Forrester Consulting
TABLE OF CONTENTS
Executive Summary
Improvement In Vendor Management And Productivity Savings
Factors Affecting Benefits And Costs
Disclosures
TEI Framework And Methodology
Analysis
Interview Highlights
Costs
Benefits
Flexibility
Risk
Financial Summary
Symantec Protection Suite Enterprise Edition: Overview
Appendix A: Composite Organization Description
Appendix B: Total Economic Impact Overview
Appendix C: Glossary
Appendix D: Endnotes
© 2011, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.
About Forrester Consulting
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.
Executive Summary
In May 2011, Symantec commissioned Forrester Consulting to examine the total economic impact and potential return on investment (ROI) enterprises may realize by deploying Symantec Protection Suite Enterprise Edition. The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of the Symantec Protection Suite Enterprise Edition on their organizations. The organizations interviewed noted that through the use of Symantec Protection Suite Enterprise Edition, they have reduced vendor management costs, improved end user and IT administrative productivity, and enhanced reallocation of IT human resources. In addition, by using Symantec Workflow, they have eliminated repeatable tasks that led to additional IT administrative productivity improvement. The risk-adjusted ROI for our composite company with 750 users (see Interview Highlights section for detailed description of customers) is 152%, with a breakeven point (payback period) after deployment of 15.5 months (see Figure 1).
control threats and manage incidents. However, the lack of integration across these systems required significant day-to-day management to address actual incident response.
After implementation, these organizations identified a number of factors that led to IT and end user savings:
- Improvement in the number of malicious spam emails reaching the corporate network and decline in infections caused by users opening infected files or messages.
- Reduction in infected client devices, including decrease in the initial infections and decline in the spread of an infection to other endpoints.
- Decrease in network traffic spikes and decline in number of infections resulting from users accessing external malware sites.
The integration offers protection that extends beyond using Web, messaging, and endpoint separately. During the in-depth interviews, Forrester used a number of metrics to quantify the financial impact of using Symantec Protection Suite Enterprise Edition. For the analysis, the following metrics were considered:
- The difference in staff allocation to vendor management activities before and after consolidation.
- Improvement in end user downtime.
- Improvements in IT support efficiency and overall cost of protection.
In addition to the quantified benefits noted above, several organizations noted improvement and leverage in contract negotiations and support escalation as a major factor that played a key role in their investment decision. Depending on industry and extent of a breach, the potential cost of these incidents can easily escalate to millions of dollars. Based on in-depth interviews with four Symantec customers and subsequent financial analysis, we created a composite organization to model the financial impact of this implementation. We estimated the license and support costs for an organization with 750 users (see Interview Highlights section for detailed description of customers). Please note that total benefits and costs are presented as present value (PV) and discounted by 10% (see Framework Assumptions). The net present value (NPV) calculates the difference in cost and benefits. See Appendix A for a description of the composite organization. Numbers are rounded throughout the study. Risk-adjusted ROI, costs, and benefits are illustrated in Table 1.
ROI: 152%
NPV: $262,203
Benefits. The composite organization experienced the following benefits that represent those experienced by the interviewed companies:
- Vendor management cost savings. This benefit represents the reduction in management costs associated with running multiple vendors' security products.
- IT productivity cost savings. This benefit represents reduction in help desk administrators' efforts when restoring infected users' machines.
- Reduced downtime for end users. This benefit represents improvement in end user productivity when the number of infections is controlled across Web, messaging, and endpoint.
- Cost avoidance resulting from reallocation of resources. This benefit represents the savings associated with reallocation of headcount.
- IT productivity gain resulting from Symantec Workflow. This benefit represents the IT productivity gained when using Symantec Workflow solution.
- Software license fees. This cost represents the investment in Symantec licenses and related annual support fees.
- Internal implementation costs. This category represents IT resources allocated to discovery, testing, and implementation.
- Training costs. This category represents training costs at initial implementation and Year 2.
- Hardware costs. This category represents hardware necessary for implementation.
[Figure: chart of Costs and Benefits; the Initial value shown is ($163,926).]
been another factor resulting from better integration and communication among various IT groups managing endpoint, Web, and messaging.
