Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Building a PAM business case: cost-justifying privileged access management projects

mm

Written by Erin Duncan

August 13th, 2019

Most IT or security projects require a formal approval process, and that often includes a written business case. An IT business case document can vary from a simple one-page write-up to a full-blown justification paper with detailed cost and return-on-investment calculations. Many organizations have standard business case templates, but here’s what type of information a business case generally includes:

  • Statement of the problem or opportunity: detail the issue or opportunity
  • Analysis of impact: explain the impact of solving the problem, in terms of both internal and external ramifications
  • Options and possible solutions: describe how you explored the market and/or solutions for this issue with pros and cons of each option
  • Recommended solution: explain what you are recommending and why, including hard costs, soft costs, total cost of ownership, return-on-investment calculations, and how this aligns to corporate or IT department strategy
  • Project proposal: illustrate how you will implement the solution, including timing, technology needs, staff needs, risks and whether they can be mitigated

Determining ROI and TCO

One of the most challenging parts of building a business case is calculating return on investment and total cost of ownership, especially for IT software projects. The simplest formula for return on investment is:

(Savings + income) / costs

It’s an easy formula but the daunting part is determining how you calculate the savings, income and costs. There are a number of considerations when making these calculations:

  • Effect on revenue
  • Effect on costs
  • Effect on productivity (IT and corporate-wide)
  • Effect on product or service delivery (faster time to market or new competitive advantage)
  • Risk of non-compliance (internal and external)
  • Risk of breach or hack (internal and external)
  • Value of IT maturity

There are a variety of templates and tools to help you calculate ROI. We like this option – a short scroll on the page will take you to the downloadable template. Some formulas build in a break-even or payback time period that’s corporate mandated, usually in years.

Another important item for a business case is total cost of ownership. For TCO, you should consider not only software and support costs, but also the cost of infrastructure, professional services, supporting technology, and internal operations to support the project. Read more about this in Thycotic’s TCO document.

ROI for privileged access management (PAM) projects

From Thycotic’s perspective, we want to ensure our customers who are planning to implement a PAM solution see significant ROI from their purchase. Thycotic’s PAM solutions are easy to implement and use. This contributes to operational efficiency across your organization, reduces IT risk and accelerates time to value.

Here are the key points you can use to quantify the impact of adopting a Thycotic solution:  

  • Reducing the risk (and cost) of a security breach
    • According to the 2019 Cost of a Data Breach Study: Global Overview from IBM Security and Ponemon Institute report, the global average cost of a data breach is $3.92 million, up from $3.86 million in 2018. A key finding is that the average total cost of a data breach is 95 percent higher in organizations without security automation deployed; security automation refers to enabling security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches. A key part of security automation is PAM, and Gartner estimates, through 2021, organizations with PAM will have a 50% lower risk of being impacted by advanced threats. Other related costs are: termination of business partnerships, bad publicity for your organization, lawsuits from entities whose data was compromised, and loss of trust and revenue from your customers.
  • Process automation to reduce labor costs
    • This calculation can be based on the time that your IT admins spend on tasks that will be automated by the new PAM solution and calculated based on the cost of FTEs (full-time equivalents). Labor costs can be anything from calls to the help desk for help with privileged accounts, to discovering, managing and rotating passwords, to providing detailed reports and audit information to internal and external audiences.
  • Avoiding non-compliance fines and costs
    • Depending on the industry and compliance regulation, fines can vary greatly. You should understand each regulation and the associated fines you can expect for non-compliance, as well as how your PAM solution mitigates risk related to non-compliance.

Writing a business case for an IT project, including a PAM solution, can be a rewarding project where you uncover significant benefit to your organization beyond the obvious monetary gains or savings.

FREE IT Tools

IT Admins: Our collection of free IT tools makes your life easy and your organization safer!

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS


The following two tabs change content below.
mm

Erin Duncan

Erin has almost 20 years of creative and product marketing experience with over 10 years focused on software across a variety of verticals. As Product Marketing Manager at Thycotic, she focuses on marketing strategy, messaging and positioning, and marketing content creation.