Crashtest Security Blog

How you can generate a positive ROI through web application security

Jan 28, 2019 8:55:00 AM / by Leonard Basse

ROI-web-app-security

 

The fact, that Cyber Crime is a serious threat and is becoming more and more costly and dangerous for companies is widely known by now. Most companies know, that cyber security is an issue, however the annual revenue of cyber crime still exceeds the investments in cyber security.

So why are there such limited IT budgets even though major hacking attacks happen on a regular basis? Can investments into IT security pay off in the long run? Maybe even in the short run? It’s time for us to look at the return, that companies get from investing in sufficient web application security!

 

Now to the critical question: Why pay a lot of money for something that does not directly generate revenue and can be done by your employees?

Simply because it is most likely not your core competence and your developers’ time is much better spend on creating revenue generating features. So let us have a look at how you can generate a positive ROI by investing in an automated vulnerability scanning solution.

We’ll start with the investments, since they are the more obvious and intuitive part.

Firstly, you will need to search for and then invest in services and products that support your employees and protect your data. You will compare different solutions, to find the one that’s most efficient for your organisation. A company with 250+ employees and a large development team must decide whether a standardized tool is still the right choice or whether it has to invest in an on-premise solution.

Computing the expected costs will be simple once you figured out the most efficient solution for your business. Important factors, when it comes to the cost of the service are the number of developers, the number of projects and the yearly penetration tests you intend to do. Depending on how many penetration tests your company usually does, you will find out rather quick that automating your web application security will be much less costly then performing many manual pentests.

In addition to a security solution for your web application, you will also need to invest in your human capital. The latest hacking attacks have shown, that IT security is still mostly a human problem, so you will need to train you staff on secure coding practices or simply on daily measures they can take to protect your business (e.g. by using Two-Factor-Authentication). A well designed security solution might help you with secure coding practices, since the code of your developers will eventually get better from one deployment to another, because of the instant feedback they are getting on existing problems.

Example calculation (company with 20 different web applications and APIs and 50 software developers):
Average monthly cost of your favourite web application security solution: 1,180€
Manual pentesting cost per year: 10,000 €
Estimated cost of a security workshop for 50 people: 30,000€
12 months x 1,180€ + 10,000€ + 2 security workshops per year x 30,000€ = 84,160€
Monthly Cost for IT Security = 7,013€

Ok so we spend some money now… but how do we get a return for that?

Simply put, ROI can be generated through cost savings, increased productivity or revenue growth.

 

Cost savings seem to be the most obvious out of the three. But what are major sources of costs that can occur without a functioning information security solution?

Let’s say your webshop has been hacked and you are now experiencing some downtime during which no customer is able to reach your website to order something or inform themselves. Depending on your average revenue you can compute how much money you will instantly lose through the stop in operations.

Another cost factor might be the reputation loss your shop will experience if customers know that it is not as reliable as a competitor’s webshop. This would lead to revenue cuts that can be seen as costs in the long run.

Any web application nowadays is dealing with sensible customer data like addresses, phone numbers or credit card information. If hackers are able to extract that data, you are not only experiencing the revenue cuts, but might also have to deal with regulative costs (GDPR is nothing to mess with) that could have a massive impact on your profitability.

Taking the probability of such events and the costs that would arise, you can compute the expected loss you experience without a functioning information security system.

According to the 2017 Cost of a data breach report the average total cost of data breach is $3.62 million (or €3.19 million) and without any protection, the probability of such a data breach within the next two years is 27.7%.

Expected Loss = 3,190,000€ x 27.7% = 883,630€(over the next two years)
Expected Loss per month = 36,818

Of course, that sum needs to be adjusted for every company depending on its revenue size, number of users and its current level of information security.

We’ve seen now, how web application security can save any company a significant amount of money in the medium to long term.

 

How about other parts of the ROI? Can IT security improve productivity?

Depending on the solution you choose and how well the integration works, IT security can indeed enhance the productivity of your development team.

The key to that is automation. If your web application is being scanned every week or before every deployment, software developers can fix existing vulnerabilities in an early stage, giving them more time to focus on actually creating new features. Security will then no longer be an issue to spend time on, but just a checkbox that can be ticked with every deployment.

Additionally — as we mentioned before — your developers’ productivity will rise because the constant advice that a web application security solution offers will help them to get better at secure coding practices.

To sum it up: by automating your web application security, your company can save up to 8h per developer per month which will have a major impact on your productivity and therefore the affiliated costs.

Productivity savings:
50 Developers x 8h x 50 €/hour = 20,000€ per month

 

So far, information security can benefit 2 out of 3 elements of an ROI. But how could a solution made to cut costs actually create additional revenue?

Information security is no longer a topic that only software developers and CSOs think about. Many customers (B2B and B2C) are worried about their data and want it to be save in your application. By making the security of customer and business data one of your strengths it can lead to a competitive advantage that you can leverage when it comes to customer acquisition.

The latest data breach that extracted passwords of approx. 700 million people made ordinary users more and more cautious about what services they sign up to and where they purchase online. By securing your customer data, you can make sure, they keep coming to your website first and therefore generate a stable revenue for your company.

To sum up it up:

Cost =7,013€ | Cost savings = 36,818€ | Productivity growth = 20,000€
Potential monthly profit = 49,805€
ROI = ca. 710%

 

As you can see, there is more than one factor of the ROI, that is positively affected by web application security. Let’s summarize, what we’ve learned:

  • An efficient IT security solution helps your employees
  • Sufficient protection lowers the risk of high costs for an occurring data breach
  • Security automation can enhance your developers productivity and help them with secure coding practices
  • Companies can use their level of data protection to gain a competitive advantage and keep their customers coming

Topics: SecurityManagement

Leonard Basse

Written by Leonard Basse

I write about IT Security news, practices and events.