One of the most compelling arguments for a software vendor looking for customers is that by automating or streamlining a business process, the customer can save significant amounts of money. One of the most frustrating parts of working for a security software vendor is that for a pure security product, this argument is often not available. Rather than eliminating or streamlining a process, security products often add work, and only in the interest of avoiding a negative event that no one can prove would have happened had the security solution not been in place. In short, defensible ROI metrics in security are usually not available.
However, when there’s an existing requirement, like compliance, that forces an organization to do something and your solution can streamline that process, this frustration goes away. Such is the case with database auditing.
Two of the most common objections I’ve seen in the database auditing space are:
1. “We’re covered with native auditing and a few scripts…and it’s all free.”
2. “We don’t do any database auditing.”
Starting in reverse, nearly every compliance regulation focused on data or privacy requires database auditing, and nearly every enterprise-class organization in the world is subject to several of these regulations. As such, (2) is almost never true, and if the customer takes the time to investigate, they find out that they are doing auditing via a combination of manual processes and the built-in auditing tools of their database platform, which brings us back to (1).
As it happens, (1) is a very costly way of doing database auditing for compliance, even when the software is free. The cost falls into three buckets: the time needed to manage and process the scripts and data to connect all the dots, the amount of storage needed (built-in auditing implementations tend to record more data than needed), and the additional database software and hardware itself (built-in auditing tools are notoriously inefficient, processing-wise).
For most organizations the cost of understanding the issue and implementing an automated solution, or to be a bit pedantic, the opportunity cost, can be a barrier to even investigating the issue. Since this is the bread and butter of Imperva’s database security products, we’ve spent some time analyzing the average return on investment for automating database auditing, and it’s nearly 80%. For enterprises this is usually 80% of an 8-figure number (i.e. $10s of millions), which usually easily justifies the opportunity cost. But every organization is different in one way or another, so we’ve built a quick online calculator to give you an estimate of what your organization could save. Check it out.
Posted by Barry Shteiman at 02:56:02 PM