Rezilion’s ROI Calculator Explained
The Challenge of Quantifying Security ROI
One of the most difficult parts of any security program is demonstrating the return on investment for a product or service. Since you’re likely focused on preventing a breach or attack, and showcasing the value in that, addressing ROI can feel like trying to prove a negative. Our ROI calculator overcomes this hurdle by focusing on something much easier to understand – time. Rezilion Validate is designed to eliminate security bottlenecks to innovation by automating and removing as much manual work as possible. This approach saves you time, and that time translates to significant cost savings.
Scoping Your ROI Calculator Results
One of the key considerations for the ROI calculator is that it reflects your organization and your scope of responsibility so that you can take action on it as easily as possible. This is why we start with scoping. The number of vulnerabilities you have to manage is largely based on the rate that new code is pushed, and the number of servers in your environment. Code pushes vary, but the number of developers creating new code is a good estimator for the number of releases and corresponding vulnerabilities. The number of servers is also a good estimator for infrastructure vulnerabilities and how many instances of a unique vulnerability exist in your environment.
The final selection is the most important because we want these results to reflect your scope within your organization. We know that frequently different teams are responsible for vulnerabilities within the application and infrastructure layers. Still, if you’re lucky enough to own both, then we can provide you with results that show significant time and cost savings across both layers.
This leads to one or two input tables that are key to the entire calculation. If you selected “Infrastructure,” you can plug in your latest host and infrastructure scanning results into the table or your best guesses. If you selected “Application,” plug in or estimate the number of critical, high, medium, and low vulnerabilities currently in your queue. If you selected both, the calculator would combine both of these tables for the final results.
Behind the Numbers
After inputting the scope and estimated number of vulnerabilities, you’re likely looking at some pretty staggering numbers. Are you possibly spending that much time on vulnerabilities that pose no risk? Does that wasted effort really add up to that much money? It might seem too good, or bad, to be true, but the results are based on a number of factors.
Based on our own research of publicly available containers, and observed data from hundreds of POCs and customers of every size across industry verticals, we found an average of 70% of identified vulnerabilities are sitting in your backlog, never load to memory and are not exploitable. In an example that hits close to home, we used Validate on ourselves and were able to weed out 88% of vulnerabilities.
Cost and time savings are all built upon the data we observed above and combined with industry average times for patching and industry average hourly costs for the resources you need to patch application and infrastructure. If you’re in a high cost of living area, these numbers are likely on the low end of your potential cost savings range. Time to remediation infrastructure and application vulnerabilities is based on Rezilion Research. Remediation time is calculated based on total vulnerabilities to account for batching remediation of unique vulnerabilities over many systems and applications. To take a deeper dive into ROI calculations and all of the factors to consider, read the Vulnerability Validation ROI Whitepaper.
Rezilion’s goal for all of our products is to eliminate unnecessary work and remove bottlenecks to innovation. Validate does this by focusing your resources on the vulnerabilities that actually pose a risk in your environment. There’s a clear return on investment in time and money that your team can redirect towards reducing risk and delighting your customers, as an added benefit. If you’d like to learn more about how Validate can help your organization, click here to book a demo.