Business Value Analysis Study™
Data Loss Prevention, Endpoint Security, Endpoint Management, and IT Service Management
Contents
Executive Summary
  Overview
  Barriers
  The Solution
  Benefits
About 24 Hour Fitness
Business Drivers
  Provide Great Customer Experience
  Minimize Operating Costs
  Consolidate Vendor Base
  Reduce Complexity
  Secure the Corporate Infrastructure
  Protect Sensitive Customer Information
  Chart 1. Average Estimated Cost of Data Breach per Customer Record
  Comply with Regulations
Technology Challenges
  Protect Sensitive Data in Motion
  Centralize and Standardize IT Operations
  Identify and Track IT Assets
  Deploy State-of-the-Art Security
  Streamline Deployment of Software
  Enforce Email Retention Policy
IT Transformation
  Action Plan and Decision Process
  Implementation Approach and Timetable
    Deploy Data Loss Prevention Software
    Automate Tracking of Assets
    Automate Software Deployment
    Upgrade Endpoint Security
    Deploy Email Archiving Software
  24 Hour Fitness Network Architecture
  IT Evolution of 24 Hour Fitness
Business Value Analysis
  Asset Reporting Labor Productivity Gains and Cost Avoidance
  Chart 2. IT Labor Productivity Gains and License Cost Avoidance Due to Asset Reporting
  Software Package Deployment Labor Productivity Gains
  Chart 3. IT and Employee Labor Productivity Gains Due to Software Package Deployment
  Software Image Deployment Labor Productivity Gains
  Chart 4. IT Labor Productivity Gains Due to Software Image Deployment
  PCI Compliance Labor Productivity Gains and Cost Avoidance
  Chart 5. Fine Avoidance Cost Savings and IT Labor Productivity Gains Due to DLP Events
Conclusion
Notes
Business Value Analysis
© 2010 The Alchemy Solutions Group. All Rights Reserved
Greg Malacane, Director, Research & Publishing
Executive Summary
Overview
24 Hour Fitness is an industry pioneer widely credited with introducing key innovations to the health club
market. The clubs were the first to stay open 24 hours a day and to spearhead the concept of month-to-month gym memberships. The original club in the chain opened in 1983 in San Leandro, California. The firm
grew steadily and, in 1996, Family Fitness and 24 Hour Nautilus merged to form 24 Hour Fitness. In 2005,
the now global company was sold to New York-based private equity firm Forstmann Little & Co. for $1.6
billion. Carl C. Liebert III joined the company as chief executive officer in October 2006. 24 Hour Fitness
is headquartered in San Ramon, California, with its primary data center located in Carlsbad, California.
Barriers
The information technology (IT) staff at 24 Hour Fitness faced a number of technology challenges. First
and foremost, the customer experience at the club level depended on the responsiveness and availability
of the IT infrastructure. The company had to protect against disclosure of sensitive credit card and
personal information that could subject the company to regulatory fines and brand damage. 24 Hour
Fitness lacked a comprehensive and cost-effective method of tracking and deploying IT assets, including
software licenses.
The Solution
In response to these technology challenges, 24 Hour Fitness moved aggressively to transform its IT
infrastructure. To make this happen, the IT team deployed a number of Symantec software products,
including Altiris Client Management Suite to identify and track assets and speed the deployment of
software programs and images; Altiris Asset Management Suite to monitor software licensing and avoid
unnecessary purchases; Symantec Endpoint Protection to secure the corporate infrastructure from
malware and other attacks; and Symantec Data Loss Prevention to protect against accidental or malicious
release of sensitive customer information.