Using Symantec Workflow capabilities can help the organization eliminate repeatable tasks, which leads to administrative productivity.
Disclosures
The reader should be aware of the following:
- The study is commissioned by Symantec and delivered by the Forrester Consulting group.
- Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers should use their own estimates within the framework provided in the report to determine the appropriateness of an investment in Symantec Protection Suite Enterprise Edition.
- Symantec reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester's findings or obscure the meaning of the study.
- The customer names for the interviews were provided by Symantec.
Protection Suite Enterprise Edition and the marketplace for application security.
Interviewed four organizations currently using Symantec Protection Suite Enterprise Edition to obtain data with
populated with the cost and benefit data obtained from the interviews as applied to the composite organization.
Forrester employed four fundamental elements of TEI in modeling Symantec Protection Suite Enterprise Edition's service:
1. Costs.
2. Benefits to the entire organization.
3. Flexibility.
4. Risk.
Given the increasing sophistication that enterprises have regarding ROI analyses related to IT investments, Forrester's TEI methodology serves the purpose of providing a complete picture of the total economic impact of purchase decisions. Please see Appendix B for additional information on the TEI methodology.
Analysis
Interview Highlights
A series of in-depth interviews were conducted for this study, involving IT security managers, an IT director, and a CIO from the following companies:
1. A regional healthcare provider with 400 private beds in six locations. The organization has about 3,000 end users.
2. A financial institution in business and commercial lending. The bank has about 600 employees and more than $600 million in revenue.
3. A municipality with a population of 19,000 residents. The organization has about 2,000 users.
4. A technology solutions provider to midsize organizations.
ensure that there is an equal level of protection across the endpoint, messaging, and Web layer. As users increase their access to information across multiple entry points and are more often working remotely, these organizations find it essential to stop infections and potential threats early before they reach a client machine and expose the enterprise network to potential breach.
Customers interviewed have been using Symantec for many years. Some mentioned that they initiated the vendor consolidation evaluation program to replace Symantec with a less expensive alternative. However, halfway into the evaluation, they decided to standardize on Symantec. One IT director mentioned that "Symantec is more expensive, but it is quite a bit better-quality in comparison to the alternative security solution that we were evaluating. It is also user-friendlier." As another example, a CIO said that their CEO was very forceful initially in encouraging IT to implement another alternative. They hosted an extensive test environment and agreed to deploy the alternative; in less than three months, they decided to discard the entire effort and repurchase Symantec. According to the customer interviewed, the organization had many infections, resulting in downtime and enormous amounts of time spent addressing incidents.
The final point in their decision process was the ability to more quickly identify the threat and rectify it. Most organizations interviewed said that having the leverage of greater contract value has resulted in faster response from the Symantec support team.
In regard to vendor management, all organizations interviewed agreed that they have saved 20% to 40% of their effort associated with managing multiple security vendors. As a result, these organizations have better leverage when negotiating their contracts with Symantec. Those interviewed agreed that their prior environments with multiple vendor solutions with less integration made those solutions less transparent, but now they receive timely updates and support with their issues. The time they spend on communication and coordination across IT teams has significantly decreased because the systems are better aligned.
Regardless of their industry or size of their organization, interviewees believed that the growth and complexity of today's security threats are stretching IT resources and budgets. Another universal theme was the ability to manage the rapid expansion of threats and sophistication of security management without the need to grow IT staff resources. Organizations interviewed were aiming for new ways to increase the level of protection while maintaining IT costs. The representative organizations agreed that the ability to allocate IT resources to strategic initiatives by reducing the need to physically monitor security incidents was essential when they were evaluating security providers.
Composite Organization
Based on a series of interviews with the four existing Symantec customers, Forrester constructed a TEI framework, a composite company, and an associated ROI analysis that illustrates the areas financially affected. The composite organization that Forrester created represents an organization with 750 end users. The organization had limited IT resources, with only 17 IT professionals on staff, and it was managing multiple security service providers [4]. The IT team was spending lots of effort communicating between Web, messaging, and endpoint security providers to ensure that the systems were secure and resources were being effectively used. Prior to consolidation, the ongoing management for messaging, Web, and endpoints consumed a total of 15% of the man-hours of each of the three employees that were managing Web, messaging, and endpoint systems. This consolidation offered better integration across its Web, messaging, and endpoint security; reduced ongoing management efforts for tracking and monitoring security incidents; and provided greater leverage in contract negotiations. The customers interviewed were in highly regulated industries. IT resource allocation also played a role in selecting the best security option that allowed the organization to free up its staff so that they could focus on strategic initiatives.
