Security makes you money
Since the beginning of my career in information security, I've received some examples of why information security is important. These examples were explained in layman's terms that anyone could understand. However, I found some inconsistencies in them after hearing them one after another.
Let's start with the wallet example that one smart guy once told me. You have 50 USD in your wallet, and that's great. You love that money, but you also carry some risks now. Your wallet could burn, get soaked, or get stolen, among other possibilities.
So, how do you protect your wallet? You may attach a SIM chip to some fancy IoT device and monitor your wallet's location using an app for 10 USD, add a fire protection material for 30 USD, and use a special plastic to prevent the wallet from getting soggy for 20 USD.
Now, let's recap. You have a wallet that contains 50 USD, and you can add protections to make it 100% secure by spending a total of 60 USD. As you can see, it's great for security because we're mitigating many risks, but horrible for business because we've become indebted. That's why being 100% secure is possible in this case, but it doesn't worth it as the cost to protect is greater than the asset value (assuming that the wallet itself is worthless).
Well, I have nothing against this example. It's a very good way to explain that we can add some controls as long as they don't exceed the asset value.
On the other hand, during my career, I noticed that examples usually revolve around security as insurance or loss prevention. And it's true, but it's not the only principle we should talk about.
Security is not only meant to prevent losses, although it may have been in the past. It's also meant to be ahead of the game as a competitive advantage. I understand that it may seem strange at first. Can security make you money? Yes, it can. And the amount of money it can generate is only increasing.
Let's start with the easiest example to understand: the fact that HTTPS is a ranking signal when it comes to Google searches. This means that security is now part of the equation.
If your website gets blacklisted because of malware, you'll lose points in Google Page rank. So, not only does protecting your website against malware and adding HTTPS prevent losses, but they also increase your position in searches. A higher position means higher visibility, which can lead to more traffic and more potential buyers.
It won't surprise me if Google announces that if they notice your homepage has been defaced, you'll lose points too. The world is heading in that direction. Users are becoming more privacy-aware. They understand that information has value and they don't want to be tracked. It will take time, but that's where the world is heading. That's evolution for you.
But that's not all.
When selling a Commercial off-the-shelf (COTS) product, the buyer wants to know about its security, even though the majority have no idea how to validate it (read "A Security Market for Lemons" by Bruce Schneier). Not all buyers, of course, but their awareness is increasing, as shown in the SANS 2016 State of Application Security Report. Moreover, you can properly educate them to make them aware of the importance of security before they dive into your product.
This means that security adds value, and that's exactly what buyers look for during a purchase. They don't buy features; they buy value. The higher the value you provide, the more they're willing to pay. And if the perceived value regarding security is increasing, so is the money you make when you sell a product. If they're not willing to pay more, at the very least, you'll be ahead of the competition.
And still, that's not all.
There is also functional security that can grab the user's attention. For example, two-factor authentication, the ability to encrypt files, or an audit trail available to the user. These security features are on the same level as any other feature of the product. And guess what? They also provide value to the user/buyer. Not only does security in the background generate revenue, but security in the foreground does as well.
There are also gains related to the brand because improving security means improving the overall quality. It's hard to estimate the gain here, but it's a gain for sure.
That's it for today. Thank you for reading.