Many security departments struggle tirelessly to obtain adequate budget for security, especially application security. It’s also no secret that security spending priorities are often grossly misaligned with respect to how businesses invest in IT. This is something I’ve discussed on my blog many times in the past.
The sheer lack of resources is a key reason why Web applications have been wide open to exploitation for as long as they’ve existed, and why companies are constantly getting hacked. While many in the industry understand the problem, they struggle justifying the level of funding necessary to protect the software their organizations build or license.
In December 2012, the SANS Institute conducted a survey of 700 organizations on app security programs and practices. That survey revealed that the primary barriers to implementing secure app management programs were “lack of management funding/buy-in,” followed by lack of resources and skills. Those two are pretty closely aligned, don’t you think?
A 2013 Microsoft survey obtained similar results. In it, more than 2,200 IT professionals and 490 developers worldwide were asked about secure development life cycle processes. The top barriers they cited were lack of management approval, lack of training and support, and cost. It’s time we start developing tools and strategies to begin solving this problem.
In a recent CSO article, SANS’ John Pescatore made some excellent points about how security people need to start approaching their relationships with management. Instead of sounding the alarm, they need to focus more on providing solutions. Let’s say that again: bring management BUSINESS SOLUTIONS and not just the problems. John correctly states that a CEO thinks in terms of opportunity costs, so security people need to use a similar mindset when strategizing a budget conversation with a CEO. Doing so does wonders.
Obviously, that’s not nearly enough of an answer to get a productive conversation started. We security people need more examples, business models, cost models, ROI models, real-world examples, and so on. This will be the topic of a webcast I’m co-presenting with John Pescatore, hosted by SANS. If you’d like come and hear us go over the the material, we’d love to have you there! on September 19 1pm EDT (10am PDT). Or, skip the webcast, and just read this whitepaper on the topic.