Framework Assumptions
Table 3 provides the model assumptions that Forrester used in this analysis.
Ref.   Calculation                      Value
A11                                     $43
A12                                     $100,000
A13                                     $48
A14                                     $62,000
A15                                     $30
A16    ([A6+A7+A8+A9+A10*2]/6)A3        $45
A17    ([A7+A10*2]/3)A3                 $37
The discount rate used in the PV and NPV calculations is 10%, and the time horizon used for the financial modeling is three years. Organizations typically use discount rates between 8% and 16% based on their current environment. Readers are urged to consult with their respective company's finance department to determine the most appropriate discount rate to use within their own organizations.
Costs
The costs related to planning, testing, and implementing Symantec Protection Suite Enterprise Edition for the composite organization over a three-year period are based on aggregated findings from the customers interviewed for this TEI study. All costs are based on list prices and do not include any negotiated discounts. The following cost model can serve as a framework for readers.
Implementation Costs
The implementation costs include the internal resources required to plan, negotiate, test, and deploy the solution. This category represents 21% of the overall investment. The roles involved in this phase include security operation, IT management, desktop engineers, and the security infrastructure and architecture team. We estimated that these individuals contributed 80 hours each to the discovery and analysis phase, at an average fully loaded hourly rate of $45 [5]. Our interviewed customers said that they had spent, on average, several weeks on planning and testing before deployment to ensure that the business owners and IT were in full agreement. During the deployment phase, security operation and desktop engineers contributed 20 hours per week for six weeks to deploy the solution across the organization. This preparation resulted in successful implementations for the companies that we interviewed; they met their service-level agreements and provided better availability to their internal and external users. Table 5 provides the calculations for this section.
Training Costs
Training is the next component of cost and represents approximately 11% of the overall investment for the composite organization. Customers interviewed attended Symantec training sessions twice during the three-year investment period. Table 6 presents the calculation.
Hardware Costs
Another category of cost is the investment in hardware, which represents 19% of the overall investment. Some of the organizations interviewed had to purchase additional hardware, as their security vendor consolidation coincided with their hardware refresh and upgrade cycle. These organizations were able to attribute some of their hardware investment to this consolidation. For the composite organization, we attribute the investment of four servers at a cost of $8,000 per server to this investment. This investment could vary depending on the organization's infrastructure and virtualization strategy. The organizations interviewed did not cite any challenges with virtualization of their messaging and Web gateways. Table 7 presents this calculation based on implementing four physical servers.
Total Costs
Table 8 summarizes costs associated with the implementation of Symantec Protection Suite Enterprise Edition. Figure 3 illustrates the breakdown of costs.
[Table 8: cost summary with columns Year 1, Year 2, Year 3; surviving values: ($10,000), ($20,000), ($32,000), ($10,000), ($170,920).]
[Figure 3: breakdown of costs. Hardware costs 19%; training fees 11%.]
Benefits
The benefits for which we had sufficient data to quantify financially are operational savings and productivity gains. There are five quantifiable benefits that represented a three-year risk-adjusted PV of $434,476. These benefits include vendor management cost savings, IT productivity gains, reduced downtime for end users, and cost avoidance from reallocation of resources. We also quantified a benefit based on the feedback from interviewees who deployed the Symantec Workflow solution. While there are many ways for organizations to automate their processes using Symantec Workflow, we have created the TEI framework to offer some guidance to quantify this benefit.
IT Productivity Gains
The interviewed customers estimated that when an organization proactively maintains its security infrastructure and ensures that the clients and servers have the patches necessary, the organization can see between 70% and 80% reduction in the number of security incidents annually. This means 70% to 80% of all malware can get stopped at the gateway and never reaches inside the corporate network. This improvement results in:
- Reduction in the direct costs of protection because IT staff don't need to reactively seek a solution.
- A decline in the number of infected machines resulting from a security incident.
