Recently, I've been talking a lot about business driven communication in security, building trust and the value proposition. I've incorporated these things into my high performance coaching and training programmes for years, as communication—the imparting or exchanging of information by speaking, writing, or using some other medium—is vital for today's savvy and progressive cyber security leaders.
You see, cyber security is topical and it’s exposing all of us in the industry to new areas. As people buy people, even if you don’t think you’re selling something in security, people are always buying. They’re buying into you—your mission, vision, leadership—and deciding whether or not they trust you. Creating trust is therefore vital if you’re going to enable stakeholder buy-in, move a project forward, get a promotion, a bonus, a new job or a speaking opportunity, make sales and attract top talent.
And business driven conversations around security, when you're meeting your buyer where they're at and seeing things through their lens, build trust. They elevate you to another level. They differentiate you from the crowd. From the average.
Security is known mostly as the department that likes to say “no,” and that reminded me of a blog I wrote in 2009, when I owned my penetration testing firm and CISOs and CSOs hadn't become a standard function in an indexed business [wink, wink]. It was entitled ‘Security as a Business Enabler,’ and it's as relevant now—almost a decade later—as it was then.
Promoting the validity of penetration testing, as a business enabler, here's what I wrote.
When it comes to penetration testing I don’t think I’ve ever met an IT Security Manager who’s not had the problem of justifying their internal spend. Like most areas in IT Security, traditionally this is viewed as an expense and managers have had great trouble in trying to ascertain the Return on Investment (ROI). This blog explores the concept of penetration testing as a business enabler and how budgets can be secured by selling the business benefit.
When IT Security Managers address penetration testing, their objective is typically to manage risk, meet regulatory compliance requirements and fulfill user needs. In this area of specialism, undoubtedly there's a tendency to think in terms of keeping the “bad guys” out. However, penetration testing can actually do much more than this. It can securely let the “good guys” in, thereby helping to enable business initiatives.
Traditionally, penetration testing has largely been justified in terms of keeping the “bad guys” out. When identifying weaknesses in the security controls, such as those used to protect against viruses, hacker attacks and unauthorised access attempts, this is clearly the goal. However, one important and often underappreciated benefit is in securely letting the “good guys” in—and the associated enablement of business initiatives. Effective and regular programs of penetration testing provide the secure infrastructure upon which an organisation can more easily grow its business. They strengthen the relationship with existing customers and partners, thereby creating sales opportunities for additional products and services.
Let’s look in more detail at how an organisation can use penetration testing to help grow and strengthen their business.
Customer Acquisition
Every organisation wants to grow their business. Organisations can do this by simply selling more to their existing customer base, and by expanding their business to new customers. To do this, however, organisations must be able to introduce new (often online) products and services, quickly and seamlessly. When penetration testing occurs during software development (ideally instigated at the design phase and as part of the QA process), an organisation is able to speed up the quality development and deployment of new applications and to simplify the process of managing the entitlements of users to these applications. The cost savings associated with doing this are attractive too. IBM reported the cost to fix an error found after product release was up to 100 times more than one identified in the maintenance phase.
In areas of embargo too, it can help open up markets that were previously limited or avoided.
Improved Customer Relationships
Customers today expect high levels of responsiveness and service from the organisations with which they do business. One important way to keep customers happy and loyal is to provide them with an excellent experience every time they interact with the organisation — for any reason. Their experience consists of a combination of all their interactions with the organisation and their website experience is one of the most important and high profile of these. If an online service is unavailable, business is usually taken elsewhere and revenue is lost. Having a website that is available when needed, with no degradation in quality or service level ensures customer satisfaction. Ensuring the security of an online service is an important part of maintaining service availability.
Enhanced Business Credibility and Customer Confidence
In almost all kinds of business, the most important corporate asset is the corporate brand, and the organisation’s reputation goes hand in hand with this. Public knowledge of security breaches can have a catastrophic effect on the willingness of the public to do business with the organisation.
Examples from 2006 and 2005 illustrate this point well. When Acxiom (a company that processes credit card information) lost a tape containing customer data, the effect was dramatic. The direct costs of managing the situation were close to $1 million, but the effect on the company’s reputation was much worse. Similarly, in 2005, CardSystems had an incident where hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with the counterfeit cards. As a result of the breach, CardSystems almost went out of business and was eventually purchased by PayByTouch. The CardSystems incident is considered by many to be the most severe publicised information security breach ever, and it caused company shareholders, financial institutes and cardholders millions of dollars in damages.
Assuring the privacy of customer confidential information (whether health-related, financial, personal or other) is critical not only for customer confidence but also for meeting the requirements of governmental privacy mandates (e.g., in the UK, the DPA and in the US, SOX). Some organisations have also had to certify with PCI-DSS, FSA and/or the GC and have therefore adopted widely used IT security frameworks, such as ISO 17799/27001 and CoBIT to create an environment of accepted security best practice. Both mandate regular programs of penetration testing and so when used consistently throughout the organisation, help to strengthen customer confidence in the privacy of their confidential information, avoid costly and dangerous security breaches, and prevent unauthorised access to critical IT assets.
With or without these frameworks, mandates and certification schemes one thing is for certain: organisations that make assurances through thorough penetration testing enhance customer confidence that their confidential information is being adequately protected by the organisation. They ensure that valuable corporate resources are being kept secure and private, and are only available to properly authorised individuals for approved actions. The confidence that customers have in the security of the entire environment plays a key factor in their decision to remain a customer, partner or even acquirer.
New Partner Business Models and Opportunities
One of the biggest challenges to the creation and expansion of robust customer/partner ecosystems is the lack of strong, consistent security across these environments. Many organisations would like to tightly integrate suppliers, distributors, outsourcers and other marketing partners into a unified IT infrastructure that allows members of one organisation to securely access the applications and information of another. To achieve this, however, an organisation needs to perform a penetration test to assess the threat. Once it has assessed the suppliers’ security posture (and revealed it as secure), the organisation is able to expand and more tightly integrate the partner’s ecosystem and supply chain, in order to greatly increase the set of services available for its online users and partners. An identity federation environment can significantly help open up new and promising business opportunities for any organisation. It can also help the organisation become more agile in the ever-changing IT business world. The organisation is able to respond to competitive threats more easily, as well as to adopt new organisational structures (including M&A activity), compared to organisations that have no centralised way of managing identities.
Conclusion
Organisations today face many challenges related to keeping the “bad guys” out. As important as this, to help fuel business growth, is for the business to securely let the “good guys” in. A comprehensive program of penetration testing is a key enabler for this. Many unsuccessful organisations have learned the pitfalls of not operating in this way and have paid the price of receivership or hostile takeover.
There are many business benefits to implementing a program of penetration testing. When it is seen as part of Quality Control (or Quality Assurance) during software development, it is the organisation’s statement to the market that the products and services will meet the expectation of the consumer. So, they will keep on buying. There are cost savings too. In QA it is widely accepted that the cost of quality is the price of nonconformance and that it is at least ten times more expensive to correct a problem than to prevent it. Preventing security issues through penetration testing should not be seen any differently, as the investment required to adequately protect the business’s critical assets is likely to be less than the cost of recovery from a serious incident, such as loss of personal data, disclosure of credit cards, unavailability of key services, brand damage, inability to trade, and so on.
Now I want to hear from you…
Tell me, in the comments below, how you're using security to enable business and whether you're now having more business driven conversations in security.
And, if you want to book me as a paid speaker for your event, or act as a strategic adviser to enable your business or department to grow and scale, or attract and retain more women in security, please complete this form.