The Total Economic Impact™ Of The SecurityScorecard Platform

Cost Savings And Business Benefits Enabled By SecurityScorecard Platform Solutions

A Forrester Total Economic Impact™ Study Commissioned By SecurityScorecard, May 2024

Switch between the study data and your custom data below. Answering the questions on the 'Custom Data' tab will allow you to customize the analysis and estimate the potential impact of using a Total Economic Impact study.

Study Data Custom Data

Study Data

Annual revenue

Number of critical vendors onboarded annually

Time required to onboard a critical vendor (hours)

Fully burdened annual cost of a security engineer

Number of security engineer team members

Percent time dedicated to third-party risk management (not including onboarding)

Your Organization

What is the name of your organization?

Annual revenue

Number of critical vendors onboarded annually

Time required to onboard a critical vendor (hours)

Fully burdened annual cost of a security engineer

Number of security engineer team members

Percent time dedicated to third-party risk management (not including onboarding)

SecurityScorecard’s cyber risk platform offers a continuous attack surface and vendor monitoring and provides real-time data on third-party threats. Its comprehensive and automatic vendor detection, risk identification, and mitigation features enable enterprises to manage their online risk exposure within the critical third-party space holistically. Its strong API capabilities and automation also help organizations avoid costly breaches and achieve significant efficiencies.

SecurityScorecard offers enterprises a platform to monitor and manage digital third-party, supply chain, and attack surface vulnerabilities. SecurityScorecard provides comprehensive vendor security solutions that continuously monitor supply chain cyber risk activity and provide vendor security ratings — which saves organizations considerable internal resources in vendor onboarding and monitoring tasks while enabling security engineering teams to proactively address cyber irregularities with individual vendors before third-party threats impact their digital ecosystems. Its automated threat intelligence feature also identifies and assesses organizations’ third-party cyber vulnerabilities to the edge of their vendor networks and remediates these threats in real time, avoiding disruptive and impactful data breaches.

SecurityScorecard commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying its solutions.¹ The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of SecurityScorecard on their organizations.

Return on investment (ROI)

176%176%

Net present value (NPV)

$3.58M$3.58M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four representatives with experience using SecurityScorecard. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization which is a US-based Fortune 500 organization with $50 billion in annual revenue, has 100,000 employees, and there are 20 FTEs on its security engineering team. The composite organization subscribes to SecurityScorecard’s security questionnaires and ratings services and additional platform features such as third-party cyber risk management, vulnerability intelligence, and attack surface management.

has $0 in annual revenue and a security engineering team of 0 FTEs. Custom results are based on your inputs and the TEI case study.

Interviewees said that prior to using SecurityScorecard, their organizations relied on external security reports and employed manual vendor onboarding and monitoring processes to assess, address, and remediate cyber risk within their vendor networks. These methods proved time-consuming and ineffective as external reports were often outdated. The organizations lacked the internal resources to scale and manage their entire vendor networks, leaving them vulnerable to undetected digital supply chain threats.

After the investment in SecurityScorecard, the interviewees reported their ability to better monitor and manage a much wider group of IT vendors and respond to third-party threats in a timely manner. As SecurityScorecard’s platform improved security hygiene, the organizations identified threatening cyber-attack vectors and intercepted attacks such as credential theft, phishing, and ransomware, thereby improving overall IT security postures.

Estimate your ROI

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

Avoided security engineering hires for third-party risk management and monitoring. SecurityScorecard’s comprehensive and automated cyber risk platform helps the composite organization manage its security engineering needs effectively. The composite organization can thus handle the increased demands of expanding its vendor network monitoring and enhance its third-party security posture without the need for additional hires. This cost avoidance grows linearly as additional critical vendors are onboarded and is worth more than $3.8 million over three years.

For , this benefit could be worth over three years.

Strengthened third-party and supply chain security. SecurityScorecard’s ability to identify and mitigate its previously undetected digital supply chain vulnerabilities greatly reduces third-party risk exposure to network and surface attacks. Enhancing its cybersecurity practices in its vendor network allows the organization to prevent expensive data breaches, which often result in direct revenue loss and can cause significant downtime for employees with network access. Additionally, these breaches can lead to long-lasting reputational damage that affects both customer retention and acquisition. This improvement in third-party and supply chain security offers the composite organization a risk-adjusted benefit of $1.7 million over three years.

For , this benefit could be worth over three years.

Efficiencies in critical vendor onboarding. Onboarding new critical vendors in the composite organization’s legacy environment required significant security engineering resources to complete the necessary risk assessment tasks, which included time-consuming security research and extensive communication with individual vendors. SecurityScorecard’s comprehensive risk mitigation services, ratings, and automated features enabled the security engineering team to decrease the overall duration of critical vendor onboarding activities by 75%, leading to a three-year, risk-adjusted efficiency improvement worth $503,000 to the composite organization.

