Companies of all sizes face increased pressure to start or mature their application security programs. Determining how to do so can be confusing, especially with increasing internal demands for faster time to market. Many solutions claim to help organizations build more secure software. However, measuring the value a solution provides against its economic and organizational costs can be difficult.
We know our customers have the same question about SD Elements. While it is clear SD Elements helps organizations adopt security requirements and scale secure coding initiatives, organizations want to quantify that investment.
- Does it provide economic benefits that surpass its costs?
- How long does it take to pay for itself in savings?
- What is the return on investment?
To provide objective answers, Security Compass commissioned Forrester Consulting to examine the economic benefits of deploying SD Elements. The result is a study conducted by Forrester Consulting on behalf of Security Compass, The Total Economic Impact™ Of Security Compass SD Elements (April 2022). This post discusses the study methodology and results.
Purpose of the Study
Calculating a return on investment (ROI) is a common requirement for capital investments. For example, when a manufacturing company wishes to improve operations, it may invest in new machinery or tooling. It will compare the costs of different solutions and the expected savings from reduced labor, improved quality, and lower maintenance costs.
Determining which tool or service to add to an application security program is more difficult. Performance metrics are different, and vendor claims can be difficult to quantify. For example, the quality of results from application security testing (AST) tools like static and dynamic analysis can differ by programming language and require different levels of security expertise to use effectively. Most organizations have limited budgets and security resources, which makes a thorough evaluation of multiple solutions impractical.
Forrester TEI Methodology
Data from vendors is useful, but most organizations value independent validation of costs and projected savings. Forrester’s Total Economic Impact™ (TEI) methodology has been used for over 20 years to help technology consumers evaluate investment value.
For the SD Elements TEI, Forrester conducted independent interviews with security or technology decision makers at four organizations using SD Elements. The organizations were all US-based with global markets including manufacturing, financial services, transportation and defense, and building controls. The organizations ranged from 6,200 to 62,000 employees. Revenue ranged from $1.5 billion to $31 billion.
Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization with an application portfolio of 250 applications. Forrester then applied their financial model framework to the composite organization, including benefits, costs, flexibility, and risks, to arrive at estimates for the total economic impact.
Forrester’s model expresses economic impact in investment terms including payback period, net present value, and return on investment.
Consider an organization weighing whether to spend $100,000 to license new software. For the investment to make economic sense, it must provide benefits of an equal or greater amount over its life. Those benefits can include cost savings, higher revenue, and greater productivity. It is typical to look at the investment of three to five years and apply a “discount rate” (for example, a discount rate of 10 percent) for the time value of the invested money.
Forrester based their 3-year costs and benefits on interviews with SD Elements’ customers, as shown below.
Return on Investment: 332%
Return on Investment (ROI) is the sum of the net benefits divided by the sum of the expenses, expressed as a percentage. Again, organizations will compare the ROI against the ROI for competing investments.
Benefits Present Value: $2,863,734
The total benefit of this investment over three years is $3,454,650. Applying the discount rate to the cash flow provides the present value of those benefits.
Net Present Value: $2,201,155
Net Present Value (NPV) is the current value of future net cash flows at the given discount rate. In this case, the company is spending $776,600 to generate benefits of $3,454,650 over three years. Applying the discount rate to the total net cash flow of $2,863,734 provides the NPV. An NPV greater than zero indicates a good investment relative to the discount rate.
Payback Period: Less than six months
Payback period is the number of months required for cumulative savings to equal cumulative expenses.
Quantified Benefits of SD Elements
Forrester quantified the economic benefits of SD Elements across four use cases:
- Generating security requirements
- Maintaining, updating, and communicating secure coding standards and risk mitigation controls
- Avoiding vulnerabilities through better implementation of security requirements
- Time savings when achieving security certifications
In total, Forrester calculated that SD Elements provided the composite organization with a Benefits Present Value of almost $3 million. After accounting for SD Elements licensing costs, its Net Present Value was $2.2 million. The top three financial benefits were increased productivity, reduced costs, and avoided remediation expenses.
Increased Productivity by 90 percent
The traditional method of developing security requirements is manual. Interviewees told Forrester that multiple meetings involving product, security, and development teams were required for each new product to understand the technology stack and which requirements were applicable. Prior to implementing SD Elements, an average of 80 hours was required to develop security requirements for a single project. The organizations told Forrester that using SD Elements reduced the time security personnel needed to generate security requirements by 90 percent (to eight hours in the composite organization). The 72 hours saved allow security personnel to work on other priorities and tasks, and resulted in an NPV of $1.7 million for this use case.
Reduced Costs Maintaining, Updating, and Communicating Standards
Each new industry standard or regulatory requirement can change an application’s security requirements and corresponding risk mitigation controls. Without SD Elements, according to the Forrester study, security architects would have to understand new and updated requirements, update spreadsheets, and provide training for security champions. When new policies or recommendations came into scope, like GDPR, security architects needed to review the new policy, create a spreadsheet with the new requirements, and roll out new policies to each development team.
Interviewees told Forrester that using SD Elements’ content library of industry standards, regulatory requirements, and risk mitigation controls, and its integrations with ticketing systems reduced costs by an average of almost $350,000 annually, with a three-year use case NPV of $738,800.
Avoided Vulnerability Remediation
Security requirements help organizations anticipate issues that could result in security vulnerabilities and build risk mitigation tasks into their workflow. The organizations interviewed by Forrester reported that deploying SD Elements was pivotal in allowing them to avoid spending significant time remediating vulnerabilities. This includes the time required to identify and prioritize vulnerabilities, determine remediation actions in line with security policies, and implement and test fixes.
The Forrester TEI study found that the composite organization avoided 10 hours of unnecessary remediation time per application per year by using SD Elements. This provided the composite organization with an NPV of $396,300 over three years.
SD Elements helps organizations build more secure software faster. It saves time and money by automating the process of defining, assigning, and validating security requirements. By anticipating weaknesses in a technology stack and assigning risk mitigation controls directly to development, security, and operations through the workflow tools they already use, vulnerabilities are reduced and software can be released more quickly and predictably.
There are many software security tools available, and deciding which to invest in can be difficult. The Forrester Consulting TEI provides empirical evidence of SD Elements’ economic benefits to organizations wanting to improve software security while shifting left in the DevSecOps lifecycle. You can read the complete Forrester study here. You can also watch a more detailed discussion about the economic impact of SD Elements between Trevor Young, Security Compass Chief Product Officer, and guest speaker Roger Nauth, Senior TEI Consultant at Forrester.
NOTE: A Forrester TEI analysis does not constitute an endorsement by Forrester of any solution or organization.