As a data security company, we talk to a lot of people concerned with keeping their systems and information safe. Compliance regulations are often the driving force behind our conversations, and the people we talk with fall into two camps: proactive or reactive. The proactive group realizes that data breaches are not a matter of if, but when, and on average cost an organization over $7 million. The reactive segment is often facing a failed security audit or has experienced worse: a data breach because the proper controls were not in place.
Not very often do we have a conversation about the immediate return on investment (ROI) of deploying a security solution. Patrick Botz of Botz and Associates tells us that not only has he been having plenty of these conversations, he is helping companies save thousands of dollars a year with his SSO stat! service.
If you are a security professional, his name may sound familiar. Prior to starting his own consulting company, he was the Lead Security Architect at IBM and founder of the IBM Lab Services security consulting team.
By enabling single sign-on (SSO) with the technology that an organization already has, Patrick Botz helps businesses see a return on their investment of his services typically within 2-6 months. Recently he authored a white paper titled “A Guide to Practical Single Sign-On – The Case for Managed SSO” that takes a real-world look at single sign-on technology and offers a straightforward, sensible approach to SSO.
Botz asserts that SSO is not really a technology problem; managing passwords is truly a business problem. As he writes in his white paper, “The REAL purpose of SSO is to significantly reduce the high cost of managing passwords across the organization.” The ROI can be best illustrated by a story he likes to tell from when he was at IBM:
“At one point, I started tracking the time I spent changing passwords and “recovering” from those changes. I was very surprised to learn that instead of the 10-15 minutes I thought I was spending, it really was taking, on average, closer to 35-40 minutes! And I was just one of about 300,000 employees! Assuming 30 minutes on average across all employees, four times a year — that equates to 600,000 hours of time! If the average hourly rate per employee is only $20, that’s $1.2 million dollars! And that’s just for end users!”
While the primary goal of SSO is to reduce the costs associated with managing multiple passwords, it also reduces the risk of a lost or stolen password due to employee negligence. How often do we hear about confidential information “protected” with:
- Easily guessed passwords
- Written lists of passwords located under keyboards, desk drawers, etc.
- Lists of passwords stored in files on workstations or network drives
- Shared user IDs/passwords
So once an organization decides that they need an SSO solution, what should they consider before deploying one? In the white paper, Botz discusses the pros and cons of the four technical approaches to SSO, but concludes that two technologies will ultimately do the lion’s share of work (60-80%) for most companies. For these organizations, eliminating passwords with Kerberos and EIM ends up being the best starting point.
Typically, the extra cost involved in achieving 100% “Single Sign-On Nirvana” is simply not justified by the estimated savings. Further, as Botz states in his white paper, “It turns out that most businesses get the best ROI by using technology that they already own to eliminate the high cost of managing passwords – over their entire multi-platform network.” By not needing to invest in any additional technology, an organization is not responsible for any additional software licenses or maintenance fees.
After talking with Patrick Botz and reading his white paper, I am looking forward to using his SSO stat! service at Townsend Security! For more information on Single Sign-On and how it can save your organization time and resources while increasing security, download his white paper “A Guide to Practical Single Sign-On – The Case for Managed SSO.”