For , this benefit could be worth over three years.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

Enhanced reporting capabilities. SecurityScorecard's enhanced reporting capabilities empower C-level leadership and the board of directors to make strategic business decisions by providing comprehensive assessments of the composite organization's third-party cybersecurity vulnerabilities. SecurityScorecard's reporting features enable the organization to analyze security trends, incorporate historical data, and prioritize actions to protect sensitive information and credentials. This allows the organization to align its third-party cybersecurity processes with overall business objectives, ensuring a robust and strategic approach to cybersecurity.

Improved regulatory and compliance posture. With its easy-to-use platform, SecurityScorecard facilitates communication and transparency, which assists the composite organization in meeting compliance requirements and regulatory obligations. The organization’s ability to provide evidence of security controls and practices demonstrates adherence to third-party security standards and regulations that are industry specific, ensuring compliance and avoiding potential legal fines and reputational damages.
Improved employee experience (EX) and team culture. SecurityScorecard’s automated third-party cyber risk mitigation services and features gives the security engineering team greater visibility into the organization’s existing and past vendor network vulnerabilities — enabling them to proactively mitigate third-party and supply chain risks that were previously unaddressed. The platform fosters a culture of consistent and data-driven decision-making through collaboration, empowering team members to focus on high-value tasks. This results in an overall improved security culture within the organization.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Fees to SecurityScorecard. The annual license cost and fees to monitor and manage critical vendors, including the Attack Surface Intelligence (ASI) feature, total $1.5 million over three years.

For , this cost could be over three years.

Initial and ongoing costs. Initial costs for the composite organization include initial training and the allocation of internal resources to evaluate, test, and deploy the SecurityScorecard platform features. Ongoing costs include time dedicated to ongoing training and managing the platform and relationship with SecurityScorecard. The composite’s initial and ongoing costs required for the adoption of SecurityScorecard total $690,000 over three years.

For , this cost could be over three years.

The representative interviews and financial analysis found that a composite organization experiences benefits of $6 million over three years versus costs of $2.2 million, adding up to a net present value (NPV) of $3.9 million and an ROI of 176%.

could experience benefits of over three years versus costs of , adding up to an NPV of and an ROI of 0%.

Reduced risk of breaches from external third-party attacks with SecurityScorecard

75%

“We’re now identifying the greatest risks in our external infrastructure, the stuff that any hacker with one day of experience can figure out. Honestly, the ability to have all this third-party risk information aggregated and presented in a usable way for both us and the supplier is a game-changer.”

Senior director of information protection, insurance

Key Statistics

Return on investment (ROI)

176%176%

Benefits PV

$6.03M$6.03M

Net present value (NPV)

$3.85M$3.85M

Payback

6 months6 months

Benefits (Three-Year)

Avoided security engineer hires for third-party risk management and monitoring Strengthened third-party and supply chain security Efficiencies in critical vendor onboarding

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in SecurityScorecard’s platform and solutions.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that SecurityScorecard can have on an organization.

Due Diligence

Interviewed SecurityScorecard stakeholders and Forrester analysts to gather data relative to the SecurityScorecard platform.
Interviews

Interviewed four representatives at organizations using the SecurityScorecard platform to obtain data about costs, benefits, and risks.
Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by SecurityScorecard and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in SecurityScorecard. For the interactive functionality using Configure Data/Custom Data, the intent is for the questions to solicit inputs specific to a prospect's business. Forrester believes that this analysis is representative of what companies may achieve with SecurityScorecard based on the inputs provided and any assumptions made. Forrester does not endorse SecurityScorecard or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, SecurityScorecard and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and SecurityScorecard make no warranties of any kind.

SecurityScorecard reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

SecurityScorecard provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Rachel Ballard

Drivers leading to the SecurityScorecard investment

Interviews

Role	Industry	Region	Employees
Supply chain risk manager	Energy	Headquartered in Europe with global operations	93,000
Senior manager of cybersecurity	Banking	US	217,000
Senior director of information protection	Insurance	US	74,000
Senior director of information security	B2B distribution	US	25,000

Key Challenges

Interviewees commented that although their organizations previously purchased external vendor cyber assurance reports and employed security engineering resources to manage and monitor critical vendors, the reports were often untimely, and the security engineering team lacked the automation and bandwidth to onboard and monitor existing and new critical vendors. This inability to scale revealed deficiencies in their third-party and supply chain cyber risk management programs that exposed them to damaging attacks on their IT infrastructures. These third-party attacks, which sometimes shut down their networks for an indeterminable amount of time led to productivity loss, frustrated employees, and the loss of real-time online sales. Additionally, cybersecurity breaches originating from extended vendor networks — especially those involving data and credential theft — led to reputational damage, resulting in a loss of existing and future customers and a further loss of revenue.

