In the security space, ROI is a horribly difficult question to address. 

It's helping us better manage our configuration adherence, our baseline adherence, as well as vulnerabilities, so there is an ROI but it hasn't been quantified. It's a qualitative ROI. I couldn't give you a quantitative response.

The areas of ROI include the visibility, the scanning, and being able to identify those vulnerabilities and then feed them through the pipeline to get those prioritized results. Without the scanner and Tenable doing the initial scans, none of the rest of the flow - addressing those vulnerabilities, and reducing our risk and exposure - would be possible. 

It also helps with certain PCI compliance because you have to have scans.

We don't get down to the nitty-gritty cost of specific risks. We report a risk as we see it, and there's a different audit organization within our organization that does IT risk management. It will take all the risks and combine that with the financial impacts. I couldn't tell you, "We're saving a million dollars." Our team doesn't look at it at that level. We identify the vulnerabilities as they exist and prioritize them for other teams to consume.