Manufacturing Business Technology

March 1, 2006
VIEWS FROM THE FRONT; Apps Protection; Pg. 6
Industry group tackles metrics for ROI on security solutions
By Staff
How to justify security investments, both on the part of software developers and
of companies evaluating purchases, is the focus of a new group launched late last year.
The Application Security Industry Consortium (AppSIC) is going after the thorny issue of
ROI on security practices for the full development life cycle, an issue that has proven
difficult to quantify for individual companies.
"We have two specific goals: to provide metric guidance, and deliver a methodology for
evaluating platform and application security," says Herbert Thompson, chairman of
AppSIC, and chief security strategist for technology and services provider Security
Innovation, a member of the consortium.
"Among the challenges are to show value for security activities when we're building
software, and to show customers how to determine value when they're buying,"
continues Thompson. "For the vendors, it's about determining whether adding a security
feature will positively impact the end quality of security; that is, what is our ROI? The
analyst community asks the same thing: how do we know what platforms and systems to
recommend regarding security?"
AppSIC members include representatives from Microsoft, SAP, Oracle, Red Hat,
Gartner, and the Florida Institute of Technology, among others.
The group will map security measures to business needs, as well as the issues that
CEOs and CIOs care about. AppSIC also hopes to elevate discussion above the use of
mere scare tactics for justifying investments. The first set of deliverables includes white
papers on best practices, and a set of questions user companies should ask when
evaluating software purchases.
"We're trying to get people to understand security associated with software applications,"
says Charles Kolodgy, research director with Framingham, Mass.-based IDC, and an
AppSIC member. "As perimeter security has improved, and as people deploy more
defenses in different areas, hackers have decided to attack applications much more than
they used to. We're attempting to assess the risk of applications and find meaningful
metrics for security."
Doug Jacobson, director of the Iowa State University Information Assurance Center,
concurs. "Security is like insurance: it's hard to justify," he says. "AppSIC is bringing that
to the forefront by seeking models that IT people can use to demonstrate potential ROI.
This would go a long way toward making applications more secure."