The interviewees noted how their organizations struggled with common challenges, including:

Ineffective, inefficient security hygiene that relied on manual processes and outside assurance reports. The interviewees’ organizations lacked the ability to procure real-time vendor security ratings, leading to inadequate risk assessments that relied on outdated data. Additionally, the absence of automation and real-time visibility into third-party security vulnerabilities caused the security engineering team to spend excessive time monitoring and managing existing vendor network threats.
Lack of resources to onboard all critical vendors, which exposed the organizations to unnecessary risk. The lack of internal resources required to annually assess existing critical vendors and onboard new ones exposed the interviewees’ organizations to unnecessary vulnerabilities. This caused them to experience the consequences of an increasing number of costly third-party attacks that impacted their networks and IT ecosystems.
Loss of revenue, reputation, and business opportunities due to insufficient monitoring and visibility. Without adequate security hygiene, the organizations were susceptible to vulnerabilities in their supply chains. This third-party security exposure invited damaging cyber attacks, directly leading to lost sales revenue, reputational damage, and missed business opportunities with other vendors.

Investment Objectives

The interviewees’ organizations searched for a solution that could:

Provide the ability to onboard critical vendors efficiently to improve service delivery and enhance potential business opportunities.
Offer a holistic third-party management tool with features that identify and address third-party risks across the ecosystem.
Enhance scalability to meet growing vendor monitoring and management needs.
Enable the organizations to self-monitor their own cyber risk exposure and ratings.
Help maintain security engineering headcount and avoid hiring additional security engineers to keep up with growing critical vendor volume.

“Assurance reports are retrospective and do not provide a forward-looking view or look at trends. Getting assurance reports and completing questionnaires from suppliers takes time and effort that my team didn't have. I'd say, in general, managing risk with only assurance reports is not nearly as effective as having a comprehensive toolset.”

Supply chain risk manager, energy

“SecurityScorecard has been transformative — going beyond being a cyber ratings provider and providing a unique and valuable perspective on third-party risk management.”

Senior manager of cybersecurity, banking

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the four interviewees, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

Description of composite. The Fortune 500 organization is headquartered in the US with worldwide operations and reports $50 billion in annual revenue and 100,000 employees. In its legacy environment, the composite organization utilizes outdated risk assurance reports to assess vendor cyber risk and employs internal resources to onboard new critical vendors and monitor supply chain vulnerabilities and the organization’s exposure to external cyber threats and attacks.

Description of . has $0 in annual revenue and a security engineering team of 0 FTEs.

Deployment characteristics. The composite organization initially subscribes to SecurityScorecard’s traditional questionnaire and ratings services, and following a six-month evaluation and adoption period, deploys additional automated, AI-driven features offered on SecurityScorecard’s platform, including third-party cyber risk management, threat intelligence, and ASI.

Key Assumptions

Fortune 500 organization
$50 billion in annual revenue
100,000 employees
US-based with a global presence
20 FTEs on the security engineering team

Interview Spotlight: Senior Director Of Information Security, B2B Distributor

Previously, the risk assessment process was mostly manual. It involved using a series of manual tools to collect information directly from vendors, evaluate their websites, and rely on security information reports from vendors or outside organizations. There were soft costs associated with timeliness, such as lost revenue or missed business opportunities. Furthermore, the procurement process had two competing forces: The need to move quickly and the need for due diligence before signing a contract. Gathering necessary risk assessment information from vendors was hence a challenging task.

There were several reasons why it was important to implement a better system. Firstly, there were numerous headlines about companies being breached through third parties, with ransomware attacks on the rise. Convincing leadership of the need for a better system did not require much effort. Secondly, there was an increase in supply chain risks, both through public reporting and internal analysis. Understanding the attack surface and security posture of third parties became crucial. Lastly, there was a matter of scale and resources. Hiring enough people to manually perform this work was not feasible, and it would not have been the best investment. SecurityScorecard provided an easier way to consume information and relay it to the C-suite and to the board of directors.

