Making the business case for additional spending on application security measures is hard to justify without risk data derived from analysis of the impact of emerging threats and of the increased level of risk that needs to be mitigated. Threat analysis data allow informed risk management decisions. In the absence of such data, management is left with subjective considerations about threats.
Subjective considerations about threats are most often decisions based upon Fear, Uncertainty and Doubt (FUD). Acting upon FUD to mitigate risks posed by emerging threats is reactive and ineffective. Examples of FUD-driven considerations include, but are not limited to:
- Fear of data breaches
- Fear of failing audit and compliance
- Uncertainty regarding business threats
- Doubts about effectiveness of existing security measures in light of recent security incidents
The intent of this part of the guide is to help CISOs create an additional business case for application security investment based upon objective threat analysis instead of subjective considerations. From a compliance with standards perspective, objective considerations are based upon a rationale for investing in application security that includes complying with new security standards and regulations that impact applications. From a threat analysis perspective, objective considerations are based upon data regarding the business impact of emerging threat agents seeking to compromise applications for financial gain.
Specifically, when making the case for mitigation of risks, CISOs need to avoid assumptions and back the case with data such as reports and analysis of cyber-threats and security incidents, costs of data breaches to estimate liability, and quantitative calculations of risk based upon estimates of probability and impact. Based upon risk calculations and data breach cost estimates, the CISO can articulate how much the organization should invest in application security and determine which specific measures to invest in.
From a fear perspective, it is true that CISOs can also exploit the momentum created by an event, whether negative or positive, but doing so is part of a reactive risk management approach and reflects low maturity in dealing with risks.
Often application security spending is triggered by a negative event such as a security incident, since this shifts senior management's perception of risk. However, CISOs should find that using a one to two year roadmap to drive security investment is more effective, as found in the 2013 OWASP CISO Survey.