[This thesis has been built on a customer non-paper regarding Corporate Security and Risk Strategies]
At times of economic crises and market share squeezing, many IT Service companies focus on agile product development and on meeting the service delivery deadlines, often at the expense of solid software development practices, adequate testing and user acceptance.
Although initial costs may be relatively low, these companies usually face increasing costs through the product life cycle due to necessary ad-hoc patching, multiple versioning maintenance and overall inability to address the total product portfolio under a single, strategically-driven governance framework.
The end result is very high Total-Cost of Maintenance (TCM) and poor quality of service at the customer end. IT Security, extensive and recursive testing as well as Compliance with a selected Framework of Standards are all prerequisites of shielding the Company against abrupt Risks that can literally take down the company in a matter of days.
Just consider the cost of an online provider facing a DDoS attack of 1 whole day or more. According to a study by SANS Institute: InfoSec Reading Room “DDoS Attacks Advancing and Enduring: A SANS Survey” of February 2014 https://www.sans.org/reading-room/whitepapers/analyst/ddos-attacks-advancing-enduring-survey-34700 the final bill after paying for litigation fees and customer compensation can be up to $100,000 per minute of outage with the weighted average outage duration being around 2.3 hours, while up to 35% of the attacks are never detected.
And speaking of internal risks, a recent Gartner study projected that “through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.” (Ronni J. Colville and George Spafford Configuration Management for Virtual and Cloud Infrastructures) – http://www.evolven.com/blog/downtime-outages-and-failures-understanding-their-true-costs.html#sthash.71ThLBDZ.dpuf
The “quick-and-dirty” way for IT Service Companies is to beat the competition with fast service releases but loose security endpoints. The best positioned Tech companies over the long-run are those who respect their customers and invest in build-in security in their products. They also do not fail to hire top-notch security professionals that maybe a drag in the every-day life for a CEO or a Sales VP, but will repay the company and the shareholders in multiples.
The target of successful, strategically-agile IT tech companies is to transform internal and external risks associated with Compliance, IT Security and Cyber-Risk into Legal adherence to agreed SLAs while maintaining desired level of quality controls. This is mainly achieved by securing and exercising the Right-To-Audit across the service delivery chain in order to maintain the sufficient levels of Quality and Assurance.
Instead of viewing Security and Risk Management as necessary “costs” to be kept at a bare minimum, these companies invest in those two areas as part of their carefully chosen business portfolios. These investments are expected to induce considerable revenue streams, in the long-run, constituting a lucrative “money-making business”.
It is getting less and less of a hype in recent high-level security round-tables to hear the term “the business of security”. The highly-paid security gurus of the big tech players, make sure that their voice is heard at Board of Directors’ Meetings where the agenda is not technical security but strategic market positioning and profit maximization based on security strategy.