It's no secret: There are hidden cost savings in most AppSec programs that go well beyond risk avoidance. But for CISOs, the trick is conveying those business propositions to executives who are driven by the bottom line and don't want to pay for intangibles. In a Veracode webinar, Sean Owens and Phil Neray demystify these hidden returns on investment (ROIs) that can be hard to explain to execs. Here's a closer look at some of their findings. Use them to help you more effectively explain your application security program — and why it matters.
ROI is measured as money earned on (or saved by) an investment. And when it comes to software investment, the first place to look is in efficiency gains. An automated patch solution reduces the amount of time required from your IT staff versus a manual process, which results in net cost savings. And, as Pete Lindstrom is quoted as saying in the webinar, "ROI is gained by increasing the productivity of your IT staff through automation." So every process in an application security program that's improved by or automated with software makes for increased productivity — and that means a higher bottom line.
Security is a hindrance to business growth if a firm's security solution is not equipped to efficiently grow alongside it. Not only are manual processes time-consuming, but they also have capacity limits. Automated software can more easily take on a greater volume of large tasks than humans, meaning that as your business grows, your security won't slow you down. Instead of leaving you with an overwhelmed IT department or costly new hires, cloud-based security solutions can easily handle increased capacity, allowing for happy, lean IT departments that keep enterprises protected as your business flourishes.
A faster, more efficient AppSec program means that products can be rolled out earlier — in some cases two to four weeks sooner — than with traditional security solutions. Earlier product rollout means increased revenue by virtue of "free" sales time gained. Being the first to market, especially in the competitive tech industry, can have a much larger effect than simply time gained on market.
With great security baked into how code is built, both the number of flaws per megabyte of code and the cost per flaw decrease significantly. As developers fix flaws, they learn to make fewer mistakes when writing new code. Fewer mistakes that are less expensive to fix? That sounds like something Beyoncé should write a song about.
Great AppSec goes beyond preventing the "Big One." You've always known that, but now you can better articulate it to everyone else. As you move forward, remember the questions you can ask to prove the importance of a great application security program: Does your current solution get you where you want to be? Can it? Could it be a hindrance to future growth?
If any part of your security solution is slowing business growth or costing you too much time and money, the case for better AppSec is much stronger than simply preventing Target-sized hacks — it's money saved every day in so many ways. And that's a #flawless argument.
Photo Source: Flickr