This week a group called the Application Security Industry Consortium will debut, with the goal of offering ways to measure security ROI and apply metrics to buying security products.

Chief information security officers can have a difficult time fighting for budget dollars, because detailing the business ROI of buying a security product is far different from buying a Web portal.

This week a group called the Application Security Industry Consortium (AppSIC) will debut, with the goal of changing that situation by offering ways to measure security ROI and apply metrics to buying security products.

Security Innovation heads up AppSIC, which was founded by 14 vendors, analysts and companies that buy, sell and use products. The consortium includes rivals such as Microsoft, Red Hat, Oracle and SAP.

Herbert Thompson, the consortium's chair and director of security technology at Security Innovation, says AppSIC members will meet monthly to exchange ideas and vet papers to be issued under the AppSIC imprimatur.

"For instance, we'll publish the top 10 questions I'd need to ask my vendor on software security before I buy, and the kinds of answers you should expect," Thompson says. "And we're going to help enterprises factor in security in their budgets, as well as help IT development groups increase software security."

Many say the need to get a better grip on what security ROI means is clearly there.

"As a CISO, you have to give up being a geek and become a business manager," says Rolf Moulton, interim president and CEO of the 40,000-member organization International Information Systems Security Certification Consortium (ISC2).

ISC2 last week released a survey of more than 4,000 security professionals that indicates the CISO is increasingly expected to interact with upper management.
Management wants security expressed not in technical terms but as risk management, Moulton says.

It's easier to express the security ROI of security services, because a managed service can be defended as an economical alternative to buying software, says Andrew Krcik, vice president of marketing at PGP.

"The problem with security is, you are spending money to try and prevent bad from happening," says Doug Jacobson, director of Iowa State University's Information Assurance Center. "It often doesn't add to the bottom line on the balance sheet, unlike other IT acquisitions where you add more computing power, more network bandwidth, more storage, which are easier to justify."

Thompson says AppSIC is open to all comers and there's no membership fee to join.