Fortify Software and Mainstay Partners Survey Security Executives to Find the Real ROI of Software Security


Study Finds Software Security Assurance Savings Equals $2.4M per Year, and Savings Increase Exponentially with Broad SSA Adoption

NEW YORK, Sept. 13 - CSO Security Standard -- Fortify Software, the market leader in Software Security Assurance (SSA) solutions, today released the results of an in-depth study with Mainstay Partners to find the true Return on Investment (ROI) of software security assurance solutions at the CSO Security Standard Conference in New York, NY. Roger Thornton, Founder & CTO of Fortify, will unveil the results of this first-of-its-kind study during his keynote presentation at the show, "Now Moving to the Corner Office: The Business Value of Software Security."

After conducting and analyzing the results of executive interviews with 17 of Fortify's global customers, including Fortune 500 companies across the financial services and government sectors, Mainstay was able to identify, qualify and quantify the full range of benefits organizations are seeing from their SSA investments. The survey revealed that, with baseline savings at $2.4M per year, companies are finding that investing in efficiency and productivity improvements, including faster, less-costly code scanning and vulnerability remediation, and streamlined compliance and penetration testing, pays dividends in preventative savings.

"Not surprisingly, at a time when IT budgets are coming under closer scrutiny, chief information security officers are being called on to justify their software security investments from a cost-benefit perspective," said Thornton. "We believe this study provides a good framework for the business and financial justification of an investment in software security. Organizations that take a program-level approach to security will not only reduce risk, but get a much greater strategic return on software security."

"We reviewed 30 software security providers and found that, while everyone talks about ROI, no one has really quantified the business value of SSA," said Amir Hartman, co-founder and managing director of Mainstay Partners. "Fortify's effort to put some real cost and time savings against an investment in SSA is unique in the industry, and should give security executives the language they need to communicate the value of SSA in a way that resonates with senior IT and business leaders."

Based on the C-level interviews conducted between April and August of this year, the study found that exponential increases in benefits are being achieved by companies that deploy SSA in more comprehensive and innovative ways. These advanced deployments include embedding software security controls and best practices throughout the application development lifecycle, extending SSA programs into critical customer-facing product areas, and leveraging SSA to seize unique value-generating opportunities. For these strategic companies, the benefits of application security solutions can add up to as much as $37M per year.

Mainstay's research also revealed that securing buy-in from senior IT leadership, including the CIO and head of application development, is another way to successfully deploy a high-value, strategic SSA solution. Without this commitment, there is little likelihood that organizations can realize maximum value from a strategic SSA deployment. To gain support from senior leadership, about 90 percent of the executives surveyed said that proving SSA's payback potential in the form of a business case or ROI assessment was critical.

Other key findings among customers who had optimized their adoption of SSA include:

o Vulnerabilities per application reduced from thousands to tens

o Average time to fix a vulnerability reduced from 1-2 weeks to 1-2 hours

o The percentage of repeat vulnerabilities reduced from 80% to 0%

o Costs for compliance and penetration tests reduced from ~$500k to $250k

o Time-to-market delays due to vulnerabilities reduced from 4+ incidents (30 days each) to none

To learn more about this ROI study or to receive a copy of the study, titled "Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions", please go to https://www.fortify.com/ssa-basics/why-ssa/roi_study_2010.html.

About Fortify Software, Inc.

Fortify®'s Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite -- Fortify 360 -- drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog at blog.fortify.com.

Source: Fortify Software

CONTACT:

Danielle Eccleston of Merritt Group,

+1-703-390-1537,

Eccleston@Merrittgrp.com, for Fortify Software

Web Site: www.fortify.com/

http://www.mainstaypartners.net/