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Avoided security engineer hires for third-party risk management and monitoring	$789,327 $789,327	$1,578,654 $1,578,654	$2,367,981 $2,367,981	$4,735,962 $4,735,962	$3,801,342 $3,801,342
Btr	Strengthened third-party and supply chain security	$696,870 $696,870	$696,870 $696,870	$696,870 $696,870	$2,090,610 $2,090,610	$1,733,013 $1,733,013
Ctr	Efficiencies in critical vendor onboarding	$202,350 $202,350	$202,350 $202,350	$202,350 $202,350	$607,050 $607,050	$503,215 $503,215
	Total benefits (risk-adjusted)	$1,688,547 $1,688,547	$2,477,874 $2,477,874	$3,267,201 $3,267,201	$7,433,622 $7,433,622	$6,037,570 $6,037,570

Avoided Security Engineer Hires For Third-Party Risk Management And Monitoring

Evidence and data. The interviewees reported that to complete the same third-party risk management and monitoring tasks now performed by SecurityScorecard, their organizations’ security engineering teams would have needed to be expanded considerably in the prior environment.

The senior director of information security at a B2B distribution organization stated, “To manage our current critical vendors and onboard new ones as needed, we would need 10 additional FTEs at the security engineering level.”
The senior manager of cybersecurity in banking remarked, “We have realized enormous remediation efficiencies that would have been impossible before SecurityScorecard without adding significant headcount.”

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

The number of avoided security engineering hires grows from seven in Year 1 to 14 in Year 2, and 21 in Year 3.
The security engineering team dedicates a total of 85% of their time to vendor risk monitoring, vulnerability management, recertifications, and penetration testing.
The average fully-burdened annual cost of a security engineer is $147,400.

Risks. The number of avoided security engineer hires can vary with:

The organization’s legacy third-party risk monitoring and management solutions.
The number of critical vendors requiring risk monitoring and management post-deployment.
The time dedicated to risk monitoring and management tasks, which depends on the security engineering team’s skill level and focus.
The annual salary of security engineers, which depends on skill level and geographical location.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.8 million.

For , with 0 critical vendors onboarded annually and the percent time dedicated to risk monitoring and management tasks totaling 0% for the security engineering team, each earning a salary of $0 per year, this benefit may have a three-year, risk-adjusted total PV of .

85%

Time dedicated to third-party risk management and monitoring

“To do what SecurityScorecard does for us would take a team of 10 new security engineers. It would be totally cost prohibitive to build a program like this and bring all the needed data together.”

Senior director of information protection, insurance

The following table shows custom results for .

Avoided Security Engineer Hires For Third-Party Risk Management And Monitoring

Ref.	Metric	Source	Year 1	Year 2	Year 3
A1	Security engineers required to meet monitoring, vulnerability management, recertifications, and penetration testing needs of new critical vendors	Your organizationYour organization	77	1414	2121
A2	Percentage of time dedicated to third-party risk management and monitoring	Your organizationYour organization	85%85%	85%85%	85%85%
A3	Average fully-burdened annual cost of a security engineer	Your organizationYour organization	$147,400 $147,400	$147,400 $147,400	$147,400 $147,400
At	Avoided security engineer hires for third-party risk management and monitoring	A1A2A3	$877,030 $877,030	$1,754,060 $1,754,060	$2,631,090 $2,631,090
	Risk adjustment	↓10%
Atr	Avoided security engineer hires for third-party risk management and monitoring (risk-adjusted)		$789,327 $789,327	$1,578,654 $1,578,654	$2,367,981 $2,367,981
Three-year total: $4,735,962 $4,735,962		Three-year present value: $3,801,342 $3,801,342

Strengthened Third-Party And Supply Chain Security

Evidence and data. Through the identification and mitigation of previously undetected vulnerabilities in their digital supply chains, interviewees noted that SecurityScorecard helped their organizations minimize their third-party risk exposure significantly, specifically those pertaining to network and surface attacks. By enhancing its cybersecurity hygiene within its vendor network, the organizations were able to successfully avoid network and system breaches.

The senior director of information security at a B2B distributor commented: “We experienced a breach before adopting SecurityScorecard, and there was a much longer arc to the notification period because it was wholly dependent on being notified by the third party. With SecurityScorecard, we learn about events immediately. We know that attacks are on the rise, and that without the level of visibility that SecurityScorecard offers, we would be compromised.”
The senior manager of cybersecurity at a large bank followed, "It allows us to have a more consistent response to exposures and resolve issues before they escalate into full-scale breaches."

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

The likelihood of the composite organization experiencing one or more breaches in a year is 89%.²
The mean cumulative cost of total breaches per year totals $5.8 million for the composite organization.³
Twenty percent of breaches originate from third-party attacks.⁴
The composite organization reduces its risk of external third-party breaches with SecurityScorecard’s monitoring and management solutions by 75%.

