Security makes you money

Since the beginning of my career in information security I've heard several examples of why information security is important. Such examples came in layman's terms that anyone could understand. But I found some inconsistency in them after hearing one after another.

Let's start with the wallet example that a smart guy once told me. You have 50 USD in your wallet, and that's great. You love that money, but you also carry some risk now: your wallet could burn, get soaked, get stolen, and so on.

That said, how do you protect your wallet? You could attach a SIM chip to some fancy IoT device and monitor your wallet's location with an app for 10 USD, add a fire-resistant material for 30 USD, and a special plastic that keeps the wallet from getting soggy for 20 USD.

OK, let's recap. You have a wallet containing 50 USD, and you can make it 100% secure by adding protections that cost 60 USD in total. As you can see, that's great for security, because we're mitigating many risks, but horrible for business, because we've gone into debt. And that's why being 100% secure is possible in this case but not worth it: the cost of protection is greater than the asset value (supposing the wallet itself is worth nothing).

Well, I have nothing against this example. It's very good at explaining that we can add controls as long as their cost doesn't surpass the asset value.

On the other hand, during my career I noticed that examples usually treat security as insurance, as a form of loss prevention. That's true, but it's not the only principle we should talk about.

Security is not meant only to prevent losses, if it ever was; it's also meant to put you ahead of the game as a competitive advantage. I understand that it may look weird at first. Can security make you money? Yes, it can. And the money it makes is only increasing.

I'll start with the easiest item to understand: HTTPS is a ranking signal in Google Search. That means security is now part of the equation.

If your website gets blacklisted because of malware, you'll lose points in Google's page ranking as well. So protecting your website against malware and adding HTTPS will not only prevent losses, they will also improve your position in search results. A higher position means higher visibility, which means more traffic, which could lead to more buyers.

It won't surprise me when Google announces that you'll lose points if they notice your homepage was defaced. The world is going that way. Users are becoming more privacy aware. They understand that information has value and don't want to be tracked. It needs more time, but that's where the world is heading. That's evolution for you.

But that's not all.

When selling a commercial off-the-shelf (COTS) product, the buyer wants to know about its security, although the majority have no idea how to validate it (read "A Security Market for Lemons" by Bruce Schneier). Not all buyers, of course, but their awareness is increasing, as shown in the SANS 2016 State of Application Security Report. Not to mention that you can educate them properly, making them aware of the importance of security before they dive into your product.

That means security is a value, and that's exactly what buyers look for during a purchase. They don't buy features, they buy value. The more value you provide, the more they're willing to pay. And if the perceived value of security is increasing, so is the money you make when you sell a product. Even if they're not willing to pay more, at the very least you'll be ahead of the competition.

And still that's not all.

There is also functional security that can grab the user's attention: for example, two-factor authentication, the ability to encrypt files, or an audit trail available to the user. Those security features are on the same level as any other feature of the product. And guess what? They also provide value to the user or buyer. Not only can security in the background make you money, but security in the foreground can as well.

There are also gains related to the brand, because improving security means improving overall quality. The gain here is hard to estimate, but it's a gain for sure.

That's it for today, thank you for reading.

