Looking at IT security through an ROI lens is a hard sell to make. That’s because you don’t really get credit for not having data lost or stolen, or for not having a business disruption. Security is like an insurance policy. You could take the approach of not investing much there, but if something goes wrong, which is bound to happen, the business will most likely cease to exist. But if everything is ok, it’s hard to argue a positive ROI.
You can, however, put an ROI around how you MANAGE security policy, especially when it comes to managing the deluge of firewall changes. Many organizations struggle with change processes – which is why many go into network freezes during high-traffic or high-revenue times of the year. To be successful in today’s business environment, you must be agile. Change is a constant, but too many organizations rely upon manual processes, which typically take too long and still leave some checks and balances to be desired. And the pain only increases with the growing adoption rate of secure web gateways and next-generation firewalls. While greater policy granularity enables organizations to enforce greater control, it also increases the opportunity for change requests to arrive in greater volume and at a faster pace.
So thinking about how to show ROI from a firewall change management perspective, here are three attributes to look for, all based on automation:
- By automating previously manual processes, you can take the weight off of IT’s shoulders, saving time and resources. And you can significantly improve business agility, which is a competitive advantage in today’s 24x7x365 business environment. Firewall policy management solutions can provide ROI by automatically analyzing the firewall rulesets, the network topology, and your corporate security policy. To put this in numbers, we’ve seen our customers save more than 50% of the time required to process a firewall change – from automatically pinpointing the exact devices that need to be changed, to proactively assessing the risk and designing the change in the most optimal way.
- Our research has shown that as much as 30% of requested firewall changes are not necessary, and many others are implemented incorrectly. So if you can automatically identify and close “already works” requests, and also ensure changes are performed exactly as requested, there is a clear return.
- In today’s highly regulated environment, IT audits are all too common and all too time-consuming – whether to address regulatory or internal security requirements. IT teams typically find themselves spending significant time ensuring each change is properly documented to address any questions an auditor may have. So if you can maintain a detailed history of every step of every change request, it saves precious time spent trying to go back and “figure it out.”
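To make the “already works” check from the second point concrete, here is an added sketch (not Algosec’s code or any product’s API) that triages a change request against a first-match ruleset. The rule names, addresses and the `triage` function are constructed for illustration, and it assumes IPv4 CIDRs, a concrete protocol in each request, and an implicit deny at the end of the ruleset.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp" or "udp"; rules may also use "any"
    ports: tuple  # inclusive (low, high)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    match: Flow

def _relation(rule: Flow, req: Flow) -> str:
    """Return 'covers', 'overlaps' or 'disjoint' for a rule versus a request."""
    covers = True
    for r_net, q_net in ((rule.src, req.src), (rule.dst, req.dst)):
        r, q = ipaddress.ip_network(r_net), ipaddress.ip_network(q_net)
        if not r.overlaps(q):
            return "disjoint"
        covers &= q.subnet_of(r)
    if rule.proto != "any" and rule.proto != req.proto:
        return "disjoint"
    (rl, rh), (ql, qh) = rule.ports, req.ports
    if rh < ql or qh < rl:
        return "disjoint"
    covers &= rl <= ql and qh <= rh
    return "covers" if covers else "overlaps"

def triage(rules, req):
    """Classify a request by the first rule that touches any part of it."""
    for rule in rules:
        rel = _relation(rule.match, req)
        if rel == "disjoint":
            continue
        if rel == "overlaps":
            # Only part of the request hits this rule: never auto-close it.
            return ("needs_review", rule.name)
        verdict = "already_works" if rule.action == "allow" else "blocked_by_rule"
        return (verdict, rule.name)
    return ("needs_change", None)  # falls through to the implicit deny

# Constructed sample ruleset, evaluated top to bottom.
RULES = [
    Rule("deny-guest", "deny", Flow("10.1.9.0/24", "10.20.0.0/16", "any", (0, 65535))),
    Rule("web-tier", "allow", Flow("10.1.0.0/16", "10.20.5.0/24", "tcp", (443, 443))),
    Rule("db-admin", "allow", Flow("10.1.2.0/24", "10.20.8.10/32", "tcp", (5432, 5432))),
]
```

A request is closed as “already works” only when the first rule touching it is an allow that covers it completely; a partial match is routed to a person, because a wider request can straddle an earlier deny.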
Automating the firewall change workflow is about more than just reducing risk and improving your security posture – it’s about creating savings that can be put back into the business and enabling the business to respond adeptly to changing requirements. Looking back at this, maybe we should call it ROA… Return on Automation. Algosec has created this ROI calculator to help you identify the opportunity for your organization. Good luck and enjoy!
By Sam Erdheim, Algosec