Risks. Strengthened third-party and supply chain security can vary with:

The ability to identify and remediate third-party attacks in the legacy environment.
The frequency and cumulative cost of third-party attacks in the legacy environment.
The types of attacks in the legacy environment.
The size and industry of an organization.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.7 million.

For , with annual revenue of $0 and 20% of breaches originating from third-party attacks, this benefit may have a three-year, risk-adjusted total PV of .

75%

Reduction In breaches from external third-party attacks

“Where opportunity lies is looking at specific types of attack profiles and aligning them to specific issues impacting our organization. Ransomware is on the rise and threat actors are becoming more sophisticated. We couldn't keep up and do it all ourselves.”

Senior manager of cybersecurity, banking

The following table shows custom results for .

Strengthened Third-Party And Supply Chain Security

Ref.	Metric	Source	Year 1	Year 2	Year 3
B1	Likelihood of an enterprise organization experiencing at least one breach per year	Forrester Research	89%89%	89%89%	89%89%
B2	Mean cumulative cost of third-party breaches for enterprise organizations	Forrester Research	$5,800,000 $5,800,000	$5,800,000 $5,800,000	$5,800,000 $5,800,000
B3	Percentage of breaches originating from external third-party attacks	Forrester Research	20%20%	20%20%	20%20%
B4	Annual risk exposure from external third-party attacks	B1B2B3	$1,032,400 $1,032,400	$1,032,400 $1,032,400	$1,032,400 $1,032,400
B5	Reduced risk of breaches from external third-party attacks with SecurityScorecard	Interviews	75%75%	75%75%	75%75%
Bt	Strengthened third-party and supply chain security	B4*B5	$774,300 $774,300	$774,300 $774,300	$774,300 $774,300
	Risk adjustment	↓10%
Btr	Strengthened third-party and supply chain security (risk-adjusted)		$696,870 $696,870	$696,870 $696,870	$696,870 $696,870
Three-year total: $2,090,610 $2,090,610			Three-year present value: $1,733,013 $1,733,013

Efficiencies In Critical Vendor Onboarding

Evidence and data. Interviewees noted that SecurityScorecard’s automated solutions helped them achieve significant efficiencies in the onboarding of critical vendors. These efficiencies offered the organizations greater coverage within their supply chain as they could onboard and monitor a wider range of vendors that posed potential third-party cyber risk.

The senior director of information security at a B2B distributor shared: “Prior to using SecurityScorecard, onboarding could take a few months because you have to do a full security analysis to arrive at the risk level of a vendor. With SecurityScorecard, we can do the whole process now in just a couple of weeks — and most of that time is spent trying to get documentation from the vendor.”

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

It onboards 200 new critical vendors annually.
With a 75% efficiency gain post-deployment, the composite organization’s security engineering team saves 15 hours per critical vendor in its onboarding efforts.
The average fully-burdened hourly cost of a security engineer is $71.

Risks. Efficiencies in critical vendor onboarding can vary with:

The number of critical vendors onboarded and monitored per year.
The security engineering team efficiency levels in the legacy environment.
The hourly rate of security engineers, which depends on skill level and geographical location.

Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $503,000.

For , with 0 critical vendors onboarded annually, each requiring 0 hours to onboard at an hourly cost of $0, this benefit may have a three-year, risk-adjusted total PV of .

The following table shows custom results for .

Efficiencies In Critical Vendor Onboarding

Ref.	Metric	Source	Year 1	Year 2	Year 3
C1	Critical vendors onboarded annually	Your organizationYour organization	200200	200200	200200
C2	Average time required to onboard a new critical vendor prior to SecurityScorecard (hours)	Your organizationYour organization	2020	2020	2020
C3	Percentage of time saved onboarding new critical vendors	Interviews	75%75%	75%75%	75%75%
C4	Average time saved onboarding a new critical vendor (hours)	C2*C3	1515	1515	1515
C5	Average fully-burdened hourly cost of a security engineer	A3/2080 hours per year	$71 $71	$71 $71	$71 $71
Ct	Efficiencies in critical vendor onboarding	C1C4C5	$213,000 $213,000	$213,000 $213,000	$213,000 $213,000
	Risk adjustment	↓5%
Ctr	Efficiencies in critical vendor onboarding (risk-adjusted)		$202,350 $202,350	$202,350 $202,350	$202,350 $202,350
Three-year total: $607,050 $607,050		Three-year present value: $503,215 $503,215

15 hours

Time saved onboarding a new critical vendor with SecurityScorecard

“We have a very high level of trust in SecurityScorecard's ability to weed out risky vendors during the assessment and onboarding process. It has a high attribution accuracy and very low error rates."

