Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp.
Beyond his leadership roles, Irfaan is a dedicated community builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security.
In this episode, we tackle a big and often uncomfortable question: Can we actually quantify the ROI of AppSec?
Security leaders are constantly pushed to justify their budgets, but when it comes to application security, how do we measure success? Are we tracking the right metrics, or just playing a numbers game? We’ll also discuss:
- The hidden costs of delaying AppSec and why technical debt is a silent killer
- How security leaders can sell AppSec to executives and actually secure budget
- The challenge of measuring AppSec effectiveness—what metrics actually matter?
If you’ve ever struggled to prove the value of security initiatives—or just want a fresh perspective on AppSec priorities—this episode is for you.
Connect with Irfaan: https://www.linkedin.com/in/irfaansantoe
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Re-invent security: https://re-inventsecurity.com/
RiskApp: https://www.riskapp.com/
OWASP Security Champions Guide: https://owasp.org/www-project-security-champions-guidebook/
The CISO’s Guide for Implementing DevSecOps in the Enterprise: DevSecOps Visions from 10 European Information Security Leaders: https://www.amazon.co.uk/CISOs-Guide-Implementing-DevSecOps-Enterprise/dp/9464807571
How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292