Benefits
A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy Solutions Group found
that Symantec software has produced tangible business value for 24 Hour Fitness. Actual and projected
savings totaling $5.4 million from March 2008 through December 2010 were found in the following areas:
• Asset Reporting Labor Productivity Gains and Cost Avoidance: $88,474 in labor productivity gains and cost savings by avoiding unnecessary software license purchases
• Software Package Deployment Labor Productivity Gains: $2,173,919 in labor
productivity gains due to increased efficiency of deploying software packages
• Software Image Deployment Labor Productivity Gains: $775,859 in labor productivity gains due to increased efficiency of deploying images to fitness club terminals
• Payment Card Industry (PCI) Compliance Labor Productivity Gains and
Cost Avoidance: $2,613,464 in IT staff productivity gains and cost savings by avoiding
PCI fines
About 24 Hour Fitness
Fitness is big business in the United States, and no one is bigger than 24 Hour Fitness. In just over
a quarter-century of operation, the company boasts more than three million members—the largest
membership of any fitness club chain. 24 Hour Fitness operates more than
425 clubs in 16 states, and is expanding into Asia with 25 clubs under the
California Fitness brand.
“What is the 24 Hour Fitness value
proposition? We offer great value at a lower
price in the industry for the amenities that we
provide. We care about families—on-site child
care is available at most of our clubs. And 24
Hour Fitness is convenient—there’s probably a
club close to your work or home.”
Tim Segneri
Vice President, Operations and
Technology Management
24 Hour Fitness
Fact File: 24 Hour Fitness
Founded – 1983 in San Leandro, California
Headquarters – San Ramon, California
Ownership – Privately owned by Forstmann Little & Co
Industry – Fitness and health
Market – North America
Full-time Employees – 20,000
Website – www.24HourFitness.com
As noted above, 24 Hour Fitness led the industry by letting members work
out at any time, day or night, and avoid having to sign long-term contracts. In 2008, 24 Hour Fitness expanded into New York City by partnering with
Yankees’ all-star Derek Jeter to open clubs in Manhattan. Jeter joins a list of
superstar athletes and celebrities, including Lance Armstrong, Shaquille O’Neal,
Andre Agassi, Magic Johnson, Jackie Chan, and Yao Ming who are helping to
open co-branded 24 Hour Fitness clubs around the world. 24 Hour Fitness
also partnered with NBC’s popular reality TV show, “The Biggest Loser,” for
the last five seasons.
Bill Donohue, 24 Hour Fitness’s chief information officer (CIO), joined the
company in February 1999 as director of operations. A 20-year veteran of the
U.S. Marine Corps, he oversees a 120-person IT staff that is responsible for
application development, business systems engineering, data center operations,
network operations, security, and service desks. One of Donohue’s main lieutenants is Tim Segneri. Also a Marine Corps vet,
he came to 24 Hour Fitness in 2001 from Computer Science Corporation. Segneri rose through the ranks to his current position as vice president
of operations and technology management. He has direct operational
responsibility for the 24 Hour Fitness IT operations and is a key decision
maker for new purchases.
Business Drivers
24 Hour Fitness has staked out a position as a top operator of fitness clubs and aims to build on that
success. This involves aligning every functional group in the corporate structure—IT included—to a series
of overriding objectives.
Provide Great Customer Experience
In the fitness market, success begins with the customer experience—starting from when a customer
walks in the door. For prospective members, the club staff must provide timely and accurate pricing and
service information, and enroll new members efficiently and quickly. For current members, the check-in process must be fast and easy, billing must be accurate and transparent, and the process for service
changes must be smooth. All of these operations ultimately depend on the availability and responsiveness
of the organization’s IT infrastructure.
Minimize Operating Costs
To succeed in a highly competitive marketplace, 24 Hour Fitness must tightly manage its cost structure. As
such, IT must limit its spending to 2 percent of corporate revenues. The IT organization beats this
target by keeping permanent IT staff levels lean and using targeted outsourcing engagements for specific,
well-defined tasks. Minimizing training costs and managing vendor relationships are additional vital elements
in ensuring that the IT staff is contributing to a healthy competitive profile and bottom-line results.
Consolidate Vendor Base
Having too many vendors can negatively impact both cost and operational complexity in areas such as
purchasing, training, and interoperability. 24 Hour Fitness has chosen to build strong working relationships
with strategic vendors, including IBM for servers; NetApp for storage; and Symantec for security,
compliance, and endpoint management. While this approach reduces expenses and complications, it
does raise the possibility of “price creep” for key infrastructure components. The challenge for 24 Hour Fitness is to enter into agreements with top-tier
vendors that contain costs and do not require constant procurement cycles,
which can add to overhead.
