This article is part of a VB special issue. Read the full series here: Intelligent Security
Taking a rigorous, data-driven analytical approach to creating a business case for endpoint security delivers the added benefit of uncovering glaring weaknesses in an enterprise network. The goal needs to be greater visibility and control of every endpoint as a threat surface and asset. Complicating that challenge is the mercurially changing nature of machine identities, making a 360-degree view of endpoint security elusive to maintain.
Endpoints are the attack surface of choice for cybercriminals and nation-states, who often launch Advanced Persistent Threats (APTs) simultaneously at a broad base of endpoints. Their goal is to evade detection, move laterally, install ransomware, identify the systems with the most valuable data, and exfiltrate valuable customer, employee, and company data. A recent study by Tanium found that 55% of security and risk management leaders estimate that 75% or more of endpoint attacks can’t be stopped. A recent Cybersecurity Insiders report found that 60% of organizations are aware of fewer than 75% of the devices on their network, and only 58% of organizations say they could identify every vulnerable asset in their organization within 24 hours of a critical exploit. It takes the average enterprise 97 days to test and deploy patches to each endpoint.
Benchmark endpoint benefits first
CISOs tell VentureBeat that one of the best actions they took early in the process of creating their business cases for endpoint security was to complete an extensive audit of every endpoint they could locate. There’s a running debate in IT and cybersecurity teams over whether all endpoints in the world’s largest enterprises are accounted for. In reality, they are not. The CISO of one leading manufacturer of consumer packaged goods told VentureBeat that up to 35% of endpoints, especially those with machine identities, aren’t known today.
A good business case for endpoint security will close that 35% gap and put guardrails in place to ensure it never gets that large again. Quantifying the benefits works best when IT and cybersecurity teams take an audit mindset and delve into each endpoint, and the process they’re relying on today to identify them. Taking this approach often uncovers which endpoints are overloaded with agents, so many that software conflicts render the endpoint just as unprotected as if there were no agents at all. Absolute’s recent 2021 Endpoint Risk Report found that there are on average 11.7 security agents or controls on an average endpoint, creating potential software conflicts. The more security controls per endpoint, the more frequent the collisions and decay, leaving them more vulnerable than before.
Endpoint audits using advanced analytics identify over-configured endpoints and other potential areas that put enterprises at risk of a breach. The shift to the cloud for Endpoint Protection Platforms (EPP) is providing a faster onramp for enterprises looking for endpoint data. Combining anonymized data from their customer base and using Tableau to create a cloud-based real-time dashboard, Absolute’s Remote Work and Distance Learning Center provides a broad benchmark of endpoint security health in aggregate today. The dashboard provides insights into device and data security, device health, device type and device usage and collaboration. It’s a useful reference site for evaluating how the pandemic continues to impact device usage and endpoint security.
Benchmarking the following series of benefits is a good starting point for building a business case:
- Quantify the gains that could be made by reducing the IT Help Desk’s time on endpoint configuration management. It’s a fair assumption that reducing the IT Help Desk’s call volume for endpoint configuration requirements can net out at least $45,000 a year. That’s based on the assumption of a call taking 10 minutes and a total time savings of around 1,260 hours every year.
- Reducing asset loss and device write-offs can conservatively save $300,000 a year in a typical enterprise. A primary factor in getting CISOs to commit the time and resources to an endpoint audit is to get control of this number; it’s the number of endpoint devices written off every year because they’re lost, stolen or not accounted for. Audits often find up to 40% of endpoints either inoperable, stolen or unallocated over a year. This also becomes a factor driving self-healing endpoints, as they often provide real-time status updates on their configurations down to the OS, BIOS and patch levels.
- Audit and identify the cost savings of not having to put secops through fire drills and rushed emergency endpoint projects, using analytics to track time savings. IT directors say a lack of consistent endpoint security management burns thousands of hours a year and rarely provides the visibility and control of endpoints so badly needed in enterprise networks today. Getting to visibility of every endpoint is the goal in this phase of any audit being done in support of a business case. Fortunately, there’s a significant amount of innovation going on in this area, with a diverse group of vendors offering solutions. They include Absolute, CrowdStrike, CyCognito, Ivanti, Microsoft Defender for Endpoint and others. IT teams tell VentureBeat that, based on their own estimates, approximately 2,500 hours could be saved from firefighting emergency endpoint security problems with a proven EPP platform. Assuming a typical enterprise’s cost structure, the 2,500-hour savings alone would net out to $130,000 a year.