Senior director of information security, B2B distribution

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

Enhanced reporting capabilities. SecurityScorecard’s reporting capabilities include trending analysis, which provided organizations insight into their third-party risk exposure over time. This empowered organizations to measure the impact of their third-party and supply chain security efforts and identify any deficiencies. The senior director of information protection in the insurance industry noted, “SecurityScorecard is effective at helping us build trending reports, showing areas where we need improvement in our third-party cyber risk operations.” The supply chain risk manager in the energy sector expanded: "External assurance reports are expensive and outdated. With SecurityScorecard, we have the analytics and trending insights we need to see actionable trends across the vendor risk landscape.”
Improved regulatory and compliance posture. SecurityScorecard helped organizations in meeting regulatory requirements and industry standards by providing continuous and accurate vendor risk monitoring, benchmarking, prioritizing, and reporting. The senior manager of cybersecurity at a large banking institution stated: “From a regulatory standpoint, we’re able to leverage the platform to present the best, most protected perimeter — offering customer confidence and reducing overall brand risk. The platform provides utility assessments that align to banking industry standards and allow us to validate quickly if there is a change in the cyber posture of our third parties." The senior director of information protection at an enterprise insurance organization noted, “For our critical vendors, we perform basic and onsite assessments, annual reviews, and continuous monitoring to comply with required industry regulations and meet the standards required by our outsourcing partners.”
Improved EX and team culture. Implementing effective security controls and practices enabled security engineers to experience smoother workflows, reduce interruptions from security incidents, and gain the ability to direct recaptured time to higher value, more strategic third-party cyber risk-related activities. The senior manager of cybersecurity at a banking organization observed: “SecurityScorecard has improved the overall culture of the security engineering organization. The capabilities offered in the platform have really energized the team. It’s been great to witness the energy that our partnership with SecurityScorecard has generated.” The supply chain risk manager at the energy organization shared, “SecurityScorecard automates workflows and gives our security engineering team the opportunity to do more with less, upgrade their skillset, and continue to improve ways of measuring third-party risk.”

"We no longer have to wait half a year to get a vendor assurance report. With SecurityScorecard's reporting capabilities, we have immediate information and insights into trends. Even with our high number of suppliers, we can be in proactive mode, not reactive, and quickly focus on where the risk is and address it.”

Supply chain risk manager, energy

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement SecurityScorecard solutions and later realize additional uses and business opportunities, including:

Strengthened supplier relationships. Interviewees reported that SecurityScorecard helped their organizations improve relationships with at-risk vendors. The senior manager of cybersecurity at a banking institution stated, “SecurityScorecard enables us to have more collaborative and proactive conversations with our vendors, fostering better partnerships and a better risk management approach." The supply chain risk manager in the energy organization noted, “The security ratings from SecurityScorecard are industry-recognized, which adds credibility to our third-party security concerns and helps us communicate and improve our relationships with our suppliers.”
Ability to self-monitor. Interviewees mentioned that SecurityScorecard encouraged their organizations to self-monitor their security posture and take proactive measures to address and remediate identified vulnerabilities in real time. The senior manager of cybersecurity in the banking space shared, "SecurityScorecard provides a comprehensive view of the digital supply chain and allows us to curate and certify our own scorecard to ensure the best and most protected perimeter.” The senior director of information security at a B2B distribution organization commented: “We use SecurityScorecard internally to monitor our own security position and then address and remediate any weaknesses. It is useful to know how our customers see us from a cyber risk perspective. We can leverage that knowledge through business channels, more specifically in conversations and negotiations with customers to either retain or gain them.”
Greater accuracy and visibility into risk vectors. Equipped with greater visibility across their third-party and supply chain landscapes, organizations could better identify and evaluate existing vendor risk vectors such as application and network security. By analyzing and understanding these risk vectors, SecurityScorecard enabled organizations to quickly address security weaknesses across their vendor networks. The supply chain risk manager at an energy organization noted: "The benefits of Security Scorecard include better visibility, speed, and a holistic view of a vendor’s security posture. It gives us a clear, accurate picture of the risk vectors impacting the digital services we receive from our suppliers."

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).

“SecurityScorecard enables us to pinpoint potential high-level third-party risks. By identifying and informing suppliers about their network weaknesses, we can mitigate our own exposure. Moreover, the platform helps us identify suppliers who may not be adhering to the cybersecurity standards we originally agreed upon.”

