTM product streamlines the process. In fact, some of the more advanced products provide an option to pull specific compliance-oriented reports directly from the box. Is this a primary driver? Probably not, but it's another nail in the coffin of stand-alone security products.
So what's the catch?
As I've outlined above, there is a clear economic benefit to UTM in most environments. Helping your customer make that case to the finance folks is pretty straightforward. As long as you are sensitive to showing how any productivity gains can be brought to bear on more strategic projects, and how ultimately security and compliance efforts can be improved -- UTM will prove to be a no-brainer for many of your customers.
About the author
Mike Rothman is President and Principal Analyst of Security Incite, an independent information security research firm. Having spent over 15 years as an end-user advocate for global enterprises and mid-sized businesses, Mike's role is to educate and stimulate thought-provoking discussion on how information security contributes to core business imperatives. Prior to founding Security Incite, Mike was the first network security analyst at META Group and held executive level positions with CipherTrust, TruSecure, and was a founder of SHYM Technology. Mike is a frequent contributor for TechTarget and a highly regarded speaker on information security topics.