Thursday, October 15, 2009

Lessons to be learned from the private sector

In an article on Risk Center, author Tami Casey reports on a survey of computer professionals at large companies about how difficult it can be to convince executive management of the need to invest in the security of web-based applications.

The keys to laying out the case have applications in the government world as well. Let's look at the recommendations:

  • Effectively communicate the issue and build application security awareness. Executive management might not understand the impact or urgency of fixing security defects. Explain the importance of preventing a data breach, identity theft, unauthorized access and downed websites. Be sure to steer clear of jargon and use real-world examples highlighting damages to companies. It's important to provide training on web security issues to all functions, not just developers. For governments this translates to teaching your leadership and explaining the political implications of failure.
  • Align your security strategy with business objectives. Discuss specific management goals and point out how a security breach could stand in the way of meeting these objectives, be they revenue or corporate reputation goals. Government version: focus on political risk and failure to meet citizens' needs.
  • Calculate the ROI. The cost of a breach can be $500K or more per incident. For example, the Heartland Payment Systems breach is estimated to have cost the company $12.6 million, along with damage to its reputation and a dramatic drop in the company's stock price. For government it is not ROI but rather cost avoidance: funds not spent on a breach can be used for more productive work and services. When governments fail to protect citizen information, direct costs can also be incurred.
  • Cite laws and compliance issues. Be sure to point out penalties for non-compliance with regulatory standards, which can pile up quickly. It is bad form for government officials to fail to obey their own regulations!
  • Emphasize web app security as part of the software development process. Include stakeholders from the development team through QA and production. This is the key. Government is a very large player in the IT services and procurement industry. It must demand quality products for its investments.
