Thursday, September 03, 2009

Outsourcing and Top-Line Security Budget Justification

Very often security budgets are justified through risk management, closely related to loss avoidance or boosting the bottom-line (income after expenses). A security manager might say to the CIO, "If we spend $X on Y, we’ll reduce risk of loss of $A by B%, resulting in an estimated $C financial upside for our organization."

There are indeed a number of things that could negatively impact the bottom-line should an incident occur. Fraud, fines, lawsuits, incident response costs, and downtime are the most common. Heartland, for example, the organization at the center of the largest card data breach in U.S. history, said the event has cost the company $32 million so far in 2009.

For the last several years, data compromise has been a key driver for many companies to take Web application security seriously. More hacks translate into an increased security budget. "We must spend $X on Y so that Z never happens again, which would save us an estimated $C in incident-related loss." I guess we can thank the mass SQL injection worms for demonstrating why being proactive is important, if nothing else.

Recently though, I’m witnessing a shift, perhaps the start of a trend. A shift in which security spending is justified because it directly affects the top-line (income before expenses). "If we spend $X on Y, we’ll make customers happy, which has an estimated financial upside of $C for our organization." Let’s back up and examine this further.

A big part of my job is speaking with WhiteHat Sentinel customers, many of whom are in the business of providing Software-as-a-Service (SaaS) solutions for IT outsourcing -- a fast-growing market as organizations look to cut costs. I’m hearing more stories of their prospective enterprise customers, concerned for the safety of their data, putting these vendors under the security microscope. Enterprises understand it is their butt on the line should anything go wrong, even if the vendor is to blame.

To manage the risks of outsourcing, enterprises are requiring the SaaS vendor to pass a Web application assessment before they sign up. If the vendor already has a reputable third-party firm providing such assessments, such as WhiteHat Security, then more often than not the reports will satisfy the prospective client, provided the findings are clean. If not, then the enterprise will engage an internal team or a third party (again, like WhiteHat) at their own expense, which is when things get really interesting.

If serious issues are identified, which is fairly common, the best-case scenario is that the sales cycle slows down until the vulnerabilities are fixed. This could easily take weeks, if not more. Worse, it could also initiate disruptive fire drills in which developers are pulled from projects creating new features and instead instructed to resolve vulnerabilities NOW for the sake of winning near-term business. The consequences are real and potentially devastating to a business. On one hand, the account could be lost entirely because of a loss of the customer’s confidence. And worse still, if word gets around that your security is subpar, then the ramifications are clear. When sales are lost like this, especially in the current economy, security budgets based on increasing the top-line become really attractive.

For this reason it seems the move to “the cloud” is incentivizing organizations to make a substantive investment in Web application security or risk losing business from savvy customers. Even more amazing is that after vendors put a program in place, the investment can be used as a competitive advantage. They’ll hype the fact to customers by volunteering their security reports and program details upfront. As enterprises shop for SaaS payment processors, e-commerce hosting, financial applications, etc., they will expect to receive the same from other companies, who may not be in a position to deliver.

If you are a security manager, take the time to ask the sales department how often “security” is part of the buying criteria for customers. If it is, that could be an excellent opportunity to align yourself with the business.

Anyone else seeing this trend?


Planet Heidi said...

Absolutely. We're a Web financial SaaS provider and we're very much under the audit microscope from prospective and current customers. Good security means faster sales.... I've got testimonials from the sales team to prove it.

Anonymous said...

What she said. Suspect this is strongest in fin svcs and medical/pharma.

Jeremiah Grossman said...

@Heidi, what types of security questions are customers asking? What assurances are they expecting? Whatever details you could provide would be quite helpful.

David Rook said...

Hi Jeremiah

We are seeing security increasingly used as a unique selling point for us as a company.

We are in the process of signing a major client whose reason for outsourcing is security/risk related. They came to our offices and spent more time questioning/chatting with the security team than any other area.

We find the fact that we have security (and development staff) involved in security projects such as OWASP and presenting at places like DEFCON a definite USP in our market space (payments BTW).

We are seeing more and more people actually not accepting PCI compliance as enough assurance anymore. They want to see how we address the common flaws in our market space (secure app development being right up there) in a way which shows expert level security knowledge and processes above and beyond a compliance standard.

In short, we invested heavily in security (even to the point that it is now a company value) because it not only keeps us in business but it clearly can win us business as well.


Jeremiah Grossman said...

@David that is great! So in many ways are you seeing security pay for itself with respect to increase in sales?

David Rook said...

Hi Jeremiah,

Not quite yet but with the effort we are putting into it I imagine we will see security effectively pay for itself through increased sales. Another one or two big clients who move to us for our security expertise and processes and that would definitely be true.

I don't have any hard facts for that yet but I will keep an eye on it.


Jeremiah Grossman said...

Talk about a security success story. Wow, well done! Feel free to name drop the company if you feel so inclined.

Planet Heidi said...

Customers are asking first for certifications and associated paperwork (aka SAS-70, Cybertrust cert), second they ask for vuln test results within 3 months currency, third they usually hit us with a questionnaire that is a variant of PCI. That's about all the detail I can go into.

David Rook said...

I won't mention our name on here, but if you have more questions feel free to contact me directly.

Or, you could send them over to Ireland with Tom Brennan - I'm speaking at the same conference as him on Thursday here in Dublin!


Jeremiah Grossman said...

@Heidi, that is great, thank you for sharing. Very interesting that they know enough to ask for a current pen-test report.