Data Loss Prevention, Endpoint Security, Endpoint
Business Value Analysis Study™
Data Loss Prevention, Endpoint Security, Endpoint Management, and IT Service Management

Underwritten by
Research and Analysis Conducted by

Contents

Executive Summary
  Overview
  Barriers
  The Solution
  Benefits
About 24 Hour Fitness
Business Drivers
  Provide Great Customer Experience
  Minimize Operating Costs
  Consolidate Vendor Base
  Reduce Complexity
  Secure the Corporate Infrastructure
  Protect Sensitive Customer Information
  Chart 1. Average Estimated Cost of Data Breach per Customer Record
  Comply with Regulations
Technology Challenges
  Protect Sensitive Data in Motion
  Centralize and Standardize IT Operations
  Identify and Track IT Assets
  Deploy State-of-the-Art Security
  Streamline Deployment of Software
  Enforce Email Retention Policy
IT Transformation
  Action Plan and Decision Process
  Implementation Approach and Timetable
  Deploy Data Loss Prevention Software
  Automate Tracking of Assets
  Automate Software Deployment
  Upgrade Endpoint Security
  Deploy Email Archiving Software
  24 Hour Fitness Network Architecture
  IT Evolution of 24 Hour Fitness
Business Value Analysis
  Asset Reporting Labor Productivity Gains and Cost Avoidance
  Chart 2. IT Labor Productivity Gains and License Cost Avoidance Due to Asset Reporting
  Software Package Deployment Labor Productivity Gains
  Chart 3. IT and Employee Labor Productivity Gains Due to Software Package Deployment
  Software Image Deployment Labor Productivity Gains
  Chart 4. IT Labor Productivity Gains Due to Software Image Deployment
  PCI Compliance Labor Productivity Gains and Cost Avoidance
  Chart 5. Fine Avoidance Cost Savings and IT Labor Productivity Gains Due to DLP Events
Conclusion
Notes

© 2010 The Alchemy Solutions Group. All Rights Reserved
Greg Malacane, Director, Research & Publishing

Executive Summary

Overview

24 Hour Fitness is an industry pioneer widely credited with introducing key innovations to the health club market. The clubs were the first to stay open 24 hours a day and to spearhead the concept of month-to-month gym memberships. The original club in the chain opened in 1983 in San Leandro, California. The firm grew steadily and, in 1996, Family Fitness and 24 Hour Nautilus merged to form 24 Hour Fitness. In 2005, the now global company was sold to New York-based private equity firm Forstmann Little & Co. for $1.6 billion. Carl C. Liebert III joined the company as chief executive officer in October 2006. 24 Hour Fitness is headquartered in San Ramon, California, with its primary data center located in Carlsbad, California.

Barriers

The information technology (IT) staff at 24 Hour Fitness faced a number of technology challenges. First and foremost, the customer experience at the club level depended on the responsiveness and availability of the IT infrastructure. The company had to protect against disclosure of sensitive credit card and personal information that could subject the company to regulatory fines and brand damage. 24 Hour Fitness lacked a comprehensive and cost-effective method of tracking and deploying IT assets, including software licenses.

The Solution

In response to these technology challenges, 24 Hour Fitness moved aggressively to transform its IT infrastructure.
To make this happen, the IT team deployed a number of Symantec software products, including Altiris Client Management Suite to identify and track assets and speed the deployment of software programs and images; Altiris Asset Management Suite to monitor software licensing and avoid unnecessary purchases; Symantec Endpoint Protection to secure the corporate infrastructure from malware and other attacks; and Symantec Data Loss Prevention to protect against accidental or malicious release of sensitive customer information.

