NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

The ROI of ThreatForce

Demonstrating the ROI of security investments has long been a challenge for SecOps teams. If an organization as a whole doesn’t put emphasis on such an investment the battle to prove its worth is always uphill because most will view it as intangible. We believe this narrative needs to be re-written. Security investments are quite tangible when you put the right light on them. ThreatForce is such a light.

According to the relatively recent Ponemon Study – Costs and Consequences of Gaps in Vulnerability Response, industry benchmarks state that over 400 hours per week (or 10.5 FTEs) are required to work on detection, remediation, documentation, reporting, and coordination between teams. That’s to do the job correctly. Given the resource constraints that most security teams have to face, only a small percentage of companies can boast that they get to spend this amount of time working on vulnerabilities. If you take this stat to your executive team and try to make the case that you need 10.5 total employees for this security function you’ll likely be laughed out of the room. 

Let’s do some simple math here to help change this narrative. Assume on average that one of these security FTE hires commands a salary of 130k a year. Tack on a 1.2x multiplier to factor in benefits. That’s a total FTE invest of $1,638,000 a year for your 10.5 headcount. That is the not-so-small number that will get you laughed out of that room full of executives. However, the sole addition of head count is not the best way to approach this conversation for getting additional critical resources. Nor is it the best way to accomplish this security function. This is where ThreatForce comes in.

A product like ThreatForce provides a robust summary of information related to vulnerability results with correlation and links to:

  • Exploit-DB and Metasploit DB of exploits
  • All related patch links under different vendors covering Linux, Unix, Windows, and mobile OS flavors.
  • Snort and Suricata IDS signatures
  • Correlated DB of malware and exploit kits
  • CWE, CPE, CAPEC and OVAL related links.
  • CVSS score and related components
  • Date published
  • OS
  • Attack vector

AKA ThreatForce makes the job of vulnerability prioritization and management a much leaner and efficient operation. To put it simply, you won’t need the same headcount if a tool like ThreatForce is in play. Combine ThreatForce capabilities with everything else that the UVRM platform can do (ITSM automation, asset discovery, reporting, etc.) and you’re looking at about a 70% reduction in the amount of time necessary to perform all the critical operations expected of a Vulnerability Management team.

Back to our math model. What was originally a necessary $1,638,000 yearly investment into headcount alone, now instead looks like a $491,400 yearly investment for a team the fraction of the size. Factor in the costs of the UVRM/ThreatForce platform (on average $358,000 a year) and your total investment comes out to $849,400, just under half the expense you were originally looking to argue the case for. Now this is just a portion of the ROI case to be made. Once you take into account the amount a typical data breach costs a company and the additional operational efficiencies you get from UVRM/ThreatForce, you start to paint a very ROI positive net return when you invest in such a platform.

To learn more about ThreatForce/UVRM or get the full financial ROI picture, we invite you to schedule a demo with us.

Schedule a Product Demo Today!

See how NopSec's end-to-end Cyber Exposure Management platform can organize your security chaos.