Thursday, September 03, 2009

Outsourcing and Top-Line Security Budget Justification

Very often security budgets are justified through risk management, closely related to loss avoidance or boosting the bottom-line (income after expenses). A security manager might say to the CIO, "If we spend $X on Y, we’ll reduce risk of loss of $A by B%, resulting in an estimated $C financial upside for our organization."

There are indeed a number of things that could negatively impact the bottom-line should an incident occur. Fraud, fines, lawsuits, incident response costs, and downtime are the most common. Heartland, for example, the organization at the center of the largest card data breach in U.S. history, said the event has cost the company $32 million so far in 2009.

For the last several years, data compromise has been a key driver for many companies to take Web application security seriously. More hacks translate into an increased security budget. "We must spend $X on Y so that Z never happens again, which would save us an estimated $C in incident-related loss." I guess we can thank the mass SQL injection worms for demonstrating why being proactive is important, if nothing else.

Recently though, I’m witnessing a shift, perhaps the start of a trend. A shift in which security spending is justified because it directly affects the top-line (income before expenses). "If we spend $X on Y, we’ll make customers happy, which has an estimated financial upside of $C for our organization." Let’s back up and examine this further.

A big part of my job is speaking with WhiteHat Sentinel customers, many of whom are in the business of providing Software-as-a-Service (SaaS) solutions for IT outsourcing -- a fast-growing market as organizations look to cut costs. I’m hearing more stories of their prospective enterprise customers, concerned for the safety of their data, putting these vendors under the security microscope. Enterprises understand it is their butt on the line should anything go wrong, even if the vendor is to blame.

To manage the risks of outsourcing, enterprises are requiring the SaaS vendor to pass a Web application assessment before they sign up. If the vendor already has a reputable third-party firm providing such assessments, such as WhiteHat Security, then more often than not the reports will satisfy the prospective client, provided the findings are clean. If not, then the enterprise will engage an internal team or a third party (again, like WhiteHat) at their own expense, which is when things get really interesting.

If serious issues are identified, which is fairly common, the best-case scenario is that the sales cycle slows down until the vulnerabilities are fixed. This could easily take weeks, if not more. Beyond that, it could also initiate disruptive fire drills in which developers are pulled from projects creating new features and instead instructed to resolve vulnerabilities NOW for the sake of winning near-term business. The consequences are real and potentially devastating to a business. On one hand, the account could be lost entirely because of a loss of the customer’s confidence. Worse still, if word gets around that your security is subpar, then the ramifications are clear. When sales are lost like this, especially in the current economy, security budgets based on increasing the top-line become really attractive.

For this reason it seems the move to “the cloud” is incentivizing organizations to make a substantive investment in Web application security or risk losing business from savvy customers. Even more amazing is that after vendors put a program in place, the investment can be used as a competitive advantage. They’ll hype the fact to customers by volunteering their security reports and program details upfront. As enterprises shop for SaaS payment processors, e-commerce hosting, financial applications, etc., they will expect to receive the same from other companies, who may not be in a position to deliver.

If you are a security manager, take the time to ask the sales department how often “security” is part of the buying criteria for customers. If it is, that could be an excellent opportunity to align yourself with the business.

Anyone else seeing this trend?