Benefits

A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy Solutions Group found that Symantec software has produced tangible business value for 24 Hour Fitness. Actual and projected savings totaling $5.4 million from March 2008 through December 2010 were found in the following areas:

• Asset Reporting Labor Productivity Gains and Cost Avoidance: $88,474 in labor productivity gains and cost savings by avoiding unnecessary software license purchases
• Software Package Deployment Labor Productivity Gains: $2,173,919 in labor productivity gains due to increased efficiency of deploying software packages
• Software Image Deployment Labor Productivity Gains: $775,859 in labor productivity gains due to increased efficiency of deploying images to fitness club terminals
• Payment Card Industry (PCI) Compliance Labor Productivity Gains and Cost Avoidance: $2,613,464 in IT staff productivity gains and cost savings by avoiding PCI fines

About 24 Hour Fitness

Fitness is big business in the United States, and no one is bigger than 24 Hour Fitness. In just over a quarter-century of operation, the company boasts more than three million members—the largest membership of any fitness club chain.
24 Hour Fitness operates more than 425 clubs in 16 states, and is expanding into Asia with 25 clubs under the California Fitness brand.

“What is the 24 Hour Fitness value proposition? We offer great value at a lower price in the industry for the amenities that we provide. We care about families—on-site child care is available at most of our clubs. And 24 Hour Fitness is convenient—there’s probably a club close to your work or home.”
Tim Segneri, Vice President, Operations and Technology Management, 24 Hour Fitness

Fact File: 24 Hour Fitness
Founded – 1983 in San Leandro, California
Headquarters – San Ramon, California
Ownership – Privately owned by Forstmann Little & Co
Industry – Fitness and health
Market – North America
Full-time Employees – 20,000
Website – www.24HourFitness.com

As noted above, 24 Hour Fitness led the industry by letting members work out at any time, day or night, and avoid having to sign long-term contracts. In 2008, 24 Hour Fitness expanded into New York City by partnering with Yankees’ all-star Derek Jeter to open clubs in Manhattan. Jeter joins a list of superstar athletes and celebrities, including Lance Armstrong, Shaquille O’Neal, Andre Agassi, Magic Johnson, Jackie Chan, and Yao Ming who are helping to open co-branded 24 Hour Fitness clubs around the world. 24 Hour Fitness also partnered with NBC’s popular reality TV show, “The Biggest Loser,” for the last five seasons.

Bill Donohue, 24 Hour Fitness’s chief information officer (CIO), joined the company in February 1999 as director of operations. A 20-year veteran of the U.S. Marine Corps, he oversees a 120-person IT staff that is responsible for application development, business systems engineering, data center operations, network operations, security, and service desks.

One of Donohue’s main lieutenants is Tim Segneri. Also a Marine Corps vet, he came to 24 Hour Fitness in 2001 from Computer Sciences Corporation.
Segneri rose through the ranks to his current position as vice president of operations and technology management. He has direct operational responsibility for the 24 Hour Fitness IT operations and is a key decision maker for new purchases.

Business Drivers

24 Hour Fitness has staked out a position as a top operator of fitness clubs and aims to build on that success. This involves aligning every functional group in the corporate structure—IT included—to a series of overriding objectives.

Provide Great Customer Experience

In the fitness market, success begins with the customer experience—starting from when a customer walks in the door. For prospective members, the club staff must provide timely and accurate pricing and service information, and enroll new members efficiently and quickly. For current members, the check-in process must be fast and easy, billing must be accurate and transparent, and the process for service changes must be smooth. All of these operations ultimately depend on the availability and responsiveness of the organization’s IT infrastructure.

Minimize Operating Costs

To succeed in a highly competitive marketplace, 24 Hour Fitness must tightly manage its cost structure. As such, IT must limit its spending to 2 percent of corporate revenues. The IT organization beats this target by keeping permanent IT staff levels lean and using targeted outsourcing engagements for specific, well-defined tasks. Minimizing training costs and managing vendor relationships are additional vital elements in ensuring that the IT staff is contributing to a healthy competitive profile and bottom-line results.

Consolidate Vendor Base

Having too many vendors can negatively impact both cost and operational complexity in areas such as purchasing, training, and interoperability.
24 Hour Fitness has chosen to build strong working relationships with strategic vendors, including IBM for servers; NetApp for storage; and Symantec for security, compliance, and endpoint management. While this approach reduces expenses and complications, it does raise the possibility of “price creep” for key infrastructure components. The challenge for 24 Hour Fitness is to enter into agreements with top-tier vendors that contain costs and do not require constant procurement cycles, which can add to overhead.

