Making the Business Case for Network Security Policy Management: Part 1 of 4

“Return on investment” does not come naturally when evaluating the purchase of security products. The reason for this is fairly simple as you don’t get credit for protecting data or for keeping the business running – you only get the blame if data is lost or stolen, or if business is disrupted.  Security is
like an insurance policy – no one really wants to spend money on it, but it’s something most would agree you HAVE to. How you MANAGE security, however, is different.

The majority of organizations today still manually perform many security management functions and there are methods and solutions out there that can be used to significantly improve security operations AND reduce costs. Automating business processes around firewall policy management provides organizations quantifiable
savings in terms of personnel time, freeing up staff to focus on more
strategic, business-critical tasks. Of course there is always the softer value of improved accuracy, reduced risk, etc. all of which reduce the chance of a data breach or network outage from occurring at your organization.

In this blog series I’d like to examine four security management challenges that many organizations face and make the business case with some hard numbers that prove how network security policy management automation can have a positive return from an operational and financial perspective.

Today, we’ll focus on firewall audits (For more on firewall audit best practices check out my previous blog series Simplifying Firewall Audits and Ensuring Continuous Compliance).

In some of my conversations with customers, I’ve been told that before relying upon a firewall policy management solution, they were spending up to three weeks per firewall to conduct an audit. If your organization has more than a handful of firewalls, this can quickly eat up your IT and security teams’ time. It all depends on your teams’ audit experience as well as how good the firewall policy documentation is – which usually is lacking to say the least. No wonder Forrester Research said that manually conducting a firewall audit is “nearly impossible”.

I’d like to examine how to determine the financial benefit of automating firewall audits. Key information you need to perform this simple math:

• Identify the number of firewalls in your environment
• Determine the amount of time spent manually auditing each firewall
• Determine the average weighted cost of staff responsible for performing the audit

Now that you have this information, you can start to crunch some numbers to understand what you are ultimately spending on each manual firewall audit:

• Multiply the number of firewalls by the number of hours spent auditing each firewall (this tells you the total number of hours spent for an audit of your firewall estate)
• Multiply the weighted cost of staff responsible for performing the audit by the total number of hours spent manually auditing each firewall

Remember, many organizations will go through more than one audit
per year, whether its one requirement that mandates multiple audits per
year (PCI-DSS compliance requires undergoing multiple audits per year),
or whether its multiple regulatory requirements, industry standards
and/or corporate policies.

Now if you automate firewall policy management, you
can reduce the number of hours by as much as 80% (based on our customers’
experiences). If
you assume a minimum of two audits per year, that’s a signficant chunk of savings. Ain’t math grand?!

Obviuously you have to use your own metrics and factor in the cost of the firewall policy management software, but considering we’ve only dissected this from an audit aspect in this blog, there is a lot of financial benefit as well as operational reasons to automate this process.

On Thursday, 9/20 at 11am ET, we will go through more of these examples with real numbers in a 30-minute webcast titled Show Me the Money to help you make the case with your management for automating firewall policy management. We hope to see you there.