“We continue to drive costs down by the
strategic way that we use our vendors. We
work very closely with a small set of vendors
who do a big chunk of work for us every year.
They’ve become part and parcel of the whole
operation.”
Tim Segneri
Vice President, Operations and
Technology Management
24 Hour Fitness
Reduce Complexity
Providing IT services to more than 425 clubs and 20,000 employees across
the United States is a daunting task for the 24 Hour Fitness IT team, which
must strive to keep the infrastructure as simple and as consistent as possible.
Every major change to the IT system must be evaluated for the impact it will
have on the company’s operations. The 24 Hour Fitness IT team is obsessed
with finding ways to standardize and consolidate operations to drive additional
time and cost savings.
“Our stored data is not only a valuable asset to
our business, but also a potentially ripe target
for someone who wanted to do us harm or
to profit from the theft of that data. So data
protection is absolutely job one.”
Tim Segneri
Vice President, Operations and
Technology Management
24 Hour Fitness
Secure the Corporate Infrastructure
With more than 4,000 personal computers in its architecture, 24 Hour Fitness
must be dedicated to endpoint security. The risks of a malware outbreak
that could disrupt club operations or of a targeted hacker attack aimed at
shutting down the entire data center are ever present. With its geographically
dispersed operations—all connected to headquarters—there is no room for
error: a breach at any location could affect the entire company.
Protect Sensitive Customer Information
The 24 Hour Fitness brand is widely recognized, admired, and trusted—and
constitutes a valuable corporate asset. That asset could suffer significant
damage if sensitive customer information is leaked and publicized. All of 24 Hour Fitness’s three million
members depend on the firm to secure contact information, credit card numbers, bank accounts, and
other personal information. Protecting the company’s data is a top priority for the IT staff. (Chart 1
shows the average cost per customer record if a data breach occurs.¹)
Chart 1. Average Estimated Cost of Data Breach per Customer Record
Comply with Regulations
Much of 24 Hour Fitness’s revenue is realized through credit card transactions, subjecting it to the
Payment Card Industry Data Security Standard, commonly known as PCI. Noncompliance with PCI
exposes the company to fines or even the loss of the ability to process credit card payments, an
unthinkable risk for 24 Hour Fitness.
And if you work with a personal trainer at 24 Hour Fitness, your weight and body measurements are
in the database, which means the company is also subject to the provisions of the Health Insurance
Portability and Accountability Act (HIPAA).
As a privately held company, 24 Hour Fitness is not compelled to meet Sarbanes–Oxley (SOX) Act
standards, which is an expensive and time-consuming requirement for publicly held companies. However,
the corporation’s board of directors has charged the IT group to work toward SOX compliance,
considering it a best practice for corporate governance.
Technology Challenges
The 24 Hour Fitness IT team assessed the key technology challenges facing them in light of the business
imperatives of the corporation. These involved protecting sensitive information, streamlining a number of IT
operations, managing compliance, and facilitating every employee’s ability to offer superior customer service.
Protect Sensitive Data in Motion
With a centralized architecture, 24 Hour Fitness has a good understanding of where its most sensitive
data—for example, credit card information—is stored. However, when that data is in motion, protecting
it becomes much more difficult. For example, even well-meaning employees can jeopardize security by
inadvertently sending sensitive information by email.
Some organizations resort to end-to-end encryption to guarantee full protection, but that can be an
expensive fix as well as a performance inhibitor. To defend against loss of customer information and ensure
PCI compliance, 24 Hour Fitness needed a solution that would alert the security team whenever sensitive
information was included in an outgoing email. The team could then take preventive action as well as
educate the offending employees to avert further lapses in protecting the company’s vital information.