“We continue to drive costs down by the strategic way that we use our vendors. We work very closely with a small set of vendors who do a big chunk of work for us every year. They’ve become part and parcel of the whole operation.”
Tim Segneri, Vice President, Operations and Technology Management, 24 Hour Fitness

Reduce Complexity

Providing IT services to more than 425 clubs and 20,000 employees across the United States is a daunting task for the 24 Hour Fitness IT team, which must strive to keep the infrastructure as simple and as consistent as possible. Every major change to the IT system must be evaluated for the impact it will have on the company’s operations. The 24 Hour Fitness IT team is obsessed with finding ways to standardize and consolidate operations to drive additional time and cost savings.

“Our stored data is not only a valuable asset to our business, but also a potentially ripe target for someone who wanted to do us harm or to profit from the theft of that data. So data protection is absolutely job one.”
Tim Segneri, Vice President, Operations and Technology Management, 24 Hour Fitness

Secure the Corporate Infrastructure

With more than 4,000 personal computers in its architecture, 24 Hour Fitness must be dedicated to endpoint security. The risks of a malware outbreak that could disrupt club operations or of a targeted hacker attack aimed at shutting down the entire data center are ever present.
With its geographically dispersed operations—all connected to headquarters—there is no room for error: a breach at any location could affect the entire company.

Protect Sensitive Customer Information

The 24 Hour Fitness brand is widely recognized, admired, and trusted—and constitutes a valuable corporate asset. That asset could suffer significant damage if sensitive customer information is leaked and publicized. All of 24 Hour Fitness’s three million members depend on the firm to secure contact information, credit card numbers, bank accounts, and other personal information. Protecting the company’s data is a top priority for the IT staff. (Chart 1 shows the average cost per customer record if a data breach occurs.[1])

Chart 1. Average Estimated Cost of Data Breach per Customer Record

Comply with Regulations

Much of 24 Hour Fitness’s revenue is realized through credit card transactions, subjecting it to the Payment Card Industry Data Security Standard, commonly known as PCI. Noncompliance with PCI exposes the company to fines or even the loss of the ability to process credit card payments, an unthinkable risk for 24 Hour Fitness. And if you work with a personal trainer at 24 Hour Fitness, your weight and body measurements are in the database, which means the company is also subject to the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

As a privately held company, 24 Hour Fitness is not compelled to meet Sarbanes–Oxley (SOX) Act standards, which is an expensive and time-consuming requirement for publicly held companies. However, the corporation’s board of directors has charged the IT group to work toward SOX compliance, considering it a best practice for corporate governance.

Technology Challenges

The 24 Hour Fitness IT team assessed the key technology challenges facing them in light of the business imperatives of the corporation.
These involved protecting sensitive information, streamlining a number of IT operations, managing compliance, and facilitating every employee’s ability to offer superior customer service.

Protect Sensitive Data in Motion

With a centralized architecture, 24 Hour Fitness has a good understanding of where its most sensitive data—for example, credit card information—is stored. However, when that data is in motion, protecting it becomes much more difficult. For example, even well-meaning employees can jeopardize security by inadvertently sending sensitive information by email. Some organizations resort to end-to-end encryption to guarantee full protection, but that can be an expensive fix as well as a performance inhibitor. To defend against loss of customer information and ensure PCI compliance, 24 Hour Fitness needed a solution that would alert the security team whenever sensitive information was included in an outgoing email. The team could then take preventive action as well as educate the offending employees to avert further lapses in protecting the company’s vital information.

