Sunday 8 January 2012

Business Risk: Selling AppSec to Business Leaders

Use compliance and reputation risk concerns based on these risk survey findings to persuade management  to invest in your Application Security programs

The table towards the bottom shows the top 25 lists of business risks as given by two different groups. The first list comes from the Lloyd's Risk Index 2011 featuring content from the Economist Intelligence Unit (EIU). The second is slightly older and is taken from the Ernst & Young Business Risk Report 2010.

These show the risks that business leaders are worried about.

What are the risks that can be leveraged to try and improve investment in Application Security programs? There's little point in saying "Guinness Application Security is good for you".  However, we can try to leverage the risks that senior management are worried about.

Compliance and Reputation would seem to be the two main arguments that we can put forward.


Both surveys feature "changing legislation" or  "regulation and compliance" towards the top of the risks that business leaders are concerned about.  In our field,  this would include such topics as PCI DSS, Data Protection legislation, HIPAA etc. Our first argument would go along the lines :
  • "We need to improve our application security program in order to comply with XYZ"
From my experience PCI DSS is definitely a strong motivator. Some companies realize that they need to comply and are undertaking security initiatives: something that would probably not have happened if PCI DSS did not exist.

The other main risk which we can use seems to be Reputation. The Lloyd's Risk index has Reputational Risk at number 3 while the E&Y Business Risk Report has it at number 19. I presented the E&Y table at a recent OWASP Switzerland chapter meeting. The general concensus at that event was that companies are worried about reputation and so the Lloyd's Risk Index placement at 3 is more accurate.

The argument here is:
  • "We need to improve our application security program in order to protect our reputation. Look at what happened to SONY, Stratfor, etc...."
Cyber Attacks
The Lloyd's Risk index mentions malicious cyber attacks as risk number 12 and cyber-risks (non malicious) at 19, whereas the E&Y report does not mention them specifically.

Lloyd's Risk Index 2011 The Ernst & Young Business Risk Report 2010
1 Loss of customers/Cancelled orders Regulation and compliance
2 Talent and skills shortages Access to credit
3 Reputational risk Slow recovery or double-dip recession
4 Currency fluctuation Managing talent
5 Changing legislation Emerging markets
6 Cost and availability of credit Cost cutting
7 Price of material inputs Non-traditional entrants
8 Inflation Radical greening
9 Corporate liability Social acceptance risk: corporate social responsibility
10 Excessively strict regulation Executing alliances and transactions
11 Rapid technological changes Inability to innovate
12 Cyber attacks (malicious) Maintaining infrastructure
13 High taxation Emerging technologies
14 Failed investment Taxation risk
15 Major asset price volatility Pricing pressures
16 Theft of assets/Intellectual Property Resource scarcity
17 Fraud and corruption Consumer demand shifts
18 Interest rate change Global (re)alignment
19 Cyber risks (non-malicious) Reputation risks
20 Poor/Incomplete regulation Energy shocks
21 Critical infrastructure failure Supply chain and "extraprise"
22 Government spending cuts Managing new business models
23 Supply chain failure Capital allocation
24 Pollution/Environmental liability Intermediary power
25 Sovereign debt Shifting demographics

Compliance and reputation risks are probably the two main risks to leverage when you are trying to convince management to invest in application security.  This type of approach might seem a bit underhand - but all is fair in love and war.

Links to surveys(PDF):

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot


  1. Definitely a general consensus on these - I like the 4 R's at

  2. PCI Compliance is important to ensure the safety not only of the buyers and consumers but also the company itself. This institution is conducting a thorough test to ensure the reliability and safety of payment methods.