Time and again we hear about the increasing misuse of privileged insider credentials in data breaches. But despite the enormous people, process and technology investments made to mitigate these risks, breaches continue to happen. With the financial impact of each breach so deeply felt many customers are right to demand some calculation on security ROI.
But, determining a return on investment for any security product is a challenging proposition. We find that getting to a security ROI has as much to do with mitigating the downstream effects of certain administrative practices as it does with reducing actual risk. Quantifying that risk reduction, however, is the trickiest part. That’s why the better way to look at risk is through the lens of reducing attack surfaces.
Let’s take a look at two common mechanisms for determining ROI for a privileged password and session management deployment as a way to reduce a breach attack surface.
Mitigating the costs and risks of a data breach
The average cost of a data breach in the US is about $195 per compromised record (Ponemon, 2015), with the average number of records compromised in a data breach in the US roughly 29,000 records. A quick calculation shows that the average cost of a data breach could reach more than $5.6 million dollars. This cost varies by industry, of course. In this example we chose the Ponemon data for calculating impact, although there are other sources available as well. This is but one data point to show how expensive reactive measures such as forensic investigations, consulting services and legal fees can be, not to mention the distraction and lost productivity, after a data breach has occurred. An investment in a solution to proactively provide control and accountability over how enterprise passwords are managed (checked in and out), cycled (to prevent stale passwords from being used), and monitored (usage in real time) will shrink the attack surface from the misuse of privileged credentials used in data breaches and stave off some of those reactive costs. Risk reduction is a hard thing to measure, and you can never eliminate all risk, so you should be looking at reducing the number of attack surfaces instead.Reducing the costs and inefficiencies of manual processes for password rotation
A second way to look at security ROI is in re-directing high-value assets to more productive purposes. The process of managing and cycling privileged passwords across an enterprise is time-consuming. For example, let's say you have 1 admin responsible for managing 100 systems. She has to rotate the passwords on those assets every 30 days according to policy. It would take several person-hours for her to:- visit each system's management console
- know the administrator password (or find it if it’s not easily accessible)
- change the password
- note the password in some manual mechanism (which by the way isn't compliant with most industry regulations)
- move on to the next system and repeat