Centralize and Standardize IT Operations
Placing a premium on cost control and complexity reduction, 24 Hour Fitness decided more than 12 years
ago to implement a data center-centric architecture. Individual clubs are outfitted with dumb terminals
and all applications are accessed through a Web browser. Applications, data, and computing resources
are located in the corporate data center in Carlsbad, California. Furthermore, 24 Hour Fitness maintains
a highly professional help desk operation, including its own repair capabilities and parts warehouse. IT
personnel are located in Carlsbad and at corporate headquarters in San Ramon, California.
Centralization is not without challenges of its own. The network becomes critical to the company’s
operations, requiring careful bandwidth management. With no IT staff at club locations, all local software
upgrades and patches must be performed remotely, a potential bandwidth and management nightmare.
Even though the company’s data is stored centrally and securely in Carlsbad, the data itself is still in
motion throughout the corporate network, creating possible security risks.
Identify and Track IT Assets
Maintaining an accurate and complete inventory of corporate IT assets, from terminals to software
licenses, is central to effective cost containment. To address the hardware side, 24 Hour Fitness
performed a yearly physical inventory. This annual exercise was expensive and lacked the level of accuracy
required by corporate management. 24 Hour Fitness needed a better, more automated method of
tracking hardware assets.
Because the individual clubs access applications through a Web browser, the number of software licenses
in the field is relatively small. Staff in corporate headquarters and regional offices—what 24 Hour
Fitness calls “above-club” personnel—is another story. These 2,500 employees use desktop and laptop
computers, and those computers require individual licenses for applications such as Adobe Acrobat,
Microsoft Office, and Microsoft Visio. The corporate IT team suspected that they were overbuying
licenses—purchasing new ones only because existing unused licenses were impossible to locate and
deploy. The 24 Hour Fitness IT team estimated losing thousands of dollars annually and was determined
to eliminate this unnecessary cost.
Deploy State-of-the-Art Security
At the club level, 24 Hour Fitness is looking to biometrics as a way to streamline the member check-in
process, reduce the cost of printing cards, and prevent fraudulent membership sharing. The company is
running a pilot program using the member’s fingerprint as a unique identifier. The early response has been
overwhelmingly positive.
Most club employees access IT services using a locked-down dumb terminal, effectively limiting the
security risks. However, club managers and employees at regional offices and company headquarters have
general-purpose personal computers that could be points of entry for malware—Trojans, viruses, worms,
and spyware. Securing these endpoints became a high priority for 24 Hour
Fitness to ensure compliance and protect valuable data.
“Using Altiris Client Management Suite has
allowed us to reinvent the architecture of our
retail locations. We can react quicker to our
customers and stretch our limited IT resources
to manage a larger number of endpoints.”
Scott Clement
Manager of Systems Engineering
24 Hour Fitness
Streamline Deployment of Software
To maintain a high level of productivity, 24 Hour Fitness periodically updates
the software on the 2,500 laptops and desktops used by above-club personnel. But installing new or updated software components on so many machines in
multiple locations is an IT headache. For example, manually rolling out the new
version of Microsoft Word to 2,500 PCs would be a major project, consuming
thousands of hours of IT staff time. 24 Hour Fitness needed to automate this
task both to save IT costs and to increase end-user productivity.
Enforce Email Retention Policy
Most of 24 Hour Fitness’s 20,000 employees do not have email accounts. However, the company still
maintains 4,000 accounts for club managers and department heads as well as for staff at regional and
central headquarters. As a general policy, 24 Hour Fitness has adopted a strict 90-day retention limit for
email messages. However, regulatory compliance and legal actions require that some emails be retained essentially
indefinitely. The 24 Hour Fitness legal staff identified a core number of around 130 executives whose emails
need to be archived. The corporate IT team must ensure that this requirement is carried out in a way that is
secure and reliable to protect the company from regulatory fines and adverse judgments in lawsuits.
IT Transformation
Action Plan and Decision Process
In 2007, 24 Hour Fitness already was using Symantec AntiVirus and Symantec NetBackup. As part of its
vendor consolidation initiative, 24 Hour Fitness discussed with Symantec ways to solidify their relationship
and work more strategically. In early 2008, 24 Hour Fitness entered into a Symantec Licensing Program called Symantec Enterprise
Options. This program provides preferential, predictable pricing; license tracking; and renewal
management for major Symantec software, including the following components:
• Altiris Client Management Suite
• Altiris Asset Management Suite
• Symantec Endpoint Protection
• Symantec Data Loss Prevention
• Symantec Enterprise Vault
• Other Symantec data protection and storage management software
Symantec Enterprise Options also provided 24 Hour Fitness with access to a menu of needed services,
such as Symantec consulting, education, and essential support capabilities.
