How should your company think about investing in security?
Like many things in life, with the security of your company’s application, you get what you pay for. You can spend too little, too much or just right.
To find the right balance, consider Goldilocks: she goes for a walk in the woods and comes upon a house. In the house, she finds three bowls of porridge. The first is too hot, the second is too cold, but the third is just right.
Download Ted's free ebook, "How to secure your software faster and better."
Goldilocks is the master of figuring out “just right.” To determine the appropriate security budget for your company, you need to be, too.
How much security effort is too much?
First, let’s explore the idea of overinvesting in security. How much is too much?
At a certain point with security, you start to see diminishing returns: issues still appear but more rarely. Security is never really “done,” so it’s tricky knowing when to move on. There’s always more to do, more to find, more to fix. Knowing when to wrap up depends on your threat model, risk appetite and your unique circumstances.
11 courses, 8+ hours of training
However, your company probably isn't in this category. Almost nobody is. You certainly can get there, but you’re likely not there now. The takeaway is this: even though you’re probably not in this category yet, it’s important to know that security is not an endless investment of resources. There is a point at which you can accept the remaining risk and move forward.
The problem with too little effort
On the other hand, companies often spend too little effort on security. Almost everyone falls into this category.
Security is often viewed as a “tax” on the business. Companies want to minimize any kind of tax, and so they try to cut security spending inappropriately. However, most people don’t realize that when you cut costs, what you actually cut is effort: how much time you invest, how manual it is, how much attack surface you cover and how thoroughly you develop custom exploits. That’s a dangerous elixir because your attackers already invest more effort than you can. Cutting effort just cedes more advantage.
As a leader, you’re under tremendous pressure to make the best use of the limited money and person-power you have, and those resources need to cover a wide range of priorities. It’s sometimes hard to justify the investment in security, and even when you can, you aren’t always sure where the best place to invest it might be.
Here’s the harsh reality, though: the less you invest, the less it returns. When you cut costs too far, you prevent outcomes that help you get better. Achieving your security mission is going to cost you time, effort and money. There is no way around that. When those investments get cut to the bone, what’s really reduced is your ability to succeed.
The level of effort that’s “just right”
The trick to successful application security lies in finding your sweet spot, that magical balance where you uncover useful issues without investing too much or too little. There are many variables that influence this, including:
- The value of your assets
- The skills of your adversaries
- The scope of your attack surfaces
- The amount of risk you’re willing to accept
As a ballpark estimate, to do application security testing right is probably going to cost $30,000 to $150,000 or more per year, per application. Some cost far more than that.
That number might shock you; as discussed, most companies are in the category of spending too little. Security isn’t cheap because it’s not easy, it requires a unique skill set, and it takes effort.
However, doing security right is worth the price.
The incremental cost of doing security right is a tiny, microscopic spec compared to the gigantic cost of a security incident. Most importantly, since most companies struggle to do security right, those who do obtain an enormous advantage over their competitors. You want to be one of those companies. To get there, you need to invest appropriately.
There are no security shortcuts
Ultimately, you can’t achieve security excellence by going cheap. You can’t find the unknowns for cheap. You can’t discover custom exploits for cheap. You get what you pay for, and there’s no way around that. However, you also don’t need to spend endlessly either; even though there’s always more to fix, there is a point at which you can accept the remaining risk and move on.
The best approach is to channel your inner Goldilocks and find the budget that’s “just right” for your company. Figure out how rigorous and comprehensive an assessment your application requires, and don’t fall short of those standards.
11 courses, 8+ hours of training
When you focus on reducing cost, you let the wrong factors drive your security mission; you wind up trying to slash investment. That simply reduces effort and thus undermines your chances of security success. Instead, use the right factors to drive your security mission: what you want to protect, why and from whom. Trust that there is a happy balance that sets you up for success on your security mission, while meeting the financial constraints that exist in every business. Go find that balance.
The best place to start is to establish your threat model, and use that as the basis to determine risk. Once you understand risk, find the appropriate balance of investment that helps you manage it to a level you’re comfortable with.