This blog was previously published on blog.tcell.io.
This week has been a pretty interesting week in breaches. With the recent news of Magecart being the attacker of both Ticketmaster and British Airlines, you can't help but wonder why companies aren't learning from each other so they aren't faulted for the same vulnerabilities. The answer in most cases is that they don’t have the resources available to stay ahead of these attacks. Security has traditionally been seen as a cost center, but with the mega-breaches of today, it raises the question—can executives demonstrate their AppSec return on investment (ROI) to get the resources they need when they need them, or are our favorite brands willing to risk our information because it’s too hard to prove the value of security?
AppSec is getting harder
It’s not a secret. Security is really tough. Every company is turning into a software company, and applications are just vulnerable by nature. The attack surface of the application is hard to define, especially with the way and speed applications are being built—microservices and containers, APIs, cloud services, etc. It’s the age-old saying, “You can’t protect what you can’t see,” or as tech evangelist Tim Mackey said, “You can’t patch what you don’t know is running.” As application security becomes more necessary, companies need to be able to change the perception of security-as-an-expense to that of adding business value. One way of doing that, is proving your application security program has a positive ROI. To do that, you have to understand your costs and what you stand to lose if you were to get breached.
Mo money, mo problems
Aside from the scale of available targets to hack, the actual cost of a breach is no longer an abstract concept. We have real use cases to benchmark ourselves against:
- Equifax, estimated $600 million
- Yahoo, estimated $350 million
- Heartland, estimated $145 million
- Maersk, estimated $10 billion
- Uber, estimated $20 billion (but that also takes into account the breach, the EU regulations, the HR scandal, and the competitive landscape)
Of course, all of these were before GDPR stepped in with its fines of $20 million or 4% of global turnover (whichever is higher). The most recent example of what GDPR’s impact will be to companies moving forward is at the cost of British Airlines. They are looking at a potential fine of $566 million from the Information Commissioner’s Office alone. Point is, it’s getting really expensive to get popped.
When we factor in the cost of a breach, we have to take into consideration the fines, the reimbursement to customers, PR, infrastructure and applications to repair, stock sell off, and the loss of business from consumers who no longer trust the brand. Effective application security establishes trust with the consumer over time. The stronger the security program, the stronger that brand trust is established. In fact, according to Frost and Sullivan’s Global State of Online Digital Trust,” consumers spend more with brands they trust by 53%. That trust is determined by how well the company can protect their data. Bottom line is, if you want customers to buy from you, you have to have effective security in place.
Lack of accountability has a negative ROI effect
Besides a few lawsuits and charges of insider trading, the FTC and CFPD hasn’t done much in the way of sanctions since Equifax. Equifax spent 1.4% of its net worth on a data security infrastructure ($200 million) as of July 2018. Cool, Equifax is finally getting their security wishlist fulfilled after the fact, but did that change the way the rest of us look at security?
Well, according to Fortune magazine, “as many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts.”
Hmmm, maybe not.
What about NotPetya, the devastating attack that basically took down an entire global economy last June? According to a recent piece in Wired, back in 2016 the shipping giant, Maersk, had a security makeover green-lit and budgeted, but they were never incentivized to carry it out and its implementation was never a key performance indicator. So, it never happened. This is not entirely unlike the situation at Equifax, either.
We’re a year and some change out from the Equifax breach and countless others. Has that had an impact on our spending in security?
“World-Wide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017” according to Gartner. That should be a good indicator, but what’s driving these investments?
The more breaches we have, the more we spend updating our security infrastructure. It’s no wonder why so many executives see security as negative ROI when they’re spending the money after they’ve been breached.
Knowing your Appsec ROI
Despite the fact that when a data breach is reported 48% of consumers stop using that service due to lack of trust, the majority of companies are still taking a reactive, wait-and-see approach instead of being proactive about their security posture.
In order to move security away from being seen as an expense to one that adds value, we need to be able to recognize a few facts about application security:
- KPIs at the executive level will establish a more effective security program.
- Appsec should to be considered as apart of the brand value strategy.
- Knowing the ROIfor your appsec tools is imperative to getting proper resources.
Across the board, security is getting more challenging and more costly. With legislation coming down the pipe and hackers finding new attack surfaces, executives need to be able to establish security as a competitive value instead of eating the costs after the fact. To help with this, we put together this AppSec ROI calculator as an easy way to understand your ROI as it pertains to your organization. We hope you enjoy.