Secure Coding mailing list archives

How is secure coding sold within enterprises?


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Mon, 19 Mar 2007 16:12:28 -0400

I agree with your assessment of how things are sold at a high level, but I am still struggling in that it takes more 
than just graphicalizing your points to sell; hence I am still attempting to figure out a way to get my hands on some 
PPTs that are used internally in enterprises prior to consulting engagements, and I think a better answer will emerge. 
PPTs may provide a sense of budget, timelines, roles and responsibilities, who needed to buy in, industry metrics, 
quotes from noted industry analysts, etc., that will help shortcut my own work so I can start moving towards the more 
important stuff.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj at owasp.org]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


There are two major methods:

1. Opportunity cost / competitive advantage (the Microsoft model)

2. Recovery cost reductions (the model used by most financial institutions)

Generally, opportunity cost is where an organization can further its goals by a secure business foundation. This 
requires the CIO/CSO to be able to sell the business on this model, which is hard when it is clear that many businesses 
have been founded on insecure foundations and do quite well nonetheless. Companies that choose to be secure have a 
competitive advantage, an advantage that will increase over time and will win conquest customers. For example (and this 
is my humble opinion), Oracle's security is a long-standing "unbreakable" joke, and in the meantime MS ploughed billions 
into fixing their tattered reputation by making it a competitive advantage, and thus making their market dominance 
nearly complete. Oracle is now paying for their CSO's mistake in not understanding this model earlier. Forward-looking 
financial institutions are now using this model, such as my old bank (with its SMS transaction authentication 
feature), which won many new customers by not only promoting itself as secure, but doing the right thing and investing 
in essentially eliminating Internet Banking fraud. It saves them money, and it works well for customers. This is the 
best model, but the hardest to sell.

The second model is used by most financial institutions. They are mature risk managers and understand that a certain 
level of risk must be taken in return for doing business. By choosing to invest some of the potential or known losses 
in reducing the potential for massive losses, they can reduce the overall risk present in the corporate risk register, 
which plays well to shareholders. For example, if you invest $1m in securing a cheque clearance process worth (say) 
$10b annually to the business, and that reduces cheque fraud by $5m per year and eliminates $2m of unnecessary overhead 
every year, security is an easy sell with obvious targets to improve profitability. A well-managed operational risk 
group will easily identify the riskiest aspects of a mature company's activities, and it's easy to justify improvements 
in those areas.

The FUD model (used by many vendors - "do this or the SOX boogeyman will get you") does not work.

The do-nothing model (used by nearly everyone who doesn't fall into the first two categories) works for a time, but can 
spectacularly end a business. CardSystems, anyone? Unknown risk is too risky a proposition, and is plain director 
negligence in my view.

Thanks,
Andrew 


On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com> wrote:



I am attempting to figure out how other Fortune enterprises went about selling the need for secure coding practices 
and can't seem to find the answer I seek. Essentially, I have discovered that one of a few scenarios exists: 
(a) the leadership chain was highly technical and intuitively understood the need; (b) the primary business model of 
the enterprise is banking, investments, etc., where the risk is perceived as higher if it is not performed; (c) it was 
strongly encouraged by a member of a very large consulting firm (e.g. McKinsey, Accenture, etc.).

I would like to understand what PowerPoint deck employees of Fortune enterprises use to sell the concept PRIOR to 
bringing in consultants and vendors to help them fulfill the need. Has anyone run across any PPT that best outlines 
this for demographics where the need is real but considered less important than other initiatives?





_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________