Implementation Approach and Timetable
With the Symantec Enterprise Options agreement in place, 24 Hour Fitness launched a series of upgrades
to address the key technology challenges described earlier by implementing solutions using Symantec
software products.
“By implementing Symantec Data Loss
Prevention, we’ve found immediate benefits
in identifying users who need training about
our security policies. In just over a year, we’ve
significantly reduced violations.”
Justin Kwong
Director of Operations and Security
24 Hour Fitness
Deploy Data Loss Prevention Software
In March 2008, 24 Hour Fitness moved to get control of its data in motion by
deploying Symantec Data Loss Prevention. The product’s Network Monitor
inspects outbound network communications for confidential data and
accurately identifies data security policy violations.
Symantec Data Loss Prevention creates a series of reports that identify
incidents by department and information type; for example, check routing
numbers, credit card numbers, and membership pricing plans. These detailed
reports enable the 24 Hour Fitness security staff to qualify and quantify the
risk of data loss and take remedial action before the corporation sustains
significant damage. In addition, the security team became aware of several more internal groups that were
accepting credit cards, offering further opportunities for internal education and behavior change.
Automate Tracking of Assets
Having an accurate inventory is critical for effective asset management. To replace its annual physical
inventory counts—a labor-intensive and error-prone process—24 Hour Fitness deployed Altiris Client
Management Suite in June 2008. It has enabled the company to better track its computing hardware
assets such as dumb terminals, laptops, and desktops—some 8,000 in all. The Altiris software is integrated
with BMC Remedy, giving 24 Hour Fitness the ability to run reports by location, equipment type, and
other parameters.
“Altiris Asset Management Suite has given us
better visibility of software licenses across our
enterprise. It has saved us quite a bit of money
by avoiding overpurchasing and helps us ensure
that we have the right software, up to date, for
each of our desktop and laptop systems.”
Scott Clement
Manager of Systems Engineering
24 Hour Fitness
“Altiris Client Management Suite is a key
part of our environment, used to deploy
standardized images to corporate and retail
locations. It’s really allowed us to save time
and ensure that we have consistency across all
of our laptops and desktops.”
Scott Clement
Manager of Systems Engineering
24 Hour Fitness
“We have a long history of using Symantec
for antimalware, going back to the Norton
AntiVirus days. Today Symantec Endpoint
Protection is deployed on 4,000 PCs in our
enterprise, providing malware and spyware
protection. It’s really served to increase
availability for our people who rely on those
machines to do their jobs.”
Justin Kwong
Director of Operations and Security
24 Hour Fitness
With Altiris Client Management Suite, 24 Hour Fitness can run inventory
reports any time they are needed, with almost no impact on the IT staff. Reports are more accurate and detailed, giving the company’s management a
more effective tool for asset management and cost control. To maintain better control of software licensing, 24 Hour Fitness deployed
Altiris Asset Management Suite at the same time. It matches 24 Hour Fitness’s
usage information against purchased license counts, allowing the IT team to
fully understand the company’s software needs and reduce the cost and risk
associated with over- and underbuying.
Automate Software Deployment
To streamline the deployment of software, 24 Hour Fitness turned to the
software distribution capability of Altiris Client Management Suite, a move that
paid immediate dividends. For example, the company’s switch to biometrics
requires the installation of software drivers for the biometric hardware at each
of the company’s 425 clubs. Without an automated tool, this project would
have been extremely expensive and time consuming, and might have even
impacted the deployment schedule. The Altiris suite allowed 24 Hour Fitness
to deploy biometrics quickly and efficiently, with minimal drain on scarce
IT staff resources. 24 Hour Fitness is also using Altiris to deploy Symantec
Endpoint Protection, and Ghost Solution Suite—now part of Altiris Client
Management—to deploy images to dumb terminals across the enterprise.