Centralize and Standardize IT Operations

Placing a premium on cost control and complexity reduction, 24 Hour Fitness decided more than 12 years ago to implement a data center-centric architecture. Individual clubs are outfitted with dumb terminals and all applications are accessed through a Web browser. Applications, data, and computing resources are located in the corporate data center in Carlsbad, California. Furthermore, 24 Hour Fitness maintains a highly professional help desk operation, including its own repair capabilities and parts warehouse. IT personnel are located in Carlsbad and at corporate headquarters in San Ramon, California.

Centralization is not without challenges of its own. The network becomes critical to the company’s operations, requiring careful bandwidth management.
With no IT staff at club locations, all local software upgrades and patches must be performed remotely, a potential bandwidth and management nightmare. Even though the company’s data is stored centrally and securely in Carlsbad, the data itself is still in motion throughout the corporate network, creating possible security risks.

Identify and Track IT Assets

Maintaining an accurate and complete inventory of corporate IT assets, from terminals to software licenses, is central to effective cost containment. To address the hardware side, 24 Hour Fitness performed a yearly physical inventory. This annual exercise was expensive and lacked the level of accuracy required by corporate management. 24 Hour Fitness needed a better, more automated method of tracking hardware assets.

Because the individual clubs access applications through a Web browser, the number of software licenses in the field is relatively small. Staff in corporate headquarters and regional offices—what 24 Hour Fitness calls “above-club” personnel—is another story. These 2,500 employees use desktop and laptop computers, and those computers require individual licenses for applications such as Adobe Acrobat, Microsoft Office, and Microsoft Visio. The corporate IT team suspected that they were overbuying licenses—purchasing new ones only because existing unused licenses were impossible to locate and deploy. The 24 Hour Fitness IT team estimated losing thousands of dollars annually and was determined to eliminate this unnecessary cost.

Deploy State-of-the-Art Security

At the club level, 24 Hour Fitness is looking to biometrics as a way to streamline the member check-in process, reduce the cost of printing cards, and prevent fraudulent membership sharing. The company is running a pilot program using the member’s fingerprint as a unique identifier. The early response has been overwhelmingly positive.
Most club employees access IT services using a locked-down dumb terminal, effectively limiting the security risks. However, club managers and employees at regional offices and company headquarters have general-purpose personal computers that could be points of entry for malware—Trojans, viruses, worms, and spyware. Securing these endpoints became a high priority for 24 Hour Fitness to ensure compliance and protect valuable data.

“Using Altiris Client Management Suite has allowed us to reinvent the architecture of our retail locations. We can react quicker to our customers and stretch our limited IT resources to manage a larger number of endpoints.”
Scott Clement, Manager of Systems Engineering, 24 Hour Fitness

Streamline Deployment of Software

To maintain a high level of productivity, 24 Hour Fitness periodically updates the software on the 2,500 laptops and desktops used by above-club personnel. But installing new or updated software components on so many machines in multiple locations is an IT headache. For example, manually rolling out the new version of Microsoft Word to 2,500 PCs would be a major project, consuming thousands of hours of IT staff time. 24 Hour Fitness needed to automate this task both to save IT costs and to increase end-user productivity.

Enforce Email Retention Policy

Most of 24 Hour Fitness’s 20,000 employees do not have email accounts. However, the company still maintains 4,000 accounts for club managers and department heads as well as for staff at regional and central headquarters. As a general policy, 24 Hour Fitness has adopted a strict 90-day retention limit for email messages. However, regulatory compliance and legal actions require that some emails be retained essentially indefinitely. The 24 Hour Fitness legal staff identified a core number of around 130 executives whose emails need to be archived.
The corporate IT team must ensure that this requirement is carried out in a way that is secure and reliable to protect the company from regulatory fines and adverse judgments in lawsuits.

IT Transformation

Action Plan and Decision Process

In 2007, 24 Hour Fitness already was using Symantec AntiVirus and Symantec NetBackup. As part of its vendor consolidation initiative, 24 Hour Fitness discussed with Symantec ways to solidify their relationship and work more strategically. In early 2008, 24 Hour Fitness entered into a Symantec Licensing Program called Symantec Enterprise Options. This program provides preferential, predictable pricing; license tracking; and renewal management for major Symantec software, including the following components:

• Altiris Client Management Suite
• Altiris Asset Management Suite
• Symantec Endpoint Protection
• Symantec Data Loss Prevention
• Symantec Enterprise Vault
• Other Symantec data protection and storage management software

Symantec Enterprise Options also provided 24 Hour Fitness with access to a menu of needed services, such as Symantec consulting, education, and essential support capabilities.