Senior director of information protection, insurance

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1	Year 2	Year 3	Total	Present Value
Dtr	Fees to SecurityScorecard	$131,250 $131,250	$346,500 $346,500	$561,750 $561,750	$777,000 $777,000	$1,816,500 $1,816,500	$1,494,278 $1,494,278
Etr	Initial and ongoing costs	$398,853 $398,853	$80,514 $80,514	$119,280 $119,280	$158,046 $158,046	$756,693 $756,693	$689,368 $689,368
	Total costs (risk-adjusted)	$530,103 $530,103	$427,014 $427,014	$681,030 $681,030	$935,046 $935,046	$2,573,193 $2,573,193	$2,183,646 $2,183,646

Fees To SecurityScorecard

Evidence and data.

Interviewees reported that SecurityScorecard charged their organizations an annual license fee per vendor for questionnaires and contracted platform features. The organizations also incurred an annual cost for ASI.
Pricing may vary. Contact SecurityScorecard for additional details.

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

It onboards its existing 100 critical vendors in the initial period.
It onboards 200 new critical vendors annually in Years 1, 2, and 3.
By Year 3, 700 critical vendors are monitored and managed by SecurityScorecard.
SecurityScorecard charges an annual license fee of $1,025 per vendor. This fee includes its questionnaire and ratings service as well as platform features that include third-party cyber risk management and threat intelligence.
SecurityScorecard charges an additional annual fee of $22,500 for its ASI service.

Risks. Total fees to SecurityScorecard can vary with:

The existing skillset and expertise of its security engineering team.
The existing number of critical vendors.
The number of critical vendors onboarded per year.
The number of platform features the organization deploys.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of close to $1.5 million.

For , these costs may have a three-year, risk-adjusted total PV of . Please note that this is based on a high-level estimation and does not represent a quote. For more details, please contact SecurityScorecard.

$1,025

Annual per vendor license cost that includes questionnaires and platform features

“SecurityScorecard has been good about keeping their costs manageable and in alignment with our vendor risk assessment model. We have not experienced any arbitrary price increases. And their customer success managers are great.”

Senior director of information security, B2B distribution

The following table shows custom results for .

Fees To SecurityScorecard

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
D1	Critical vendors monitored by SecurityScorecard	Your organizationYour organization	100100	300300	500500	700700
D2	Annual license cost of SecurityScorecard per critical vendor (includes platform and questionnaires)	Interviews	$1,025 $1,025	$1,025 $1,025	$1,025 $1,025	$1,025 $1,025
D3	Annual cost of ASI	Interviews	$22,500 $22,500	$22,500 $22,500	$22,500 $22,500	$22,500 $22,500
Dt	Fees to SecurityScorecard	(D1*D2)+D3	$125,000 $125,000	$330,000 $330,000	$535,000 $535,000	$740,000 $740,000
	Risk adjustment	↑5%
Dtr	Fees to SecurityScorecard (risk-adjusted)		$131,250 $131,250	$346,500 $346,500	$561,750 $561,750	$777,000 $777,000
Three-year total: $1,816,500 $1,816,500			Three-year present value: $1,494,278 $1,494,278

Initial And Ongoing Costs

Evidence and data. The initial and ongoing costs of the interviewees’ organizations included the costs of the resources required to evaluate, test, and deploy SecurityScorecard, any required training, and the ongoing management of the adopted platform solutions.

Modeling and assumptions. For the financial analysis, Forrester assumes the following about the composite organization:

Its evaluation and adoption of SecurityScorecard require five security engineering FTEs 100% dedicated for six months.
Initial training totals 8 hours per member on the security engineering team.
Ongoing training totals 2 hours per year in Years 1, 2, and 3.
Ongoing management requires one security engineer, and 20 hours of their time per week.
The average fully-burdened annual cost of a security engineer is $147,400.
The average fully-burdened hourly cost of a security engineer is $71.

Risks. Total initial and ongoing costs can vary with:

The organization’s familiarity with third-party and supply chain security solutions in general.
The organization’s legacy environment.
The hourly rates of security engineers, which depend on skill level and geographical location.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $690,000.

For , these costs may have a three-year, risk-adjusted total PV of .

Five security engineers dedicated for six months

Resources required to evaluate and adopt SecurityScorecard solutions

The following table shows custom results for .