Upgrade Endpoint Security
24 Hour Fitness had relied on a heterogeneous mix of antivirus software to
provide a basic level of protection, but needed both stronger protection and
centralized management. In September 2008, 24 Hour Fitness upgraded its
endpoint security by pushing out Symantec Endpoint Protection to all PCs
in the company. The company’s security team recently saw firsthand the
benefits of enhanced security protection. A number of Facebook messages
to employees were infected with Trojans. The junk email filter identified
them, but some employees, not wanting to miss messages from friends and
family, overrode the filter. Symantec Endpoint Protection intercepted and
quarantined the infected messages, preventing damage to the company’s data
and infrastructure.
Deploy Email Archiving Software
By deploying Symantec Enterprise Vault, 24 Hour Fitness addressed an issue
of importance to compliance: email retention. Enterprise Vault sweeps the
company’s Microsoft Exchange Server database daily to identify messages that
are older than the company’s 90-day limit and permanently deletes them. It
also provides secure archiving for the email traffic of key executives. The
advanced search capabilities of Enterprise Vault allow IT staff to quickly find
and retrieve messages needed for compliance activities as well as for litigation. By pulling email off the Exchange environment, Enterprise Vault ensures that
the company’s email system works well.
24 Hour Fitness Network Architecture
[Diagram: network architecture, with the following labels and callouts]
Club Users: All applications used at the clubs are web-based. All desktops are from Lenovo.
Corporate Data Center: IBM servers and NetApp storage.
“Above Club”/Corporate Users: All desktops and laptops are Lenovo.
Symantec Enterprise Vault provides secure archiving for the email traffic of key executives and electronic discovery requests.
Symantec Endpoint Protection intercepts and quarantines infected email messages, preventing damage to the company’s data and infrastructure.
Altiris Client Management Suite and Asset Management Suite help 24 Hour Fitness track, maintain, and image its computing hardware and software assets.
Symantec Data Loss Prevention inspects outbound network communications for confidential data and accurately identifies data security policy violations.
IT Evolution of 24 Hour Fitness
March 2008: Deploy Symantec Data Loss Prevention.
September 2008
Sign Symantec Enterprise Options licensing agreement.
June 2008: Deploy Altiris Asset Management Suite.
June 2008: Deploy Altiris Client Management Suite.
June 2008: Install Ghost Solution Suite (now part of Altiris Client Management Suite).
Business Value Analysis
Symantec software and professional services have paid off for 24 Hour Fitness. A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy
Solutions Group quantified business value in the following areas:
• Asset reporting labor productivity gains and software license cost avoidance
• Software package deployment labor productivity gains
• Software image deployment labor productivity gains
• PCI event labor productivity gains and PCI fine cost avoidance
Throughout this section, The Alchemy Solutions Group used a full-time equivalent
(FTE) IT salary of $69,570,² average non-IT employee salary of $50,000,³ 240 annual working days,⁴ and a 3.1
percent⁵ year-to-year salary adjustment for TOEI labor-related calculations.
Asset Reporting Labor Productivity Gains and Cost Avoidance
In the past, the IT team performed manual inventories of the physical assets such as desktops, laptops, and
terminals, at all 425 sites, four times per year. Each inventory tied up five IT staffers for an entire 40-hour
work week.
The Altiris Client Management Suite eliminates the need for physical inventories by providing real-time, on-demand inventory reports, reducing IT staff time by 98 percent. The realized gains in IT labor productivity
amounted to $15,355 and $27,139 for the first two years of use (2008 and 2009, respectively). Another
$27,980 in projected savings in 2010 brings the three-year gain to $70,474. The application metering module of Altiris Asset Management Suite tracks software licenses across the
enterprise. By locating and deploying existing licenses instead of buying new ones, 24 Hour Fitness avoids
purchasing 30 software licenses a year, at an average cost of $220 per license, according to the company. In
2008, this cost avoidance amounted to $5,400, a figure that rose to $6,000 in 2009 and is projected to hit
$6,600 in 2010. Total cost avoidance for software licenses over the three-year period is $18,000.
