That cybercrime is a serious threat, and is becoming more costly and dangerous for companies, is widely known by now. Most companies know cybersecurity is an issue; however, cybercrime’s annual revenue still exceeds cybersecurity investments.
So why are IT budgets still so limited even though major hacking attacks happen regularly? Can investments in IT security pay off in the long run? Maybe even in the short run? It’s time for us to look at the return companies get from investing in sufficient web application security.
Now to the critical question: Why pay a lot of money for something that does not directly generate revenue and can be done by your employees?
Simply because it is most likely not your core competence, and your developers’ time is much better spent on creating revenue-generating features. Let us look at how you can generate a positive ROI by investing in an automated vulnerability scanning solution.
We’ll start with the investments since they are the more obvious and intuitive part.
Firstly, you will need to search for and invest in services and products supporting your employees and protecting your data. Then, you will compare different solutions to find the one that’s most efficient for your organization. For example, a company with 250+ employees and a large development team must decide whether a standardized tool is still the right choice or whether it has to invest in an on-premise solution.
Computing the expected costs will be simple once you figure out the most efficient solution for your business. When it comes to the service’s cost, important factors are the number of developers, the number of projects, and the yearly penetration tests you intend to do. Depending on how many penetration tests your company usually does, you will find out rather quickly that automating your web application security will be much less costly than performing many manual pentests.
In addition to a security solution for your web application, you will also need to invest in your human capital. The latest hacking attacks have shown that IT security is still mostly a human problem, so you will need to train your staff on secure coding practices or simply on daily measures they can take to protect your business (e.g., by using two-factor authentication). On the other hand, a well-designed security solution might help your developers adopt secure coding practices, since their code will get better from one deployment to the next because of the instant feedback they are getting on existing problems.
Example calculation (company with 20 different web applications and APIs and 50 software developers):
Average monthly cost of your favourite web application security solution: 1,180€
Manual pentesting cost per year: 10,000€
Estimated cost of a security workshop for 50 people: 30,000€
12 months x 1,180€ + 10,000€ + 2 security workshops per year x 30,000€ = 84,160€ per year
Monthly cost for IT security = 84,160€ / 12 = 7,013€
Ok, so we spend some money now… but how do we get a return for that?
Simply put, ROI can be generated through cost savings, increased productivity, or revenue growth.
Cost savings seem to be the most obvious out of the three. But what are the major sources of costs that can occur without a functioning information security solution?
Let’s say your webshop has been hacked, and you are now experiencing some downtime during which no customer can reach your website to order something or inform themselves. Depending on your average revenue, you can compute how much money you will instantly lose through the stop in operations.
Another cost factor might be the reputation loss your shop will experience if customers know that it is not as reliable as a competitor’s webshop. Again, this would lead to revenue cuts that can be seen as costs in the long run.
Nowadays, any web application deals with sensitive customer data like addresses, phone numbers, or credit card information. If hackers can extract that data, you are not only experiencing revenue cuts but might also have to deal with regulatory costs (GDPR is nothing to mess with) that could have a massive impact on your profitability.
Taking the probability of such events and the costs that would arise, you can compute the expected loss you experience without a functioning information security system.
According to the 2017 Cost of a Data Breach report, a data breach’s average total cost is $3.62 million (or €3.19 million). Without any protection, the probability of such a data breach within the next two years is 27.7%.
Expected loss = 3,190,000€ x 27.7% = 883,630€ (over the next two years)
Expected loss per month = 883,630€ / 24 = 36,818€
Of course, that sum needs to be adjusted for every company depending on its revenue size, number of users, and current information security level.
We’ve seen how web application security can save any company a significant amount of money in the medium to long term.
How about other parts of the ROI? Can IT security improve productivity?
Depending on the solution you choose and how well the integration works, IT security can enhance your development team’s productivity.
The key to that is automation. If your web application is being scanned every week or before every deployment, software developers can fix existing vulnerabilities in an early stage, giving them more time to focus on actually creating new features. Security will no longer be an issue to spend time on, but just a checkbox that can be ticked with every deployment.
Additionally, as mentioned before, your developers’ productivity will rise because the constant advice that a web application security solution offers will help them adopt better secure coding practices.
To sum it up: by automating your web application security, your company can save up to 8h per developer per month, which will have a major impact on your productivity and, therefore, the affiliated costs.
50 Developers x 8h x 50 €/hour = 20,000€ per month
So far, information security can benefit 2 out of 3 elements of an ROI. But how could a solution made to cut costs actually create additional revenue?
Information security is no longer a topic that only software developers and CSOs think about. Many customers (B2B and B2C) are worried about their data and want it to be safe in your application. Making the security of customer and business data one of your strengths can lead to a competitive advantage that you can leverage when it comes to customer acquisition.
The latest data breach, which exposed the passwords of approx. 700 million people, made ordinary users more and more cautious about what services they sign up to and where they purchase online. By securing your customer data, you can make sure they keep coming to your website first and generate stable revenue for your company.
To sum it up:
Cost = 7,013€ | Cost savings = 36,818€ | Productivity growth = 20,000€
Potential monthly profit = 36,818€ + 20,000€ - 7,013€ = 49,805€
ROI = 49,805€ / 7,013€ = ca. 710%
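As an added example (not from the original article), the model behind these numbers written out as Python functions so you can plug in your own figures; all defaults are the article’s values, and the break-even helper is an addition that assumes the investment prevents the breach outright:

```python
# Added example, not the article's own code: the ROI model with the
# article's figures as defaults. Money is in euros; the 24-month horizon
# matches the two-year breach probability the article cites.

def annual_security_cost(monthly_tool_cost=1180.0, annual_pentest_cost=10000.0,
                         workshop_cost=30000.0, workshops_per_year=2):
    """Yearly investment: scanner subscription + pentests + training."""
    return 12 * monthly_tool_cost + annual_pentest_cost + workshops_per_year * workshop_cost


def monthly_security_cost(**kwargs):
    return annual_security_cost(**kwargs) / 12


def expected_loss_per_month(breach_cost=3_190_000.0, breach_probability=0.277,
                            horizon_months=24):
    """Expected loss = breach cost x probability, spread over the horizon."""
    return breach_cost * breach_probability / horizon_months


def productivity_savings_per_month(developers=50, hours_saved=8, hourly_rate=50.0):
    return developers * hours_saved * hourly_rate


def roi(monthly_cost, monthly_loss_avoided, monthly_productivity):
    """Return ratio (benefits - cost) / cost; 7.1 means 710 %."""
    return (monthly_loss_avoided + monthly_productivity - monthly_cost) / monthly_cost


def break_even_breach_probability(monthly_cost, breach_cost=3_190_000.0,
                                  horizon_months=24, monthly_productivity=0.0):
    """Smallest breach probability over the horizon at which the avoided
    expected loss still covers the part of the cost not already offset by
    productivity gains. Assumption (added here): the solution prevents
    the breach entirely, as the article's calculation implies."""
    uncovered = monthly_cost - monthly_productivity
    if uncovered <= 0:
        return 0.0
    return uncovered * horizon_months / breach_cost


if __name__ == "__main__":
    cost = monthly_security_cost()
    loss = expected_loss_per_month()
    prod = productivity_savings_per_month()
    print(f"monthly cost {cost:,.0f} EUR, avoided loss {loss:,.0f} EUR, "
          f"productivity {prod:,.0f} EUR, ROI {roi(cost, loss, prod):.0%}")
    print(f"break-even 2-year breach probability without productivity gains: "
          f"{break_even_breach_probability(cost):.1%}")
```

Even with the productivity gains left out, the tooling pays for itself once the two-year breach probability exceeds about 5%, which is why the 27.7% figure produces such a large ROI.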
As you can see, there is more than one factor of the ROI that is positively affected by web application security. Let’s summarize what we’ve learned:
- An efficient IT security solution helps your employees.
- Sufficient protection lowers the risk of high costs for an occurring data breach.
- Security automation can enhance your developers’ productivity and help them with secure coding practices.
- Companies can use their level of data protection to gain a competitive advantage and keep their customers coming.