(Things to consider sharing with the client) The ROI of an appsec hire includes hard and soft values. The hard values are difficult to speak to without understanding the business objectives and which cybersecurity metrics are in place today or planned for the future. Generally speaking, the soft values accelerate or enable the hard values. We can discuss the soft values directly (improved efficiency, cost avoidance, cost savings, brand, and cyber team retention). The hard values are measurable outcomes aligned to the business and its revenue, so tying the ROI to the executive's stated goals is the best path.
Shifting Left - The ability to start, or continue, a proactive application security strategy. Every company is seeking increased development velocity, and increased velocity raises the rate at which vulnerabilities are introduced. Application security planning, testing, and remediation must match or exceed the development velocity to keep pace. Appsec roles are critical in shifting left: creating and enhancing practices and processes, appsec planning and integration into the delivery pipeline, and enabling automation (SAST, DAST, IAST, and RASP; note that RASP is a runtime control that complements, rather than replaces, the earlier-stage testing). Have a look at the Snyk article on shifting left for additional thoughts. https://snyk.io/learn/shift-left-security/
Reducing Application Security Technical Debt (appsec tech debt, security tech debt) - Beyond decreasing the cost of bugs, vulnerabilities, and breaches, appsec debt has financial, innovation, and retention (burnout) impacts that are strong ROI factors. Here are two suitable references.
https://www.invicti.com/blog/web-security/appsec-debt-hurts-make-it-stop/ - An appsec hire addresses every item in the section titled "4 ways that AppSec debt hurts your organization."
https://www.veracode.com/blog/2011/03/a-financial-model-for-application-security-debt - Good information on appsec cost factors.
See the separate Application Security Engineer description for the role details.