Maintaining an accurate inventory of
clubs and corporate locations was
time consuming. Since June 2008,
Altiris Client Management Suite
has delivered a 98% improvement
in the time required to complete the
inventory assessment. Additionally,
accurate inventory of all software
licenses required has led to average
annual savings of $6,000.
Chart 2. IT Labor Productivity Gains and License Cost Avoidance Due to Asset Reporting
Software Package Deployment Labor Productivity Gains
24 Hour Fitness has about 4,000 personal computers deployed throughout clubs located in 16 states. On
average, the IT team must update PC software nine times a year, ranging from simple version upgrades to
complete installations of complex packages. This task used to take 45 minutes per PC per upgrade.
Altiris Client Management Suite has streamlined software distribution, reducing the upgrade time to just
15 minutes per PC per update. Thanks to this increased efficiency, 24 Hour Fitness realized $316,075 in
IT labor productivity gains in 2008, followed by even greater gains of $620,712 in 2009. With a projected
gain of $639,954 in 2010, the total three-year benefit in IT productivity will be $1,576,740.
Faster software deployment also reduces the time that end-user machines are unavailable to employees,
adding to employee productivity. In the past, each employee would lose about 15 minutes while the
software was being updated, nine times a year. With Altiris Client Management Suite, the updates are
performed during off hours, completely eliminating the drain on employee productivity. The tangible gains
in 2008 and 2009 were $130,114 and $229,968, respectively, with projected gains in 2010 of $237,097. The three-year employee productivity gains due to software package deployment total $597,178.
The time required to deploy
software has been significantly
reduced with Altiris. Deploying
new or updated software packages
now has little impact on end-user
productivity and takes 55% less IT
staff time.
Chart 3. IT and Employee Labor Productivity Gains Due to Software Package Deployment
Software Image Deployment Labor Productivity Gains
24 Hour Fitness clubs use dumb terminals that must be periodically updated with new software images. In the past, these updates were performed manually, requiring two hours for each of the company’s
2,500 terminals. With Ghost Solution Suite—now part of Altiris Client Management Suite—24 Hour Fitness has slashed
that figure to just 30 minutes per terminal, dramatically reducing the cost of image deployment. The IT
productivity gains in the first two years of use—2008 and 2009—totaled $162,590 and $287,366, respectively. The projected 2010 savings of $325,902 result in a three-year total IT productivity gain of $775,859.
The IT team deploys images to the fitness club terminals two times a year. In the past, this operation took two hours per image deployment, a substantial drain on IT time. With Altiris, that figure has been reduced to 30 minutes per deployment, saving more than 8,000 hours of IT staff time annually.
Chart 4. IT Labor Productivity Gains Due to Software Image Deployment
PCI Compliance Labor Productivity Gains and Cost Avoidance
24 Hour Fitness faces the possibility of substantial PCI fines and other adverse consequences if a
data breach compromises the security of the company’s customer information. Symantec Data Loss
Prevention (DLP) has dramatically reduced the risk of incurring those fines.6 Our analysis indicates that
the fines avoided in 2008 and 2009 add up to $725,000 and $900,000, respectively. Assuming that 2010
savings are equal to those of 2009, the three-year cost avoidance amounts to $2,525,000.
When a potential incident is identified, it takes about two hours of IT staff time to determine if further
action is needed. In the past, 10 percent of incidents—500 per month on average—required investigation,
a substantial drain on IT staff productivity. With Symantec Data Loss Prevention, 24 Hour Fitness is now more efficient in choosing which potential
events require investigation and follow up. On average, only 10 percent of incidents—just 50 per
month—now require investigation. These efficiencies delivered gains in IT productivity equal to $30,102
and $29,484 in 2008 and 2009, respectively. The projected savings in 2010 are $28,878, leading to a three-year gain in IT productivity of $88,464.
