Business Risk: Selling AppSec to Business Leaders

Use compliance and reputation risk concerns based on these risk survey findings to persuade management  to invest in your Application Security programs

The table towards the bottom shows the top 25 lists of business risks as given by two different groups. The first list comes from the Lloyd's Risk Index 2011 featuring content from the Economist Intelligence Unit (EIU). The second is slightly older and is taken from the Ernst & Young Business Risk Report 2010.

These show the risks that business leaders are worried about.

What are the risks that can be leveraged to try and improve investment in Application Security programs? There's little point in saying "Guinness Application Security is good for you".  However, we can try to leverage the risks that senior management are worried about.

Compliance and Reputation would seem to be the two main arguments that we can put forward.

Compliance

Both surveys feature "changing legislation" or  "regulation and compliance" towards the top of the risks that business leaders are concerned about.  In our field,  this would include such topics as PCI DSS, Data Protection legislation, HIPAA etc. Our first argument would go along the lines :

• "We need to improve our application security program in order to comply with XYZ"

From my experience PCI DSS is definitely a strong motivator. Some companies realize that they need to comply and are undertaking security initiatives: something that would probably not have happened if PCI DSS did not exist.

Reputation
The other main risk which we can use seems to be Reputation. The Lloyd's Risk index has Reputational Risk at number 3 while the E&Y Business Risk Report has it at number 19. I presented the E&Y table at a recent OWASP Switzerland chapter meeting. The general concensus at that event was that companies are worried about reputation and so the Lloyd's Risk Index placement at 3 is more accurate.

The argument here is:

• "We need to improve our application security program in order to protect our reputation. Look at what happened to SONY, Stratfor, etc...."

Cyber Attacks
The Lloyd's Risk index mentions malicious cyber attacks as risk number 12 and cyber-risks (non malicious) at 19, whereas the E&Y report does not mention them specifically.

	Lloyd's Risk Index 2011	The Ernst & Young Business Risk Report 2010
1	Loss of customers/Cancelled orders	Regulation and compliance
2	Talent and skills shortages	Access to credit
3	Reputational risk	Slow recovery or double-dip recession
4	Currency fluctuation	Managing talent
5	Changing legislation	Emerging markets
6	Cost and availability of credit	Cost cutting
7	Price of material inputs	Non-traditional entrants
8	Inflation	Radical greening
9	Corporate liability	Social acceptance risk: corporate social responsibility
10	Excessively strict regulation	Executing alliances and transactions
11	Rapid technological changes	Inability to innovate
12	Cyber attacks (malicious)	Maintaining infrastructure
13	High taxation	Emerging technologies
14	Failed investment	Taxation risk
15	Major asset price volatility	Pricing pressures
16	Theft of assets/Intellectual Property	Resource scarcity
17	Fraud and corruption	Consumer demand shifts
18	Interest rate change	Global (re)alignment
19	Cyber risks (non-malicious)	Reputation risks
20	Poor/Incomplete regulation	Energy shocks
21	Critical infrastructure failure	Supply chain and "extraprise"
22	Government spending cuts	Managing new business models
23	Supply chain failure	Capital allocation
24	Pollution/Environmental liability	Intermediary power
25	Sovereign debt	Shifting demographics

Summary
Compliance and reputation risks are probably the two main risks to leverage when you are trying to convince management to invest in application security.  This type of approach might seem a bit underhand - but all is fair in love and war.

Links to surveys(PDF):

• Lloyds Risk Index 2011
• Ernst and Young Business Risk Report 2010 

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot