Industry group tackles metrics for ROI on security solutions

By Staff -- Manufacturing Business Technology, 3/1/2006

How to justify security investments—both on the part of software developers and companies evaluating purchases—is the focus of a new group launched late last year. The Application Security Industry Consortium (AppSIC) is going after the thorny issue of ROI on security practices for the full development life cycle, an issue that has proven difficult to quantify for individual companies.

"We have two specific goals: to provide metric guidance, and deliver a methodology for evaluating platform and application security," says Herbert Thompson, chairman of AppSIC, and chief security strategist for technology and services provider Security Innovation, a member of the consortium.

"Among the challenges are to show value for security activities when we're building software, and to show customers how to determine value when they're buying," continues Thompson. "For the vendors, it's about determining whether adding a security feature will positively impact the end quality of security—that is, what is our ROI? The analyst community asks the same thing: how do we know what platforms and systems to recommend regarding security?"

AppSIC members include representatives from Microsoft, SAP, Oracle, Red Hat, Gartner, and the Florida Institute of Technology—among others.

The group will map security measures to business needs, as well as the issues that CEOs and CIOs care about. AppSIC also hopes to elevate discussion above the use of mere scare tactics for justifying investments. The first set of deliverables includes white papers on best practices, and a set of questions user companies should ask when evaluating software purchases.

"We're trying to get people to understand security associated with software applications," says Charles Kolodgy, research director with Framingham, Mass.-based IDC, and an AppSIC member. "As perimeter security has improved, and as people deploy more defenses in different areas, hackers have decided to attack applications much more than they used to. We're attempting to assess the risk of applications and find meaningful metrics for security."

Doug Jacobson, director of the Iowa State University Information Assurance Center, concurs. "Security is like insurance: it's hard to justify," he says. "AppSIC is bringing that to the forefront by seeking models that IT people can use to demonstrate potential ROI. This would go a long way toward making applications more secure."

©2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.