Time and again we hear about the misuse of privileged insider credentials in data breaches. But despite the enormous people, process and technology investments made to mitigate these risks, breaches continue to happen. With the financial impact of each breach so deeply felt, many customers are right to demand some calculation of security ROI.
But, determining a return on investment for any security product is a challenging proposition. We find that getting to a security ROI has as much to do with mitigating the downstream effects of certain administrative practices as it does with reducing actual risk. Quantifying that risk reduction, however, is the trickiest part. That’s why the better way to look at risk is through the lens of reducing attack surfaces.
Let’s take a look at two common mechanisms for determining ROI for a privileged password and session management deployment as a way to reduce a breach attack surface.
Mitigating the costs and risks of a data breach
The average cost of a data breach in the US is about $195 per compromised record (Ponemon, 2015), and the average number of records compromised in a US data breach is roughly 29,000. Multiplying the two gives more than $5.6 million per breach. This is a back-of-envelope figure (the product of two averages, and the cost varies by industry), but it is enough to show the scale. In this example we chose the Ponemon data for calculating impact, although there are other sources available as well.
This is but one data point to show how expensive reactive measures such as forensic investigations, consulting services and legal fees can be, not to mention the distraction and lost productivity, after a data breach has occurred.
An investment in a solution that proactively provides control and accountability over how enterprise passwords are managed (checked in and out), cycled (so that stale passwords cannot keep being used) and monitored (usage in real time) will shrink the attack surface created by misuse of privileged credentials and stave off some of those reactive costs.
Risk reduction is hard to measure, and you can never eliminate all risk, so you should be looking at reducing the attack surface instead.
Reducing the costs and inefficiencies of manual processes for password rotation
A second way to look at security ROI is in redirecting high-value people to more productive work. The process of managing and cycling privileged passwords across an enterprise is time-consuming. For example, let's say you have one admin responsible for managing 100 systems. She has to rotate the passwords on those assets every 30 days according to policy. It would take several person-hours for her to:
- visit each system's management console
- know the administrator password (or find it if it’s not easily accessible)
- change the password
- record the new password in some manual mechanism (which, by the way, isn't compliant with most industry regulations)
- move on to the next system and repeat
Let's say that exercise takes 10 minutes per system. Multiply that by 100 systems and you have 1,000 minutes, or just shy of 17 hours over the course of a month. That's more than two working days a month to execute this activity on top of the rest of her responsibilities. Every month.
What are 24 working days a year (almost 5 weeks!) of an admin's job worth? Assuming a $100,000 salary, 5 weeks is about $10,000.
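To make the two back-of-envelope figures above reusable with your own numbers, here is a small calculator added for this article (it is not BeyondTrust's code). It reproduces the breach-cost and manual-rotation arithmetic as functions, generalises the rotation case to several admins and any rotation interval, and adds a net-savings check against a tool's annual cost. The working-time basis (8-hour day, 5-day week, 52 weeks), the tool cost and the residual manual fraction in the usage are assumptions for illustration, not figures from the article.

```python
from dataclasses import dataclass

# Assumed working-time basis for converting hours into days, weeks and salary.
WORK_HOURS_PER_DAY = 8
WORK_DAYS_PER_WEEK = 5
WEEKS_PER_YEAR = 52


def breach_cost(cost_per_record: float, records: int) -> float:
    """Back-of-envelope breach cost: per-record cost times records exposed.

    The article's inputs are $195/record and 29,000 records (Ponemon, 2015).
    """
    return cost_per_record * records


@dataclass
class RotationEffort:
    """Labour consumed per year by hand-rotating privileged passwords."""
    hours_per_year: float
    working_days_per_year: float
    weeks_per_year: float
    labour_cost: float  # salary-equivalent value of that time


def manual_rotation_effort(systems: int, minutes_per_system: float,
                           rotations_per_year: float, annual_salary: float,
                           admins: int = 1) -> RotationEffort:
    """Cost of the manual console-by-console rotation loop.

    `admins` is an extension of the article's single-admin case: each admin is
    assumed to own `systems` hosts at the same salary. A 30-day policy is
    treated as 12 rotations a year, as the article does.
    """
    total_minutes = systems * minutes_per_system * rotations_per_year * admins
    hours = total_minutes / 60
    days = hours / WORK_HOURS_PER_DAY
    weeks = days / WORK_DAYS_PER_WEEK
    # Weeks already totals across admins, so price them at one weekly salary.
    cost = annual_salary / WEEKS_PER_YEAR * weeks
    return RotationEffort(hours, days, weeks, cost)


def net_annual_savings(effort: RotationEffort, tool_annual_cost: float,
                       residual_manual_fraction: float = 0.0) -> float:
    """Labour saved by automation minus the tool's annual cost.

    `residual_manual_fraction` is the share of manual effort that remains after
    automation. The article says no tool removes every inefficiency but gives
    no figure, so any value here is an assumption.
    """
    if not 0.0 <= residual_manual_fraction <= 1.0:
        raise ValueError("residual_manual_fraction must be between 0 and 1")
    saved = effort.labour_cost * (1.0 - residual_manual_fraction)
    return saved - tool_annual_cost


if __name__ == "__main__":
    # The article's own numbers.
    print(f"Breach cost: ${breach_cost(195, 29_000):,.0f}")
    effort = manual_rotation_effort(systems=100, minutes_per_system=10,
                                    rotations_per_year=12, annual_salary=100_000)
    print(f"Manual rotation: {effort.hours_per_year:.0f} h/yr, "
          f"{effort.weeks_per_year:.1f} weeks, ${effort.labour_cost:,.0f}")
    # Assumed tool cost and residual effort, purely to show the comparison.
    print(f"Net savings: ${net_annual_savings(effort, 5_000, 0.2):,.0f}")
```

The 200 hours a year the function returns for the article's inputs is 25 working days rather than the 24 quoted above, because the article rounds the monthly figure down to two days before multiplying by twelve; the 5-week and roughly $10,000 conclusions are unchanged.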
Privileged password and session management solutions automate password management and cycling, letting IT apply rotation policy to groups of systems instead of one console at a time. A thorough discovery exercise finds the privileged accounts across the estate and places them into smart groups so they can be managed more efficiently from a single console.
While no solution is going to eliminate every inefficiency, redirecting 5 weeks of a talented IT administrator's time back to something value-creating is a positive ROI in any book.
There is no magic bullet for determining ROI, and for the use case of privileged password and session management we've offered only a couple of perspectives here. We're interested in how you calculate ROI for security overall, or for a privileged account management deployment. Share it with us!

Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.