Building a PAM business case: cost-justifying privileged access management projects
Most IT or security projects require a formal approval process, and that often includes a written business case. An IT business case document can vary from a simple one-page write-up to a full-blown justification paper with detailed cost and return-on-investment calculations. Many organizations have standard business case templates, but a business case generally includes the following types of information:
- Statement of the problem or opportunity: detail the issue or opportunity
- Analysis of impact: explain the impact of solving the problem, in terms of both internal and external ramifications
- Options and possible solutions: describe how you explored the market and/or solutions for this issue with the pros and cons of each option
- Recommended solution: explain what you are recommending and why, including hard costs, soft costs, the total cost of ownership, return-on-investment calculations, and how this aligns with corporate or IT department strategy
- Project proposal: illustrate how you will implement the solution, including timing, technology needs, staff needs, risks, and whether they can be mitigated
Determining ROI and TCO
One of the most challenging parts of building a business case is calculating return on investment and the total cost of ownership, especially for IT software projects. The simplest formula for return on investment is:
(Savings + income) / costs
It’s an easy formula, but the daunting part is determining how you calculate the savings, income, and costs. There are a number of considerations when making these calculations:
- Effect on revenue
- Effect on costs
- Effect on productivity (IT and corporate-wide)
- Effect on product or service delivery (faster time to market or new competitive advantage)
- Risk of non-compliance (internal and external)
- Risk of breach or hack (internal and external)
- Value of IT maturity
There are a variety of templates and tools to help you calculate ROI. We like this option – a short scroll on that page will take you to the downloadable template. Some formulas build in a break-even or payback time period that’s corporate-mandated, usually in years.
Another important item for a business case is the total cost of ownership. For TCO, you should consider not only software and support costs, but also the cost of infrastructure, professional services, supporting technology, and internal operations to support the project.
ROI for Privileged Access Management (PAM) projects
From Delinea’s perspective, we want to ensure our customers who are planning to implement a PAM solution see significant ROI from their purchase. Delinea’s PAM solutions are easy to implement and use. This contributes to operational efficiency across your organization, reduces IT risk, and accelerates time to value.
Here are the key points you can use to quantify the impact of adopting a Delinea solution:
- Reducing the risk (and cost) of a security breach
According to the 2019 Cost of a Data Breach Study: Global Overview report from IBM Security and Ponemon Institute, the global average cost of a data breach is $3.92 million, up from $3.86 million in 2018. A key finding is that the average total cost of a data breach is 95 percent higher in organizations without security automation deployed. Security automation refers to enabling security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches.
PAM is a key part of security automation, and Gartner estimates that, through 2021, organizations with PAM will have a 50% lower risk of being impacted by advanced threats. Other breach-related costs include termination of business partnerships, bad publicity for your organization, lawsuits from entities whose data was compromised, and loss of trust and revenue from your customers.
- Process automation to reduce labor costs
Base this calculation on the time your IT admins spend on tasks that the new PAM solution will automate, valued at the cost of FTEs (full-time equivalents). Labor costs can range from help desk calls about privileged accounts, to discovering, managing, and rotating passwords, to providing detailed reports and audit information to internal and external audiences.
- Avoiding non-compliance fines and costs
Depending on the industry and compliance regulation, fines can vary greatly. You should understand each regulation and the associated fines you can expect for non-compliance, as well as how your PAM solution mitigates risk related to non-compliance.
Writing a business case for an IT project, including a PAM solution, can be a rewarding project where you uncover significant benefits to your organization beyond the obvious monetary gains or savings.