Initial And Ongoing Costs

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
E1	Security engineer FTEs required to evaluate and adopt SecurityScorecard	Your organizationYour organization	55
E2	Months required to evaluate and adopt SecurityScorecard	Interviews	66
E3	Average fully-burdened annual cost of a security engineer	A3	$147,400 $147,400
E4	Subtotal: Initial cost to evaluate and adopt SecurityScorecard	E1(E2/12)E3	$368,500 $368,500
E5	Security engineers who require initial and ongoing training	Your organizationYour organization	2020	2020	2020	2020
E6	Time required for initial and ongoing training (hours)	Interviews	88	22	22	22
E7	Average fully-burdened hourly cost of a security engineer	C5	$71 $71	$71 $71	$71 $71	$71 $71
E8	Subtotal: Initial and ongoing training costs	E5E6E7	$11,360 $11,360	$2,840 $2,840	$2,840 $2,840	$2,840 $2,840
E9	Security engineer FTEs required for ongoing management	Your organizationYour organization		11	11	11
E10	Time per week required for ongoing management of SecurityScorecard platform (hours)	Interviews		2020	3030	4040
E11	Average fully-burdened hourly cost of a security engineer	C5		$71 $71	$71 $71	$71 $71
E12	Subtotal: Ongoing management costs	E9(E1052 weeks)*E11		$73,840 $73,840	$110,760 $110,760	$147,680 $147,680
Et	Initial and ongoing costs	E4+E8+E12	$379,860 $379,860	$76,680 $76,680	$113,600 $113,600	$150,520 $150,520
	Risk adjustment	↑5%
Etr	Initial and ongoing costs (risk-adjusted)		$398,853 $398,853	$80,514 $80,514	$119,280 $119,280	$158,046 $158,046
Three-year total: $756,693 $756,693			Three-year present value: $689,368 $689,368

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Total costs Total benefits Cumulative net benefits

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

Cash Flow Analysis (Risk-Adjusted Estimates)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($530,103)($530,103)	($427,014)($427,014)	($681,030)($681,030)	($935,046)($935,046)	($2,573,193)($2,573,193)	($2,183,646)($2,183,646)
Total benefits	$0 $0	$1,688,547 $1,688,547	$2,477,874 $2,477,874	$3,267,201 $3,267,201	$7,433,622 $7,433,622	$6,037,570 $6,037,570
Net benefits	($530,103)($530,103)	$1,261,533 $1,261,533	$1,796,844 $1,796,844	$2,332,155 $2,332,155	$4,860,429 $4,860,429	$3,853,924 $3,853,924
ROI						176%176%
Payback period (months)						<6<6

Appendix A: Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

Total Economic Impact Approach

Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

PRESENT VALUE (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
NET PRESENT VALUE (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
RETURN ON INVESTMENT (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

Appendix B: Supplemental Material

“Trends Report: Cybersecurity Risk Ratings Remain A Valuable Piece Of The Third-Party Risk Puzzle,” Forrester Research Inc., April 7, 2023.

Appendix C: Endnotes

¹ Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

² Source: Forrester’s Security Survey, 2023; survey base involves 432 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities who have experienced a breach in the past 12 months.

³ Source: Forrester’s Security Survey, 2023; survey base involves 72 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities who have experienced a breach in the past 12 months.

⁴ Source: Forrester’s Security Survey, 2023; survey base involves 385 security decision-makers from organizations with a revenue of at least $1 billion with network, data center, app security, or security ops responsibilities who have experienced a breach in the past 12 months.

ABOUT FORRESTER CONSULTING

Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Cookie Settings

This website uses cookies to deliver functionality and enhance your experience. GDPR requires that we obtain your consent before activating these cookies. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.

Customize These Results

Customize These Results

Executive Summary

Key Findings

Table Of Contents

Key Statistics

176%176%

$6.03M$6.03M

$3.85M$3.85M

6 months6 months

Benefits (Three-Year)

TEI Framework And Methodology

Due Diligence

Interviews

Composite Organization

Financial Model Framework

Case Study

Disclosures

The SecurityScorecard Customer Journey

Drivers leading to the SecurityScorecard investment

Interviews

Key Challenges

Investment Objectives

Composite Organization

Key Assumptions

Interview Spotlight: Senior Director Of Information Security, B2B Distributor

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Avoided Security Engineer Hires For Third-Party Risk Management And Monitoring

Avoided Security Engineer Hires For Third-Party Risk Management And Monitoring

Strengthened Third-Party And Supply Chain Security

Strengthened Third-Party And Supply Chain Security

Efficiencies In Critical Vendor Onboarding

Efficiencies In Critical Vendor Onboarding

Unquantified Benefits

Flexibility

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Fees To SecurityScorecard

Fees To SecurityScorecard

Initial And Ongoing Costs

Initial And Ongoing Costs

Financial Summary

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Cash Flow Analysis (Risk-Adjusted Estimates)

Appendixes

Appendix A: Total Economic Impact

Total Economic Impact Approach

PRESENT VALUE (PV)

NET PRESENT VALUE (NPV)

RETURN ON INVESTMENT (ROI)

DISCOUNT RATE

PAYBACK PERIOD

Appendix B: Supplemental Material

Appendix C: Endnotes

ABOUT FORRESTER CONSULTING