The self-policing performed by Symantec Data Loss Prevention automates scanning, detection, response, and remediation and completely eliminates the time required to manage high-risk incidents. 24 Hour Fitness has achieved 100% PCI compliance, resulting in significant cost avoidance and IT efficiencies.
Chart 5. Fine Avoidance Cost Savings and IT Labor Productivity Gains Due to DLP Events
Conclusion
A Total Operational and Economic Impact (TOEI)™ analysis by The Alchemy Solutions Group found
that Symantec software has produced tangible business value for 24 Hour Fitness. Actual and projected
savings totaling $5.4 million from March 2008 through December 2010 were found in the following areas:
• Asset Reporting Labor Productivity Gains and Cost Avoidance: $88,474 in labor productivity gains and cost savings by avoiding unnecessary software license purchases
• Software Package Deployment Labor Productivity Gains: $2,173,919 in labor productivity gains due to increased efficiency of deploying software packages
• Software Image Deployment Labor Productivity Gains: $775,859 in labor productivity gains due to increased efficiency of deploying images to fitness club terminals
• Payment Card Industry (PCI) Compliance Labor Productivity Gains and Cost Avoidance: $2,613,464 in IT staff productivity gains and cost savings by avoiding PCI fines
Notes
1. The Ponemon Institute, 2009 Annual Study: Cost of a Data Breach.
2. Bureau of Labor Statistics, May 2008 National Occupational Employment and Wage Estimates, United States. http://www.bls.gov/oes/2008/may/oes_nat.htm#b15-0000, see listing for Network and Computer Systems Administrators.
3. 24 Hour Fitness management estimate.
4. Schumann, R., “Work Schedules in the National Compensation Survey,” Bureau of Labor Statistics, July 28, 2008. http://www.bls.gov/opub/cwc/cm20080722ar01p1.htm.
5. Bureau of Labor Statistics, Year-to-Year Historical Salary Comparison, October 2007. http://www.bls.gov/cpi/home.htm.
6. Sources for PCI fine amounts:
• Visa International Operating Regulations, Volume I—General Rules, November 15, 2008, page 35
• MasterCard Rules, June 3, 2009, Section 3–2
• American Express Data Security Operating Policy for U.S. Merchants, April 2009.
The Alchemy Solutions Group
www.alchemygroupinc.com
The Alchemy Solutions Group is a global management consulting and marketing research firm providing
program level support to senior IT, sales, marketing, and customer relationship professionals in Fortune
1000 companies. Alchemy conducts market research and analyses to help clients assess the economic
impact of leading technology solutions in the global IT supply chain.
The Total Operational and Economic Impact (TOEI)™ Research Practice delivers public and private
research and publishing services. This research confirms the positive or potentially negative economic
impact of products and services in post-implementation environments. Alchemy’s Business Value Analysis
(BVA)™ is one of the public communication mediums available for this research.
Alchemy leverages deep industry expertise and formal research best practices to help business leaders
better understand their economic contributions in the business-to-business marketplace. Alchemy’s
clients leverage TOEI research to provide economically driven go-to-market strategies and support
integrated sales and marketing best practices.
Stanley King — President and CEO
King is responsible for establishing strategic relationships with executives who are committed to
understanding the economic impact of products and services in the global IT supply chain. King’s
international sales and marketing experience and ongoing research efforts provide industry executives
with the candid insight required to enable effective customer life cycle management. The repurposing of TOEI research has proven valuable to IT procurement, product development,
strategic and product marketing, enterprise sales, and long-term customer support. Prior to founding The
Alchemy Solutions Group, King served in the software industry for 19 years, specializing in mergers and
acquisitions, executive management, and field operations.
NO WARRANTY. The information contained herein is provided AS-IS, and is subject to change without notice. The only warranties for
products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. Any use or reliance on the information contained herein is at the risk of the user.
Neither The Alchemy Solutions Group nor Symantec shall be liable for technical or editorial errors or omissions contained herein.
Business Value Analysis, BVA, Total Operational and Economic Impact, and TOEI are trademarks of The Alchemy Solutions Group, Inc.
Greg Malacane, Director, Research & Publishing
Symantec Document 20836025