- A decrease in the number of calls to the tier one support team resulting from a security infection.
The combination of these activities reduced total IT man-hours spent per machine by 80%. In the prior environment, these organizations were forced to escalate troubleshooting to tier one support. Therefore, these expensive resources were spending hours or maybe days trying to rectify security issues. Interviewees agreed that, compared with their prior environment, Symantec offered better protection as a single component and as a suite. These benefits are captured by tracking the customers' environment before and after migration to Symantec. After implementation of Symantec, these organizations identified a number of factors that led to IT and end user savings:
Improvement in the number of malicious spam incidents reaching the corporate network and decline in
Reduction in infected client devices, including decrease in the initial infections and decline in the spread of an
malware sites.
We estimate that prior to the investment 125 users at the composite organization were infected per year and that it took the organization approximately 8 hours to clean and rebuild each client. After deployment of Symantec, the number of security incidents decreased by 75%. At an hourly fully loaded rate of $30, we estimate the total annual savings to be $16,875 for Year 1 and $22,500 for Years 2 and 3. Table 10 illustrates the calculation. This section represents 11% of the overall gain. The fully loaded hourly rate for IT support for various support tiers may be greater than $30. The increase in the hourly rate of support personnel can increase the benefit and the calculated ROI. Readers should adapt this framework for their organization.
Ref.   Value
G1     125
G2     75%
G3
G4
G5
Gt
According to the interviewed organization, IT often does not have the ability to store spare parts and machines to support users when their systems are being repaired and restored. Therefore, users often remain idle. For the composite organization, we estimate that the number of users infected prior to investment was 125. We estimate that after deployment of Symantec the number of security incidents decreased by 75%. These incidents required 8 hours to rectify at a fully loaded hourly rate of an end user of $48. We calculate the savings of $27,000 in Year 1 and $36,000 in Years 2 and 3. This benefit represents 18% of the overall investment. The organizations interviewed believed that the sophistication of attacks varies for various organizations. For example, a healthcare provider would see a significant number of attacks in search of resalable black-market data such as patient lists and credit card information. Therefore, these productivity benefits for IT and end users are a small but measurable part of the overall savings. Readers should measure the expected risk of loss for their organization.
Ref.   Value
H2     75%
H3
H4
H5
Ht
headcount and have been able to efficiently manage their security environment with existing resources. The ability to proactively monitor security activities allowed these organizations to effectively allocate staff and free up IT security personnel. As a result, these organizations were able to deploy their experienced staff to strategic and innovative initiatives. For the composite organization, we estimated that the average annual fully loaded salary is $62,000 for staff. To remain conservative, we assume that 75% of time is captured in Year 1 and 100% in Year 2 and Year 3. Table 12 illustrates this calculation. This benefit represents 39% of the overall benefit.
Total Benefits
Table 14 summarizes the total quantified benefits of standardizing on Symantec Protection Suite Enterprise Edition.
[Figure: breakdown of benefits. IT productivity gain 11%.]
Flexibility
Flexibility, as defined by TEI, represents an investment in additional capacity or capability that could be turned into business benefit for some future additional investment. This provides an organization with the right or the ability to engage in future initiatives but not the obligation to do so. There are multiple scenarios in which a customer might choose to implement various components of Symantec Protection Suite Enterprise Edition that are not currently being used and later realize additional IT and business benefits. Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix B). For this study, organizations interviewed were using the majority of the components of Symantec Protection Suite Enterprise Edition. However, for organizations that are looking to investigate the value of flexibility, we have created Table 15 to illustrate the metrics used to measure flexibility as described by Forrester. For example, if a customer decides to implement some components of Symantec Protection Suite Enterprise Edition that are not currently being used to drive additional benefits, we can estimate the incremental value driven from the new investment if the following metrics are available: the asset value by measuring the benefits (i.e., costs avoided or saved, revenue generated, and/or capital saved), the costs to acquire the solution, and the number of years to measure the investment. We can estimate the flexibility option by using the Black-Scholes option pricing model.
Calculation
- IT or business costs avoided, revenue generated, capital saved
- Planning and discovery, subscription, and annual maintenance are examples of costs to consider.