Implementation Approach and Timetable

With the Symantec Enterprise Options agreement in place, 24 Hour Fitness launched a series of upgrades to address the key technology challenges described earlier by implementing solutions using Symantec software products.

Deploy Data Loss Prevention Software

In March 2008, 24 Hour Fitness moved to get control of its data in motion by deploying Symantec Data Loss Prevention. The product’s Network Monitor inspects outbound network communications for confidential data and accurately identifies data security policy violations. Symantec Data Loss Prevention creates a series of reports that identify incidents by department and information type; for example, check routing numbers, credit card numbers, and membership pricing plans. These detailed reports enable the 24 Hour Fitness security staff to qualify and quantify the risk of data loss and take remedial action before the corporation sustains significant damage. In addition, the security team became aware of several more internal groups that were accepting credit cards, offering further opportunities for internal education and behavior change.

“By implementing Symantec Data Loss Prevention, we’ve found immediate benefits in identifying users who need training about our security policies. In just over a year, we’ve significantly reduced violations.”
Justin Kwong, Director of Operations and Security, 24 Hour Fitness

Automate Tracking of Assets

Having an accurate inventory is critical for effective asset management. To replace its annual physical inventory counts—a labor-intensive and error-prone process—24 Hour Fitness deployed Altiris Client Management Suite in June 2008. It has enabled the company to better track its computing hardware assets such as dumb terminals, laptops, and desktops—some 8,000 in all. The Altiris software is integrated with BMC Remedy, giving 24 Hour Fitness the ability to run reports by location, equipment type, and other parameters.

With Altiris Client Management Suite, 24 Hour Fitness can run inventory reports any time they are needed, with almost no impact on the IT staff. Reports are more accurate and detailed, giving the company’s management a more effective tool for asset management and cost control.

To maintain better control of software licensing, 24 Hour Fitness deployed Altiris Asset Management Suite at the same time. It matches 24 Hour Fitness’s usage information against purchased license counts, allowing the IT team to fully understand the company’s software needs and reduce the cost and risk associated with over- and underbuying.

“Altiris Asset Management Suite has given us better visibility of software licenses across our enterprise. It has saved us quite a bit of money by avoiding overpurchasing and helps us ensure that we have the right software, up to date, for each of our desktop and laptop systems.”
Scott Clement, Manager of Systems Engineering, 24 Hour Fitness

“Altiris Client Management Suite is a key part of our environment, used to deploy standardized images to corporate and retail locations. It’s really allowed us to save time and ensure that we have consistency across all of our laptops and desktops.”
Scott Clement, Manager of Systems Engineering, 24 Hour Fitness

“We have a long history of using Symantec for antimalware, going back to the Norton AntiVirus days. Today Symantec Endpoint Protection is deployed on 4,000 PCs in our enterprise, providing malware and spyware protection. It’s really served to increase availability for our people who rely on those machines to do their jobs.”
Justin Kwong, Director of Operations and Security, 24 Hour Fitness

Automate Software Deployment

To streamline the deployment of software, 24 Hour Fitness turned to the software distribution capability of Altiris Client Management Suite, a move that paid immediate dividends. For example, the company’s switch to biometrics requires the installation of software drivers for the biometric hardware at each of the company’s 425 clubs. Without an automated tool, this project would have been extremely expensive and time consuming, and might have even impacted the deployment schedule. The Altiris suite allowed 24 Hour Fitness to deploy biometrics quickly and efficiently, with minimal drain on scarce IT staff resources.
24 Hour Fitness is also using Altiris to deploy Symantec Endpoint Protection, and Ghost Solution Suite—now part of Altiris Client Management—to deploy images to dumb terminals across the enterprise.

