Does Application Security Pay?

The last decade has seen a dramatic shift in the way companies manage information security and protect vital data. In the past, businesses confronted the threat of cyber attacks and data breaches primarily by building firewalls and other “perimeter defences” around their networks, but the threat has continued to evolve, and more criminals are hacking into applications that are running on a plethora of new devices and environments, including cloud, mobile, and social media.

As a result, the focus of threat protection is moving from securing the infrastructure to securing the software applications that businesses write and deploy. The shift has created a market for a new generation of products and services – known as software security assurance (SSA) solutions – that help companies uncover vulnerabilities in their code, effectively fix these defects, and produce software that is impervious to security threats.

In an effort to quantify the business value of SSA, Fortify Software (the leading provider of SSA solutions) commissioned Mainstay Partners to conduct in-depth interviews of 17 global customers – organisations that have implemented SSA, and representing a cross-section of industries. The study found that companies are realising substantial benefits from SSA right out of the box, saving as much as $2.4M per year from a range of efficiency and productivity improvements, including faster, less-costly code scanning and vulnerability remediation and streamlined compliance and penetration testing.

Exponential increases in benefits, however, are being achieved by companies that deploy SSA in more comprehensive and innovative ways. These advanced deployments include embedding software security controls and best practices throughout the development lifecycle, extending SSA programs into critical customer-facing product areas, and leveraging SSA to seize unique value-generating opportunities.

For these strategic companies, the benefits of software security solutions can add up to as much as $37M per year. In our interconnected world, software is everywhere – not just in data centres or on desktop computers, but in mobile phones and all kinds of wireless devices and consumer products. Software resides on the Web and in the cloud, where businesses rely on software-as-a-service solutions (SaaS) for mission-critical business functions.

Application security protects the software that is running in all these environments and devices, and the business improvements of SSA are seen as extending to wherever applications are deployed. At a time when IT budgets are coming under closer scrutiny, chief information security officers (CISOs) say they are being called upon to justify SSA investments from a cost-benefit perspective. This article provides the evidence needed for information security executives to communicate the business value of software security solutions in a language that the board can relate to.

Faster vulnerability remediation

Across the board, companies adopting SSA solutions report significant efficiency improvements in finding and remediating software security flaws. By introducing automated SSA technology and best practices, organisations reduced average remediation time from 1 to 2 weeks to 1 to 2 hours. Organisations saved an estimated $44K annually in remediation costs per application. For the average organisation, these cost savings are estimated conservatively to amount to $3M per year.

Streamline compliance and penetration testing

Companies are facing tighter government and industry regulations for application security, particularly the new software standards in the financial services and health-care industries. By configuring the SSA solution to address specific compliance mandates, for example, organisations quickly identified vulnerabilities and ranked them according to severity.

The solution also generates a report that documents these activities, creating an audit trail for regulators. The average organisation adopting SSA saw its fees paid to compliance auditors fall by 89%, or about $15K annually. The average organisation also achieved a 50% reduction in penetration testing effort, translating into annual savings of more than $250K.

Avoid data breaches

The threat of a major data breach can keep CISOs awake at night, and most are aware of the history of high-profile security failures that have damaged company reputations and resulted in millions of dollars in legal and PR fees, remediation expenses, lost revenue, and customer churn. The average cost of a data breach is about $3.8M, or $204 per compromised record. Companies can save an estimated $380K per year by adopting SSA solutions to avoid major data breaches.

Avoid software compliance penalties

Businesses that fail to comply with industry standards for software security can face substantial penalties. In the payment card industry, for example, penalties can range from $5K to $25K per month. Moreover, when lost sales, customer churn, and remediation expenses are also factored in, the full cost of PCI non-compliance can be substantially more. By ensuring compliance through systematic application security testing, companies can conservatively avoid approximately $100K in penalties annually.

Pay-for-performance benefits

In an innovative use of software security technology, companies that outsource software development to partners are leveraging solutions to drive cost-effective “pay for performance” programs. Companies using SSA to screen and adjust the price of outsourced code can capture fee savings of about $100K annually while improving the overall quality of code delivered by development partners.

Faster product launches boost revenue and margins

For companies that sell e-commerce and other commercial software, discovering security flaws late in the development life cycle can delay new product introductions (NPI) by weeks or months, putting revenue and market share at risk and adding millions of dollars in development costs. Companies can capture an estimated $8.3M of additional software revenue through a comprehensive SSA program to minimise product delays. Companies can realise development cost savings of about $15M per year from SSA-driven reductions in product delays.

Maximise the value of M&A deals

Companies can extend the value of their software security solution by deploying it in strategic ways, for example using it to perform software security audits of acquisition targets whose core products depend critically on software. In the case of a company completing two $100M deals a year, using SSA to assess the software assets of prospective acquisitions can yield valuation benefits of approximately $10M.

Realising The Full Potential Of SSA

For companies able to exploit all of the opportunities for value creation, that potential can reach $37M annually. There are three stages that organisations typically go through on the path to SSA maturity:

  • Explore: These organisations deploy an SSA solution across a small number of applications (10–20) and developer teams as a proof-of-concept initiative.
  • Accelerate: These organisations are moving beyond “toe-in-the-water” pilot programs and are actively incorporating threat detection and remediation techniques across key development teams and applications.
  • Optimise: These organisations have embedded software security tools, processes, and training within a formal SDLC program. Many are also leveraging SSA solutions in innovative ways to generate additional business value and create competitive differentiation.

As this article has demonstrated, SSA solutions not only help companies minimise the risk of a successful cyber attack, but also offer substantial efficiency and productivity benefits that help control costs, speed software development cycles, and in some cases even boost revenue and asset values.

Amir Hartman is the Founder and Managing Director of Mainstay Partners, in San Mateo, California, which helps B2B companies quantify and communicate the value their solutions deliver to customers. One of the leading global authorities on corporate and technology transformations, Amir is an international bestselling author and sought-after advisor to senior business leaders in a broad cross-section of industries. He is on the faculty at Berkeley’s Haas School of Business and Columbia’s Graduate School of Business, where he teaches in their MBA and Executive MBA programs. He is a renowned expert in corporate turnarounds, technology and innovation strategy, and business and IT governance. Prior to Mainstay Partners, Amir was at Cisco Systems, where he was responsible for IT strategy and governance.