How to Build a Compelling Business Case for a Software Security Program


May 5, 2025

Creating a compelling business case for investing in software resilience is more about economics than risk probability. The primary message for stakeholders is that eliminating and reducing defects in software as it is assembled and modified increases developer productivity.


Enterprises spend heavily on software development and maintenance each year, and lowering that cost is highly attractive to the C-suite. Investing in better tools to eliminate and fix defects earlier results in greater cost avoidance and productivity. The up-front investment is made over three years, while the annual benefits carry forward each year. Any CFO, CEO or CIO will be receptive to lowering the cost of software ownership, because it frees capital to invest in new capabilities that can drive revenue.


Economic rationales will always win over risk-probability arguments with business stakeholders, because there is no way to attribute losses to specific software defects. Website and mobile software defects are rarely attributed to the enterprise, and the criminal exploitation of the vulnerabilities often lags the cyber intrusion by many months.


The right approach is to hold stakeholders accountable for producing and maintaining resilient software by measuring the defect density of the software's code during development. Defect density is the quantity of code assembled divided by the number of risky defects identified.


The business case for a software security program is that productivity can be improved by fixing security defects during the process of creating and maintaining software. This will have a significant impact on the business by producing more resilient software with a lower cost of ownership and fewer customer cyber incidents.