Upgrade Endpoint Security

24 Hour Fitness had relied on a heterogeneous mix of antivirus software to provide a basic level of protection, but needed both stronger protection and centralized management. In September 2008, 24 Hour Fitness upgraded its endpoint security by pushing out Symantec Endpoint Protection to all PCs in the company.

The company’s security team recently saw firsthand the benefits of enhanced security protection. A number of Facebook messages to employees were infected with Trojans. The junk email filter identified them, but some employees, not wanting to miss messages from friends and family, overrode the filter. Symantec Endpoint Protection intercepted and quarantined the infected messages, preventing damage to the company’s data and infrastructure.

Deploy Email Archiving Software

By deploying Symantec Enterprise Vault, 24 Hour Fitness addressed an issue of importance to compliance: email retention. Enterprise Vault sweeps the company’s Microsoft Exchange Server database daily to identify messages that are older than the company’s 90-day limit and permanently deletes them. It also provides secure archiving for the email traffic of key executives. The advanced search capabilities of Enterprise Vault allow IT staff to quickly find and retrieve messages needed for compliance activities as well as for litigation. By pulling email off the Exchange environment, Enterprise Vault ensures that the company’s email system works well.

24 Hour Fitness Network Architecture (figure)

• Club Users: All applications used at the clubs are web-based. All desktops are from Lenovo.
• Corporate Data Center: IBM servers and NetApp storage.
• “Above Club”/Corporate Users: All desktops and laptops are Lenovo.
• Symantec Enterprise Vault provides secure archiving for the email traffic of key executives and electronic discovery requests.
• Symantec Endpoint Protection intercepts and quarantines infected email messages, preventing damage to the company’s data and infrastructure.
• Altiris Client Management Suite and Asset Management Suite help 24 Hour Fitness track, maintain, and image its computing hardware and software assets.
• Symantec Data Loss Prevention inspects outbound network communications for confidential data and accurately identifies data security policy violations.

IT Evolution of 24 Hour Fitness (timeline)

Sign Symantec Enterprise Options licensing agreement.
March 2008: Deploy Symantec Data Loss Prevention.
June 2008: Deploy Altiris Asset Management Suite.
June 2008: Deploy Altiris Client Management Suite.
June 2008: Install Ghost Solution Suite (now part of Altiris Client Management Suite).
September 2008

Business Value Analysis

Symantec software and professional services have paid off for 24 Hour Fitness. A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy Solutions Group quantified business value in the following areas:

• Asset reporting labor productivity gains and software license cost avoidance
• Software package deployment labor productivity gains
• Software image deployment labor productivity gains
• PCI event labor productivity gains and PCI fine cost avoidance

Throughout this section, The Alchemy Solutions Group used a full-time equivalent (FTE) IT salary of $69,570,[2] average non-IT employee salary of $50,000,[3] 240 annual working days,[4] and a 3.1 percent[5] year-to-year salary adjustment for TOEI labor-related calculations.
Asset Reporting Labor Productivity Gains and Cost Avoidance

In the past, the IT team performed manual inventories of the physical assets such as desktops, laptops, and terminals, at all 425 sites, four times per year. Each inventory tied up five IT staffers for an entire 40-hour work week. The Altiris Client Management Suite eliminates the need for physical inventories by providing real-time, on-demand inventory reports, reducing IT staff time by 98 percent. The realized gains in IT labor productivity amounted to $15,355 and $27,139 for the first two years of use (2008 and 2009, respectively). Another $27,980 in projected savings in 2010 brings the three-year gain to $70,474.

The application metering module of Altiris Asset Management Suite tracks software licenses across the enterprise. By locating and deploying existing licenses instead of buying new ones, 24 Hour Fitness avoids purchasing 30 software licenses a year, at an average cost of $220 per license, according to the company. In 2008, this cost avoidance amounted to $5,400, a figure that rose to $6,000 in 2009 and is projected to hit $6,600 in 2010. Total cost avoidance for software licenses over the three-year period is $18,000.

