Security Budget.jpgJustifying security investments to protect internal operations is a difficult proposition in the corporate world.  Internal security typically does not generate revenue.  It simply protects the systems which contribute to the revenue stream.  As such, it is an expense.  Nobody wants to lose IP and with it a competitive advantage, have the customer facing website be unavailable due to denial-of-service attacks, or have operations come to a grinding halt because malware has fouled up critical compute systems.  But most executives also don’t want to sacrifice investments on innovation or revenue generating programs for security which may not be absolutely necessary.  A balance must be struck between security spending to protect the organization and competing projects which generate revenue.  In short, leadership typically does not want to spend a single dollar more on security than required.  Even when everyone agrees security is needed, debates around ‘how much’ security is optimal, tends to be a vigorous debate. 


So what are justifiable reasons to spend precious resources on internal security?  Here are the 5 Reasons Companies Invest in Internal Security: 

  1. Reduce costs.  Security incurs a cost.  Most organizations already commit to some level of security.  Any investment which will improve efficiency to reduce current security expenditures, while maintaining an acceptable level of risk, makes financial sense.   Those resources freed up can be reallocated to revenue generating purposes.
  2. Risk reduction.  Managing known risks is an ongoing exercise.  Risk appetites are subject to change as are the pressing threats which bear down on an organization.  Investing in new security to maintain the optimal level of acceptable risk must sometimes occur to offset changes in the risk landscape or concerns of executive leadership.  It comes down to the perception of risk-of-loss.  Hindsight, such as after an incident, provides the clearest vision and tends to heavily influence decisions to increase security spending.  Foresight is a tougher sell, but market and peer indicators can lead to proactive allocation to better security solutions and lower amounts of future loss
  3. Intersect new risks.  Threats are constantly evolving and opening new vectors for attack.  New risks do emerge.  In many cases legacy security is unable to cover these new avenues of loss.  Innovative or updated security may be necessary to intersect new or anticipated risks to maintain the desired defensive posture
  4. Regulatory compliance.  New regulations are emerging across many different sectors and industries.  For most organizations, they represent the absolute minimum.  To satisfy compliance requirements, instituting specific security controls may require additional investment and changes to business processes
  5. Productivity or user-experience gain.  Improving users experience or productivity has an economic benefit.  The reduction of friction associated with security overhead can increase user satisfaction and productivity.  In corporate environments, systems which improve output are easy to justify.  Reducing login time, eliminating distracting spam, speeding up password reset processes, or shrinking authentication hurdles are great examples where productivity rises while making users lives a little less frustrating.  

 

Those five areas of spending are rational and important, but something is missing.  Organizations should be looking beyond their internal controls protecting their operations and also invest in ensuring their external products and services are also trustworthy, hardened, and secure.  Such offerings are the source of revenue and goodwill and as such deserve a secure design, proper testing, trusted manufacture, and benefits of best-known-practices to enable a continually strong defense against rising threats.  Customers are beginning to recognize the value and potential impacts for poorly secured products. 


Forward thinking companies are already moving into this space.  The investment can be high but the payoff is more secure products, a stronger position for the corporate reputation, likely a lower Total-Cost-of-Ownership for customers who would be less burdened by fixing problems, and maybe most importantly avoidance of a very ugly or business crippling incident. 


As the industry matures, metrics become clearer, regulations are enacted, and accepted business practices are defined, the path will emerge to justify and mandate product and service security controls.  Until that time, it is likely only a few will invest in such processes as Secure Design Life Cycle (SDLC), Design for Security (DFS), or scrutinize how their products can remain secure over their functional lifetime.  Eventually, controls must be embedded into the product pipeline as it is an investment in quality which builds Trust.  And trust is the currency of security.