AnchorPoint Security » Blog Archive » ROSI: Easy to Say, Hard to Quantify

ROSI: Easy to Say, Hard to Quantify

  • Curious about ROSI?
  • Debating between outsourced network security and an SIEM program?
  • Trying to do everything yourself?

AnchorPoint Security is here to help.

ROSI stands for “Return on Security Investment”

ROSI has two variables: “total loss reduction” and “solution cost”. Per Infosecurity magazine[1], ROSI can be calculated in a similar fashion as ROI (Return on Investment):

1) Start with the total loss reduction — the monetary amount that your security investment has saved you.

2) Subtract the solution cost from the total loss reduction.

3) Divide this number by the solution cost.

Voila! You have your answer.

Or do you?

The big difference between ROSI and ROI is that a healthy ROI is evidenced by a large number, whereas a strong ROSI results in a low number. The reason for this is that security’s primary concern is minimizing losses, not maximizing profits. ROSI is all about what you’ve avoided, not what you’ve gained[2].

According to [3] (short for the European Network and Information Security Agency), the “monetary value of risk can be estimated by a quantitative risk assessment”. This assessment is made by computing a “single loss expectancy” (SLE), and then the “annual rate of occurrence” (ARO) at which the SLE occurs. Once you have these numbers, you can compute your “annual loss expectancy” (ALE).


“Enough with the acronyms,” you say. “I know exactly how much my security solution costs. I’m still paying for it. Just tell me how I calculate the other half of the ROSI equation – “total loss reduction”.”

Great question. And tricky too. The simple answer is that your “total loss reduction” is your “pre-security solution ALE” minus your “post-security solution ALE”.

But here’s the rub: the latter number is difficult to quantify, for many reasons. And so by most accounts, the number that companies end up using is the result of client surveys and educated guesses. There’s rarely any solid math or data behind it due to numerous and often unquantifiable variables. Not surprisingly, post-security solution ALE (and by extension, ROSI) can be easily manipulated in order to influence a business decision.


In the face of so much uncertainty, globally-renowned security expert Bruce Schneier [4]suggests a “happy medium” (our quotes) approach that we agree with: go ahead and accept an ROSI analysis from a trusted security vendor, but plug in your own numbers/estimates based on your experiences/research and move forward from there. Don’t take anyone’s word as gospel, since the gospel’s tune can change depending on who you talk to.

Say no to a traditional SIEM. Say yes to outsourcing your network security.

Do you know how much your existing network security measures are costing your company? If you’re like most businesses, the answer is no. Nothing personal – that’s just the way it is, and much of it has to do with the difficulty companies have with establishing ROSI. In fact, most companies running a security information and event management (SIEM[5]) program lack a sound understanding of what they’re spending money on and whether their investment is making a difference.


While there may be other scenarios available, most companies choose between a self-managed traditional SIEM network security solution and an outsourced network security solution. Which one is better? Let’s see.

Here’s a summary of the main cost centers inherent to a traditional SIEM program:

  • Initial licensing costs
  • Implementation/optimization costs
  • Ongoing management costs
  • Renewal costs
  • Integration of data sources from disparate security technologies (What, you thought you were getting all of your technology from just one provider? Think again!)
  • Personnel training (includes recruitment fees, two full-time employees, and specialized training)
  • Program expansion

Cloud load balancing ebook

Bear in mind that these are just the main cost centers. Each of these contains myriad smaller tasks which have a separate associated cost. We didn’t detail these because our fingers are sore enough already. The bottom line is that SIEM solutions are expensive and multi-layered to the point of being cumbersome. And it’s no stretch to say that today’s SIEM solutions are so cumbersome and so pricey that they’re unaffordable for most small and mid-market businesses. You can find evidence of this on page 3 of our white paper, Total Cost Comparison for Medium-Sized Businesses and Enterprise Organizations[6], which provides a 1, 3, and 5-year cost projection for an SIEM investment. The numbers aren’t pretty. After a “Year 1” investment of around $550K, companies can expect their total SIEM investment to grow astronomically, reaching $1.5M+ by Year 5.


If you’re one of the dwindling number of small to midsize businesses (SMBs) able to afford an SIEM, chances are you lack the time, resources, and expertise to effectively manage your SIEM. Why? Because most SMBs are too busy managing day-to-day tasks and charting a course for product/service growth.

Here are some eye-opening stats: 50% of all security attacks target businesses with less than 2,500 employees[7]. In other words, SMBs. Only 26% of SMBs have in-house expertise for designing a strong IT security posture[8], and only 44% of SMBs have an adequate budget for funding said strong posture[9]. With these numbers in mind, it’ apparent that SIEM is an unrealistic, unsuccessful path for most SMBs to pursue.