Maintaining an accurate inventory of clubs and corporate locations was time consuming. Since June 2008, Altiris Client Management Suite has delivered a 98% improvement in the time required to complete the inventory assessment. Additionally, accurate inventory of all software licenses required has led to average annual savings of $6,000.

Chart 2. IT Labor Productivity Gains and License Cost Avoidance Due to Asset Reporting

Software Package Deployment Labor Productivity Gains

24 Hour Fitness has about 4,000 personal computers deployed throughout clubs located in 16 states.
On average, the IT team must update PC software nine times a year, ranging from simple version upgrades to complete installations of complex packages. This task used to take 45 minutes per PC per upgrade. Altiris Client Management Suite has streamlined software distribution, reducing the upgrade time to just 15 minutes per PC per update. Thanks to this increased efficiency, 24 Hour Fitness realized $316,075 in IT labor productivity gains in 2008, followed by even greater gains of $620,712 in 2009. With a projected gain of $639,954 in 2010, the total three-year benefit in IT productivity will be $1,576,740.

Faster software deployment also reduces the time that end-user machines are unavailable to employees, adding to employee productivity. In the past, each employee would lose about 15 minutes while the software was being updated, nine times a year. With Altiris Client Management Suite, the updates are performed during off hours, completely eliminating the drain on employee productivity. The tangible gains in 2008 and 2009 were $130,114 and $229,968, respectively, with projected gains in 2010 of $237,097. The three-year employee productivity gains due to software package deployment total $597,178.

The time required to deploy software has been significantly reduced with Altiris. Deploying new or updated software packages now has little impact on end-user productivity and takes 55% less IT staff time.

Chart 3. IT and Employee Labor Productivity Gains Due to Software Package Deployment

Software Image Deployment Labor Productivity Gains

24 Hour Fitness clubs use dumb terminals that must be periodically updated with new software images. In the past, these updates were performed manually, requiring two hours for each of the company’s 2,500 terminals. With Ghost Solution Suite—now part of Altiris Client Management Suite—24 Hour Fitness has slashed that figure to just 30 minutes per terminal, dramatically reducing the cost of image deployment.
The IT productivity gains in the first two years of use—2008 and 2009—totaled $162,590 and $287,366, respectively. The projected 2010 savings of $325,902 result in a three-year total IT productivity gain of $775,859.

The IT team deploys images to the fitness club terminals two times a year. In the past, this operation took two hours per image deployment, a substantial drain on IT time. With Altiris, that figure has been reduced to 30 minutes per deployment, saving more than 8,000 hours of IT staff time annually.

Chart 4. IT Labor Productivity Gains Due to Software Image Deployment

PCI Compliance Labor Productivity Gains and Cost Avoidance

24 Hour Fitness faces the possibility of substantial PCI fines and other adverse consequences if a data breach compromises the security of the company’s customer information. Symantec Data Loss Prevention (DLP) has dramatically reduced the risk of incurring those fines.[6] Our analysis indicates that the fines avoided in 2008 and 2009 add up to $725,000 and $900,000, respectively. Assuming that 2010 savings are equal to those of 2009, the three-year cost avoidance amounts to $2,525,000.

When a potential incident is identified, it takes about two hours of IT staff time to determine if further action is needed. In the past, 10 percent of incidents—500 per month on average—required investigation, a substantial drain on IT staff productivity. With Symantec Data Loss Prevention, 24 Hour Fitness is now more efficient in choosing which potential events require investigation and follow up. On average, only 10 percent of incidents—just 50 per month—now require investigation. These efficiencies delivered gains in IT productivity equal to $30,102 and $29,484 in 2008 and 2009, respectively. The projected savings in 2010 are $28,878, leading to a three-year gain in IT productivity of $88,464.

The self-policing performed by Symantec Data Loss Prevention automates scanning, detection, response, and remediation and completely eliminates the time required to manage high-risk incidents. 24 Hour Fitness has achieved 100% PCI compliance, resulting in significant cost avoidance and IT efficiencies.