- Analytics on endpoint use and condition are table stakes for getting endpoint asset lifecycle planning right. Endpoint platforms need to support analytics down to the endpoint level to deliver the data needed for more accurate asset lifecycle projections and financial models. Asset lifecycles are becoming shorter on all endpoint devices, creating the potential for large, unforeseen cost variances enterprises will have to cover if they don’t arrive at an accurate lifecycle planning figure. Getting this right with analytics and the financial data on how much is invested in endpoints in turn drives Return on Invested Capital (ROIC) and can conservatively save a typical enterprise approximately $140,000 in amortization and depreciation costs alone.
- Analytics improves regulatory and internal audits and can save $67,000 a year in regulatory audit prep time and expense alone. A few of the many regulatory audits enterprises need to be prepared to pass down to the endpoint level include the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
How much endpoint security will cost
These are the costs most often included in an endpoint security business case:
- Annual and multi-year licensing cost scenarios, depending on the vendor. There’s a wide spectrum of pricing models that Endpoint Protection Platform (EPP) providers rely on today. One of the market-leading vendors of cloud-based EPP platforms that promise self-healing, autonomous endpoint technology has a range of licensing costs from $750K to over $1.7M.
- ITSM and legacy system integration, customization, implementation and change management costs, which are commonly bundled into professional services. Most enterprises want endpoint security integrated across their tech stacks, and CISOs tell VentureBeat the time pay-offs with ITSM integration are worth it. Baseline figures VentureBeat received from EPP vendors range from $40K to over $150K to integrate EPP, ITSM and installed SIEM.
How to define a business case for endpoint security
While the initial goal of creating a business case for investing in endpoint security is to gain funding, the rigor of quantifying the costs and benefits often identifies large gaps in endpoint security coverage and security.
Insightful, rigorous use of analytics to identify endpoint security costs and benefits pays off with a more accurate 360-degree view of endpoints for the first time. The audit that organizations do to gain the data needed for the following Return on Investment (ROI) calculation provides, for many, the first true, quantified view of just which endpoints are actually active and in use. It’s also invaluable for capturing the figure of lost endpoints, something CISOs admit to VentureBeat few companies have 100% visibility into today.
The following is the ROI calculation to define what an enterprise can reasonably expect to achieve on endpoint security investments:
Endpoint Security ROI = (Endpoint Security Benefits – Endpoint Security Costs) / Endpoint Security Costs x 100.
An insurance and financial services enterprise recently completed an internal audit, and the projected annual benefits of their endpoint security deployment will be $475,000 against a cost of $65,000, yielding a $6.30 net return for every $1 invested.
Lessons learned from enterprises that have successfully created an ROI for endpoint security include the following:
- Start with an endpoint pilot and benchmark costs by phase. Even the most-researched ROI models can vary over time. It’s best to complete an initial pilot on a series of endpoints, then truth-test the assumptions of the ROI model with actual financial data. Pilot programs help identify areas where previous approaches to endpoint security left gaps that leave an enterprise more vulnerable than before.
- Analytics are the guardrails every endpoint security strategy needs to stay on track. Selecting an EPP platform or endpoint security solution that includes analytics as part of its baseline is critical to success. It’s a bonus if there are APIs that can be used for gathering data and giving greater flexibility in defining custom metrics and Key Performance Indicators (KPIs).
- Keep C-level sponsors involved beyond go-live with future plans and wins. Too often, once an endpoint security project is rolled out, C-level sponsors move on to another project. Getting their buy-in and support for future roadmaps is also key for getting the most value from endpoint security investments over the long term.
Endpoint security and its future benefits
Defining a business case for endpoint security needs to quantify as many benefits and costs beforehand as possible if it’s going to succeed. The time savings alone that IT teams can realize from automating patch management and self-healing endpoints are significant. Add to that more effective endpoint discovery and asset management data, and the business case becomes an easier decision for C-level executives and, in some cases, the board to support.