- Time to expire, in years
- Black-Scholes option pricing model [8]
Risk
Forrester defines two types of risk associated with this analysis: implementation risk and impact risk. Implementation risk is the risk that a proposed investment in Protection Suite Enterprise Edition may deviate from the original or expected requirements, resulting in higher costs than anticipated. Impact risk refers to the risk that the business or technology needs of the organization may not be met by the investment in Protection Suite Enterprise Edition, resulting in lower overall total benefits. The greater the uncertainty, the wider the potential range of outcomes for cost and benefit estimates. Quantitatively capturing investment and impact risk by directly adjusting the financial estimates results in more meaningful and accurate estimates and a more accurate projection of the ROI. In general, risks affect costs by raising the original estimates, and they affect benefits by reducing the original estimates. The risk-adjusted numbers should be taken as realistic expectations, as they represent the expected values considering risk. The following implementation risks that affect costs are identified as part of this analysis:
- Depending on the environment, the implementation may vary for the composite organization. Some organizations may require additional testing time depending on their infrastructure and the magnitude of the rollout.
- Relying on a single vendor to supply different IT security solutions would make the organization more susceptible to vendor impact. If the vendor fails to maintain the best-of-breed position in any of its technology products, the company will have less flexibility to move to another vendor.
The following impact risks that affect benefits are identified as part of the analysis:
- Vendor management cost savings may vary due to the number of products being consolidated.
- Overall IT costs savings may vary from the companies that participated in interviews.
Table 16 shows the values used to adjust for risk and uncertainty in the cost and benefit estimates. The TEI model uses a triangular distribution method to calculate risk-adjusted values. To construct the distribution, it is necessary to first estimate the low, most likely, and high values that could occur within the current environment. The risk-adjusted value is the mean of the distribution of those points. Readers are urged to apply their own risk ranges based on their own degree of confidence in the cost and benefit estimates.
Costs
Low     Most likely   High    Mean
98%     100%          105%    101%
100%    100%          115%    105%
98%     100%          105%    101%
98%     100%          105%    101%

Benefits
Low     Most likely   High    Mean
80%     100%          103%    94%
90%     100%          105%    98%
90%     100%          105%    98%
80%     100%          103%    94%
90%     100%          105%    98%
Financial Summary
The financial results calculated in the Costs and Benefits sections can be used to determine the ROI, NPV, and payback period for the organization's investment in Symantec Protection Suite Enterprise Edition. For the organizations interviewed, several factors have affected the ROI:
- Consolidating into a single vendor environment has improved integration and ongoing management tasks.
- Proactively receiving and accordingly updating security patches has decreased the number of system security incidents. This results from better integration and communication among various IT groups managing endpoint, Web, and messaging.
- Symantec Workflow capabilities can allow organizations to eliminate repeatable tasks, resulting in IT
Table 18 below shows the risk-adjusted ROI, NPV, and payback period values. These values are determined by applying the risk-adjustment values from Table 16 in the Risk section to the cost and benefits numbers in Tables 8 and 14.
http://www.symantec.com/content/en/us/enterprise/fact_sheets/bsymc_protection_suite_ent_edition_DS_20024156-3.en-us.pdf
Create a better integration across its Web, email, and endpoint with centralized security intelligence backed by
Benefits
Benefits represent the value delivered to the user organization IT and/or business units by the proposed product or project. Often product or project justification exercises focus just on IT cost and cost reduction, leaving little room to analyze the effect of the technology on the entire organization. The TEI methodology and the resulting financial model place equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization. Calculation of benefit estimates involves a clear dialogue with the user organization to understand the specific value that is created. In addition, Forrester also requires that there be a clear line of accountability established between the measurement and justification of benefit estimates after the project has been completed. This ensures that benefit estimates tie back directly to the bottom line.
Costs
Costs represent the investment necessary to capture the value, or benefits, of the proposed project. IT or the business units may incur costs in the form of fully burdened labor, subcontractors, or materials. Costs consider all the investments and expenses necessary to deliver the proposed value. In addition, the cost category within TEI captures any incremental costs over the existing environment for ongoing costs associated with the solution. All costs must be tied to the benefits that are created.