Chart 5. Fine Avoidance Cost Savings and IT Labor Productivity Gains Due to DLP Events

Conclusion

A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy Solutions Group found that Symantec software has produced tangible business value for 24 Hour Fitness. Actual and projected savings totaling $5.4 million from March 2008 through December 2010 were found in the following areas:

• Asset Reporting Labor Productivity Gains and Cost Avoidance: $88,474 in labor productivity gains and cost savings by avoiding unnecessary software license purchases
• Software Package Deployment Labor Productivity Gains: $2,173,919 in labor productivity gains due to increased efficiency of deploying software packages
• Software Image Deployment Labor Productivity Gains: $775,859 in labor productivity gains due to increased efficiency of deploying images to fitness club terminals
• Payment Card Industry (PCI) Compliance Labor Productivity Gains and Cost Avoidance: $2,613,464 in IT staff productivity gains and cost savings by avoiding PCI fines

Notes

1. The Ponemon Institute, 2009 Annual Study: Cost of a Data Breach.
2. Bureau of Labor Statistics, May 2008 National Occupational Employment and Wage Estimates, United States. http://www.bls.gov/oes/2008/may/oes_nat.htm#b15-0000, see listing for Network and Computer Systems Administrators.
3. 24 Hour Fitness management estimate.
4. Schumann, R., “Work Schedules in the National Compensation Survey,” Bureau of Labor Statistics, July 28, 2008. http://www.bls.gov/opub/cwc/cm20080722ar01p1.htm.
5. Bureau of Labor Statistics, Year-to-Year Historical Salary Comparison, October 2007. http://www.bls.gov/cpi/home.htm.
6. Sources for PCI fine amounts:
   • Visa International Operating Regulations, Volume I—General Rules, November 15, 2008, page 35
   • MasterCard Rules, June 3, 2009, Section 3–2
   • American Express Data Security Operating Policy for U.S. Merchants, April 2009.

The Alchemy Solutions Group
www.alchemygroupinc.com

The Alchemy Solutions Group is a global management consulting and marketing research firm providing program level support to senior IT, sales, marketing, and customer relationship professionals in Fortune 1000 companies. Alchemy conducts market research and analyses to help clients assess the economic impact of leading technology solutions in the global IT supply chain.

The Total Operational and Economic Impact (TOEI)™ Research Practice delivers public and private research and publishing services. This research confirms the positive or potentially negative economic impact of products and services in post-implementation environments. Alchemy’s Business Value Analysis (BVA)™ is one of the public communication mediums available for this research.

Alchemy leverages deep industry expertise and formal research best practices to help business leaders better understand their economic contributions in the business-to-business marketplace. Alchemy’s clients leverage TOEI research to provide economically driven go-to-market strategies and support integrated sales and marketing best practices.

Stanley King — President and CEO

King is responsible for establishing strategic relationships with executives who are committed to understanding the economic impact of products and services in the global IT supply chain. King’s international sales and marketing experience and ongoing research efforts provide industry executives with the candid insight required to enable effective customer life cycle management.
The repurposing of TOEI research has proven valuable to IT procurement, product development, strategic and product marketing, enterprise sales, and long-term customer support. Prior to founding The Alchemy Solutions Group, King served in the software industry for 19 years, specializing in mergers and acquisitions, executive management, and field operations.

NO WARRANTY. The information contained herein is provided AS-IS, and is subject to change without notice. The only warranties for products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Any use or reliance on the information contained herein is at the risk of the user. Neither The Alchemy Solutions Group nor Symantec shall be liable for technical or editorial errors or omissions contained herein.

Business Value Analysis, BVA, Total Operational and Economic Impact, and TOEI are trademarks of The Alchemy Solutions Group, Inc.

© 2010 The Alchemy Solutions Group. All Rights Reserved
Greg Malacane, Director, Research & Publishing [email protected]
Symantec Document 20836025