And if you still need convincing, consider this quote from the New York Times: “There is growing recognition (in the network security industry) that there is no silver bullet. Firewalls and antivirus software alone cannot keep hackers out…”[10] To be clear, SIEM won’t you’re your organization hack-proof, either. But Anchor Point Security are experts at decreasing the dwell-time of unauthorized users. Someone might get in, but we’ll find them.

You sound like you know your way around a security program. But what about operating costs? How do yours stack up against a traditional SIEM?

AnchorPoint’s Integrated Threat Response (ITR) yields a more accurate, more measurable ROSI than any traditional SIEM or in-house security operation could ever hope to. Odds are it’s the best solution for your company. Sure, that statement has a lot of swagger to it. But frankly speaking, most IT teams employed by SMBs don’t possess the knowledge we do. We understand the most important network threats, we know how to respond to and defeat these threats, and we understand how to see through and eliminate the many false-positives. We also understand how to deliver measurable operating costs.


Here’s a scenario:

Anna is the CISO of a local credit union. She really likes our offer but she’s not sure if it’s worth the expense. In order to find out, she needs to conduct a cost-benefit-analysis. To get cost, she needs to understand the Total Cost of Ownership (TCO) associated with choosing AnchorPoint Security. In order to get the TCO, one of the biggest things she needs to know are her current labor costs. For Anna, labor cost equates to how much time her Security Analysts spend resolving security tickets. The repetitive task of resolving security tickets can be summed up in one “single unit cost” which is defined as the amount of time a Security Analyst spends resolving one security ticket, multiplied by that employee’s loaded pay rate. When calculating total cost, it’s important not to blow off the loaded piece, since things like benefits, support, and training can more than 50% of an employee’s base salary. All of this helps Anna understand the labor piece of the TCO so she can compare her current costs to our solution’s cost and make an informed decision on whether to work with us.

TCO is often overlooked or underestimated when companies consider a new security implementation. Bear in mind that in addition to labor costs, TCO also includes all of the line-items discussed above on pages 2 and 3. AnchorPoint Security not only helps you understand these costs, we also demonstrate why our security solution is superior in terms of both investment and expertise.


Another key differentiator is visibility. Here’s what IDC[11], one of the world’s foremost market intelligence firms, has to say on the subject: “Many organizations, despite having implemented some of the more standard countermeasures (i.e., firewalls, antivirus, IDS) still do not have visibility across their environment to understand what is happening at any given time.”

You might not have that visibility, but we do. AnchorPoint’s ITR platform is a single platform for simplified and accelerated threat detection, incident response, and policy compliance. Our seasoned team writes correlation rules and directives that are displayed and executed through our uniquely-engineered ITR interface. We leverage a world-class repository of crowd-sourced threat data that provides a continuous view of real-time threats that may have penetrated an SMB’s defenses.


Here’s a snapshot of what our ITR platform delivers (emphasis on what we deliver — not what it costs):


  • SIEM Event Correlation
  • Incident Response


  • Active Network Scanning
  • Passive Network Scanning
  • Asset Inventory
  • Host-based Software Inventory


  • Log Collection
  • Netflow Analysis
  • Service Availability Monitoring


  • Continuous Vulnerability Monitoring
  • Authenticated / Unauthenticated Active Scanning


  • Network IDS
  • Host IDS
  • File Integrity Monitoring

Each bullet represents an integrated, essential security control.

Clearly, we can cover a lot of ground.

Of course, your next question is, “What’s the cost?”

Glad you asked. Remember that long list of SIEM expenses on page two? AnchorPoint pares that meaty menu down to something much more palatable.

We size your network environment and quote a fixed price for one, three, or five years. Payment can be made monthly, quarterly, or annually. Whichever payment route you choose, our services are a predictable expense. You’ll always know what your cost will be.


With AnchorPoint Security, your security solution investment will be significantly lower after five years than with a traditional SIEM. $150K for year one, depending on your network size. A total investment of only $650K by year five. Partner with AnchorPoint Security, a proven network security leader with the clientele and success stories to back up its bravado, and you’ll save almost $1M over the average SIEM solution.

Trust us with your outsourced network security needs and you’ll satisfy your most challenging requirements in a few days. Not weeks or months. Our security tools help achieve swift PCI DSS compliance and improve your network’s security, all with a significant time and cost-savings over a traditional SIEM.


AnchorPoint’s Integrated Threat Response platform is unified, simple, and affordable. It’s a groundbreaking security approach for SMBs. We deliver complete security visibility and world-class global threat intelligence at a budget-friendly price that’s a fraction of the average SIEM’s cost.

So how about it. Ready to enhance your network security?

Contact us today for a free demo!

Cloud load balancing ebook







[6] AnchorPoint white paper

[7] Symantec Internet Security Report 2013

[8] Ponemon, “The Risk of an Uncertain Security Strategy”

[9] Ponemon, “The Risk of an Uncertain Security Strategy”

[10] New York Times, 12.4.14


Topics: Managed Security

Subscribe to Email


Lee Stauss

President & CEO, AnchorPoint Security