Business Case for Web Security
It can be hard to justify business spending when web sites are often viewed as low-value assets. The fact that so much Internet content and services are free, and you can buy a web site for less than the cost of a colour TV licence in the UK reinforces this idea in many small and medium enterprises (SMEs).
Much of my work is related to dealing with security incidents, such as web sites which have been hacked, or where an organisation is having security requirements imposed by their own customers and clients. Often these activities are undertaken late in the project and are therefore less effective, and more costly, than they might need to be.
I adhere to the principle "prevention is better than cure", and encourage the early consideration of security and privacy matters—just like any other business process requirement. It was encouraging to read the useful guidance and pointers on Business Cases For Software Security Initiatives but for many organisations, the issues are too complex and they don't have any supporting data. For those I recommend, as a starting point, concentrating on four types of issue:
- mandatory compliance issues (e.g. legislative and contractual)
- problems which can assist theft or fraud
- security events which would be severely disruptive and possibly put the organisation out of business
- issues for customer trust and ongoing reputation
It's always organisation specific though. As organisations mature, they can be encouraged to look at wider security issues—but, let's get the basics right first.
Posted on: 10 July 2009 at 09:15 hrs
Comments are filtered automatically and should appear shortly after they been checked.