Risk
Risk measures the uncertainty of benefit and cost estimates contained within the investment. Uncertainty is measured in two ways: 1) the likelihood that the cost and benefit estimates will meet the original projections, and 2) the likelihood that the estimates will be measured and tracked over time. TEI applies a probability density function known as triangular distribution to the values entered. At minimum, three values are calculated to estimate the underlying range around each cost and benefit.
Flexibility
Within the TEI methodology, direct benefits represent one part of the investment value. While direct benefits can typically be the primary way to justify a project, Forrester believes that organizations should be able to measure the strategic value of an investment. Flexibility represents the value that can be obtained for some future additional investment building on top of the initial investment already made. For instance, an investment in an enterprisewide upgrade of an office productivity suite can potentially increase standardization (to increase efficiency) and reduce licensing costs. However, an embedded collaboration feature may translate to greater worker productivity if activated. The collaboration can only be used with additional investment in training at some future point in time. However, having the ability to capture that benefit has a present value that can be estimated. The flexibility component of TEI captures that value.
Appendix C: Glossary
Discount rate: The interest rate used in cash flow analysis to take into account the time value of money. Although the Federal Reserve Bank sets a discount rate, companies often set a discount rate based on their business and investment environment. Forrester assumes a yearly discount rate of 10% for this analysis. Organizations typically use discount rates between 8% and 16% based on their current environment. Readers are urged to consult their respective organization to determine the most appropriate discount rate to use in their own environment.
Net present value (NPV): The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made, unless other projects have higher NPVs.
Present value (PV): The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feeds into the total net present value of cash flows.
Payback period: The breakeven point for an investment. The point in time at which net benefits (benefits minus costs) equal initial investment or cost.
Return on investment (ROI): A measure of a project's expected return in percentage terms. ROI is calculated by dividing net benefits (benefits minus costs) by costs.
Appendix D: Endnotes
Forrester risk-adjusts the summary financial metrics to take into account the potential uncertainty of the cost and benefit estimates. For more information on risk, please see page 14.
This table illustrates the risk-adjusted running totals for costs and benefits to provide a visual view of the breakeven period.
The intent in the analysis is to understand in detail how organizations justified the investment and measured value after implementation. Our experience has shown that targeting four customers to do in-depth quantitative interviews allows us to understand the drivers behind a given investment and the impact these investments have on the organization. These interviews give us a chance to understand where there are common drivers, costs, and benefits across the customers interviewed and to provide a compelling story of the impact of the investment. One key distinction around the Forrester TEI process is the use of in-depth interviews versus broader survey-based data collection. Our intent with the interviews is to gain a deep understanding of where customers are receiving value, which a broader survey could not provide. We are not looking for a statistically relevant data sample to construct the ROI but rather a way of understanding how organizations make the case for the investment and the types of metrics and values they use to make that case.
The customers interviewed had an IT-to-end-user ratio of 42 to 1 to 50 to 1. The 17 IT professionals cited for the composite organization include total IT staff, including management and administrative, and are not limited to IT security staff.
This is an average hourly rate for six different users based on the following roles: email operation, IT management, desktop engineers, and security infrastructure and architecture. The interviewed organizations estimated the following range of fully loaded salaries: $140,000 for IT management, $105,000 for security architecture, $90,000 for email operation plus $100,000 for security operation, and $62,000 for desktop engineers. They are estimated fully loaded salaries and may vary across geographies and sectors.
In figure 3, software license fees represent 49.65%, implementation costs 20.64%, training fees 10.80%, and hardware costs 18.91%. In double-digit format, they add up to 100%. When the decimal points are rounded, because they are greater than .50, the results change to 50%, 21%, 11%, and 19%, respectively. These numbers present a sum of 101%.
An IT administrator used to spend 15% of his or her time, or 6 hours (40 hours per week times 15%), per week on ongoing management. After consolidation, the time of two of three administrators can be reallocated to other security initiatives, meaning it reduces time by 6 hours per person on a weekly basis. For two people, this translates to 12 hours or a 30% reduction (12 hours/40 hours per week).
For additional information regarding option valuation using Black-Scholes, consider Real Options: Managing Strategic Investment in an Uncertain World (http://www.real-options.com/index.htm). Another source of information is the June 8, 2004, Valuing IT Flexibility Forrester report.