Vulnerability management is a hot topic today, and with the increasing number of vulnerabilities and attacks threatening companies, it’s only going to get hotter. However, before you commit to any one solution or approach, you need to know what you’re signing up for—specifically, the total cost of ownership (TCO) compared to the potential return on investment (ROI).

Understanding the TCO of a vulnerability management product

First, let’s outline the costs you can expect when considering a vulnerability management solution:

  1. Direct costs: Expect to pay an annual license fee for the product as a baseline expense. If you need to integrate the solution deeper within your environment, you may need to pay a few additional fees to set that up as well. Last, there may be support costs that come along with the product that you should be aware of.
  2. Training and onboarding: Many solutions will offer (or require) an initial training and onboarding fee to orient you to the application itself as well as help you tailor it to your organization and show you how to get the most out of it given your goals and use cases. This can include installation and deployment costs. Be sure to ask whether there are any other ongoing training fees, either required or optional.
  3. Personnel time cost: The last main cost you’ll be looking at is the hourly cost per employee on the security and development teams to get the solution set up and to monitor or maintain it.

These three main expense categories should be factored into the TCO of the vulnerability management solution you’re evaluating, so be sure to get a clear picture for each prior to signing on the bottom line. It’s also smart to factor in risk, either due to the solution not meeting your needs or if something goes wrong.

Understanding the ROI of a vulnerability management product

Once you’re clear on the costs, you need to decide whether the investment will be worth it. For example, will the solution help your team save time on reporting, scanning, or patching? If any of these tasks can be automated or streamlined, it can cut down on man-hours and people resources, which can net big cost savings.

Many vulnerability management solutions can also cut down on manual efforts to investigate or remediate vulnerabilities, which can be a big driver of ROI. It can also help you avoid incidents altogether, keep your costs down, and keep you out of the news. Over time, you can anticipate additional benefits that your team hasn’t considered yet, such as future use cases that drive ROI.

Real-life example: TCO and ROI of InsightVM

Recently, Forrester conducted a Total Economic Impact study that looked at the actual costs and benefits of using InsightVM, Rapid7’s vulnerability management solution. Forrester interviewed five InsightVM customers who had all used competitor solutions in the past to understand their vulnerability management challenges and how InsightVM helped solve these. They then created a composite organization using the key characteristics of the organizations interviewed and constructed a financial model representative of the interviews using a risk-adjusted model.

Here are the four main benefits they discovered:

1. Decreased manual effort to investigate and remediate vulnerabilities

Forrester found that the companies in this study prior to switching to InsightVM were spending an exorbitant amount of time on investigative and remediation work once a vulnerability was detected. And, with a false positive rate over 20% higher than what they found with InsightVM, they were investing heavily in unnecessary man-hours to invest alerts (some of which were ultimately non-issues). In fact, multiple organizations reported that without InsightVM, they needed nearly twice the number of security professionals to handle this process.

Using InsightVM, false positives were reduced by 22%. Furthermore, investigation and remediation happened 33% faster with the context and action steps provided, resulting in a three-year savings of roughly $397k. In addition, the number of dedicated security team members decreased from five to three, a savings of $132k per employee.

2. Scan and report efficiency gains

Multiple companies reported that their prior vulnerability management solutions missed nodes and endpoints, as well as vulnerabilities themselves, on scheduled scans, requiring team members to conduct manual scans. Furthermore, reporting of the IT stack was tedious and time-consuming.  

After switching to InsightVM and using the Insight agent, customers interviewed ensured that every edge and angle of their environment is scanned and data and reporting are available in near-real-time. With easier report creation, customers experienced 40-50% time saved on reporting activities. Efficiency in both scanning and reporting with InsightVM led to a value gain of $250k over a three year period.  

3. Patching efficiency gains

Although patching is a relatively straightforward process, it needs to be done on a regular basis given today’s frequency of software releases. With InsightVM’s out-of-the-box integrations with patching software like SCCM and BigFix, most of the repetitive patching tasks like information collection, sysadmin requests, and validation were reduced or consolidated. InsightVM reduced manual patching efforts by 60%, which saves companies, on average $188k over three years.

4. Avoidance of potential incidents with upfront risk mitigation

Two of the companies in this study took their scanning and testing best practices a step further with InsightVM by introducing vulnerability testing during the software development lifecycle (SDLC). They found that by introducing testing earlier in the process, it reduced development work by 10% to 15%, eliminated vulnerabilities that could have posed a threat when in production, and significantly reduced the number of employees needed to handle incidents. This netted an overall savings of over $2 million in a three-year period.

If you are interested in seeing how InsightVM can help you achieve similar results, sign up for a free trial or demo today.

The Total Economic Impact™ Of Rapid7 InsightVM, a November 2019 commissioned study conducted by Forrester Consulting on behalf of Rapid7.