Account for Risk in your ROI for Web Application Firewalls

By Renny Shen Earlier this week, we published a new white paper titled, “Weighing Risk Against the Total Cost of a Data Breach,” on Akamai.com. Ordinarily, a white paper wouldn’t be a particularly interesting subject for a blog post, but this one explores a topic that has generated a lot of questions from our customers – how do I financially justify a Web application firewall solution to my management?
We normally get this question from technology people who know that they need a solution to protect their Web applications against bad things like SQL injections, cross-site scripting, or remote file inclusions, but don’t know how to tie that protection to the business goals that their upper management cares about. This question is particularly vexing because a Web application firewall doesn’t follow the same ROI model that our customers are used to using when evaluating a technology solution. A Web application firewall doesn’t increase revenue, productivity, or customer engagement. Nor does it reduce CAPEX or OPEX in a regular, predictable manner.

What a Web application firewall does do is reduce risk. It reduces the risk of a harmful event occurring – in this case, of a data breach that can present a financial cost several orders of magnitude greater than of the solution itself. The white paper dives into all of the different sources that can contribute to that cost and offers a simple (and industry-accepted) formula to estimate it up front.

Does it provide an exact calculation of those costs? No – we’ve found that this is different for every customer and varies between industries, size of organization and region or geography. For example, in the US (and in Europe), the costs are particularly high, while in Asia the costs are more contained but seem to be rising.

Does implementing a solution guarantee that a data breach will never occur? Again, no – Bill Brenner recently made a great post that, while tongue-in-cheek, tried to explain that no security solution is ever 100 percent effective. In addition, we’ve seen that attackers utilize a variety of methods to get past IT defenses, including social engineering tactics like spear phishing, malware installed at the point of sale, as well as exploiting vulnerabilities of Web applications. However, Verizon’s 2014 Data Breach Investigations Report showed that more data breaches went through the Web application in 2013 (35 percent) than any other category, making it the largest risk to organizations and the area that we recommend our customers address first.

What the white paper does is present a method through which you can estimate the financial cost of a business-threatening event against your organization, allowing you to then weigh that against the cost of a solution and the risk that such an event will occur. This can be a great resource to help justify the purchase of a Web application firewall that can help you better protect your data. Because at the end of the day, a Web application firewall is all about reducing the risk and possible financial impact of a data breach, and having a better understanding of the financial impact and a sound method to estimate it upfront can only lead to a more informed decision.

: Account for Risk in your ROI for Web Application Firewalls

    

0