What are executives doing about vulnerabilities?
Our friends at Sonatype published a very interesting blog by Mark Troester illustrating the apparent disconnect between executive desire for secure applications and the actual effort spent making them secure. I encourage you to read Mark’s piece, which highlights some interesting data from the (ISC)2 Global Workforce Study CXO Report. He points out that even though application vulnerabilities account for 72% of the top security threats, the effort spent on application security during development is dismal. The reason for this state of affairs is a complex topic. No one argues that we want/need more secure software. The question many are faced with, however, is what’s the easiest and least expensive option? Build security in OR fix vulnerabilities as they pop up and cause issues?
I’m not going to opine on the technical merits of one over the other, but rather speak to the marketing and brand equity costs associated with tabling security efforts until they’ve reared their proverbial ugly head. The line between marketing and IT has not just thinned over the past few years, but been altogether blurred. Marketers are now walking into an IT director’s office demanding the latest and greatest open course CRM or CMS. They want to integrate social media applications and location based services. Marketing, in the business world, is often driving the software implementation and development path, which puts pressure on the technical staff to evaluate a lot of new software applications. This creates some inevitable friction, as noted in a blog on Harvard Business Review this week.
Since I am a marketer, you’d think I’d be be firmly on the side of Team Marketing in this debate, but the truth is that the more I learn from developers and assurance testers, the more I want to encourage my business colleagues to slow down and give IT a little time to vet the software we marketers are clamoring to have. There is no real excuse to skip security and assurance testing before software is either 1) deployed to the customer (if you’re an application developer) or 2) deployed within your environment. Yes, it’s going to take a little time, which will make you nervous as you add up your developer billing rates. But the tradeoff may well be worth it.
Here’s an example from a past life:
As a director of marketing, I spend an average of $150 to acquire a new customer. This number is an aggregate of various efforts, like online, print and direct mail marketing. (It doesn’t even include the man hours needed to create an engaging campaign or train the sales staff, etc.) As a result of my efforts, I gain 10,000 new customers in a year. This is good news because once I have a new customer, my costs to retain him go down each year, sometimes as low as $30/per year. As long as I provide good products and services, I’m good. I can see a return on my investment.
Now let’s pretend that my team and I decide to install and implement a new application on our website or on our server. We’ve given IT a short amount of time to vet, install and support this new software. It’s all about beating our competitors, right? Now imagine that this software has a critical vulnerability that creates a window of opportunity for a hacker to access confidential customer or vendor data. This could be names and addresses. It could be credit card information or passwords or all of the above (how timely to have Adobe as the poster child for this situation).
Begrudgingly, we need to let customers know that we’ve been hacked. Depending on how we approach our customers with the problem, they may give us another chance to earn their trust. But what if they don’t? What if I have to go find another 10,000 or more customers at $150 each just to replace the ones I already gained? What if I have to engage a PR firm at $250/hour to manage the branding issues that will inevitably pop up? I’m looking at thousands of dollars…hundreds of thousands of dollars to find business and regain trust. That’s a lot more than the initial investment I could have made in assurance and vulnerability detection efforts.
Of course, even security experts will tell you that there are no guarantees and determined hackers sometimes prevail. But, if you have an opportunity to reduce your risk, why not take it. To all my marketing friends, here’s my call to action…work with IT and listen to their concerns about security. I think you’ll be glad you did.