How many times have you tried to preach software security only to have someone ask you to show the return on investment (ROI)? As of late, I’m starting to see so many papers and articles trying to develop metrics (qualitative or quantitative) to show the effectiveness of security that I thought I’d chime in and try to present my argument as to why I think this isn’t sensible.


Business is basically about increasing the money coming in (revenue) and decreasing the money going out (operational cost), and as such, any initiative taken by a business can, loosely speaking, be placed in one of two categories: offensive initiatives and defensive initiatives. For example, investing in new technologies, investing in marketing or investing in R&D can all be seen as offensive initiatives executed to increase revenue. Initiatives taken to streamline processes using technology or to increase the efficiency of IT operations can be viewed as defensive initiatives taken to reduce the cost of doing business. Software security is a defensive initiative.


Allow me to elaborate. Most large organizations have an internal legal department. This is not a department that produces revenue for the organization; rather, it’s there to protect the revenue that the organization makes. How do you show ROI on a legal department? How do you know that it was a certain blurb in a legal statement that stopped a potential lawsuit? Or better yet, without claiming clairvoyance, how could you tell that a policy created and enforced by your legal department to define how financial information is handled within your company is going to save your organization millions of dollars in complete process re-engineering costs in the future when compliance with SOX becomes mandatory?


There is no doubt we have quite a ways to go in the software security space, and we are (on average, I think :) ) on the right path. Part of the problem, I believe, is that people are trying to perceive security as an offensive initiative. Yes, in certain cases, it can be seen as such. For example, in the case where the only way you can interact with a certain business partner is to have a good security posture through which your software can interact with your business partner’s software. What I don’t like is when you go to websites (and pretty much ALL websites are guilty of this) and they promote the use of SSL or the fact that they are verified by this organization or that organization to be secure. When is the last time you heard a car manufacturer, or a car salesman for that matter, boast about the fact that a car has locks on the doors? This is a cultural change and I think it will take some time to get over… security should just be there. The cost of security is the cost of doing business… instead of looking for ROI, we need to be looking for ways to increase the effectiveness and reduce the costs of security tools and processes. That is the essence of things like the Microsoft SDL or its derivative, SDL-IT, that we follow in Microsoft IT. And this is certainly the premise of what we’re doing around threat modeling and the derivatives of it we’re working on now…


BTW: I mentioned the phrase “good security posture”… what exactly is a “good” security posture? Or better yet, the question should be: what is an “acceptable” security posture? Now this is a very interesting question, and one that does need to be answered… :)