This is the second part of my Black Hat interview with Barmak Meftah, Sr. VP, Products & Services at Fortify. In this installment, Mr. Meftah discusses ways to evangelize security.

How do we market security? The cyber-bullies among us might still use Fear, Uncertainty, and Doubt. While this may produce short-term acquiescence, that approach ultimately alienates us from the decision makers. Others may rely on methods of calculating ROI. While I applaud this approach for its attempt to plug into the business mindset, the realities of security make accurate ROI problematic at best. Still others borrow a play book from the insurance industry and try to highlight the “cost avoidance” benefits of security controls. It’s a good idea on the surface, but hard to do with the same level of actuarial precision found in mature insurable products like cars, homes, and people.

So what are we really selling when it comes to security? The first part of this series highlighted that risk is a function of how business is conducted. Similarly, we must understand what the business feels is important in order to know what the business will buy. In other words, we must understand our customer – what makes them happy and what makes them mad. We must be able to form a relationship with our business customer that satisfies their needs. If security investments were not about relationships, there would be fewer vendors in the market. So how do we apply this toward marketing a security program?

“Security professionals must identify what is valuable to the business and then associate the need for security with those assets,” said Meftah. He pointed out that security is a corporate value in the financial and defense sectors. Security isn’t merely a policy in these sectors. It is a cultural value that connects with the corporate mission. The automotive and oil sectors, he argued, don’t have the same commitment to security.
I would argue that security has not been associated with the values of these companies. Mr. Meftah cited three drivers that lead business stakeholders to take information security seriously. These drivers are important because they influence the way your product, “security”, is perceived.

Compliance Requirements

According to Mr. Meftah, compliance requirements such as PCI DSS and FISMA are motivating companies to take a closer look at their application security. Given the nature of the data flows that these requirements address, their existence is necessary. There is a tendency, however, to assume that compliance means security. Meftah stresses that “these regulations provide security baselines fashioned for a business sector.” The recent Heartland breach demonstrates that an organization can satisfy the letter of compliance requirements while ignoring their spirit.

Assessments

“One of the things that pen testing does really well,” said Meftah, “is identifying if there is a problem in the application.” By simulating what a hacker might do, the penetration testing team can qualify the nature of the business risk. It’s hard to argue against a demonstrated technology or process exploit. However, if the findings are not connected to corporate priorities, they may be interpreted as having negligible impact.

Incidents

If compliance requirements or assessments are not employed successfully to persuade appropriate control investments, the risk of an incident is enhanced. According to Meftah, an incident is often the catalyst for security investments. “Unfortunately, this has been the most effective way to show businesses that they have to pay attention to their applications,” he said.
Indeed, a March 2009 OWASP Security Spending Benchmark Report stated that “companies that have suffered security incidents are more likely to invest in security.” Depending on the nature of the incident, the remediation costs often exceed the costs of addressing the underlying vulnerabilities earlier in the process.

The final installment of this interview will focus on the need for a secure software development curriculum in all colleges and universities.