One of the sad truths about security is that it has typically been viewed by enterprise C-level executives as akin to an insurance policy – necessary, but would never produce profits, boost revenue, or attract new customers. But are those long-held perceptions changing?
A recent CA study found that they might be. The study found that companies that prioritized security efforts in app development were 2.6 times more likely to have security testing keep up with frequent app updates, 2.4 times more likely to be leveraging security to enable new business opportunities, 2.5 times more likely to be outpacing their competitors, and those companies also enjoyed 50 percent higher profit growth and 40 percent higher revenue growth.
"Traditionally, business executives viewed security as a necessary evil that you have to do or bad things can happen," said Ayman Sayed, the president and chief product officer at Veracode.
There is a key reason why that no longer works. Security as a silo in 2018 is a recipe for disaster. The days when the CISO and other security managers could handle all matters of IT security, without anyone else on the payroll being bothered? Long gone.
For example, one of the biggest data breach entry points for almost all large companies today is the spyware-hiding-in-an-email-attachment trick. Security can do little to halt that attack method. It's up to every employee with access to the network to be trained when it's OK to open an attachment, even from someone the employee thinks is a colleague.
This is not that different from the biggest threat with today's facilities security effort: employees letting others into the building, rather than insisting that they card in, like everyone else. Hiring 200 extra security guards won't undermine the damage possible from one sympathetic employee letting someone in during a rainstorm.
But those are both trivial compared with the security issues with application development teams that think that security is someone else's problem.
Shifting security left
"With today's shorted cycle time, companies no longer have the time to do security as an afterthought," Sayed said.
Sayed's point is that the time it takes to fix app security issues later is far greater than the time needed to prevent that security hole from happening initially. In addition, when a company gets burned with an app with security problems, the person-hours needed to then fix it is the least of their problems. When security is not integrated, those security discoveries almost always happen after the app has been released to customers. That brings customer anger into the equation. Then in comes legal as some of those customers prepare litigation.
And, of course, don't forget regulators, both from a vertical perspective (PCI, HIPPA, etc.) and from city, state, federal, and global regulators. With GDPR kicking in, the global regulator complexities will get far worse.
On top of all of that, throw in the additional rollout delays of any apps your team had in the pipeline. Those are the projects that have to be backburnered while everyone has to fix the newly discovered security holes.
This is why moving to integrate app security in the very start of the process—in effect moving from a DevOps mentality to DevSecOps—makes so much financial sense. "This directly impacts your ability to grow your top line," Sayed said. "By integrating security throughout the cycle, by moving from DevOps to DevSecOps, you're able to do that more rapidly, in a frictionless fashion and drive the business results. That is how the link comes into play."
Then there is the fact that spyware slows down all of your applications, while it's stealing your data in the background. "That delay of a second or two when customers are getting a spinning wheel often leads to them abandoning a session, abandoning an app. That means a potentially lost transaction and lost revenue," Sayed said.
Security as competitive advantage
Let's take another look at those initial stats. How does doing a better job integrating security into all business operations help attract new customers and boost revenue? That's another change for 2018. Your security holes are no longer just your company's problems. Your security holes threaten the security—and compliance—status of everyone who comes into contact with those apps, including your customers as well as every member of your business community (distributors, suppliers, sales, freight, service contractors, etc.).
That means that a company that can boast of more sophisticated integrated security has a massive competitive differentiator when competing against those that can't make such a claim. With all of the data breaches in the headlines these days, and all of the damage that results, how attractive would you find it when a company shows that they are making the right security moves?
Another reason for the powerful ROI that integrated security now delivers is pure time. Apps made in a true DevSecOps fashion are produced more quickly, regardless of whether a vulnerability is discovered. Developers are more confident in moving apps along quickly when they know that security has already been a focus. Customers are more quick to deploy your apps, rather than waiting and watching to see if a security bug is discovered by early-deploying rivals.
And don't forget the most obvious ROI advantage: For those of you who sell your apps outside your company, integrating security at the beginning makes those apps sell faster and easier—not to mention that you will also be able to start selling them more quickly.
The truth is that fully integrating security into the app development process does increase revenue, margin and productivity all while sharply reducing any post-release headaches. Age-old security misperceptions are finally surrendering to security realities. And that's what is causing the perception change.
Want to get started? Learn how to make application security a competitive advantage with Veracode’s Verified program.