Return on Security Investment - Role of Leadership

Publish Date : 17-01-2024
Author : Open-CISO


As a leader, it’s easy to see security as a money sink that never creates wealth. Like IT in past decades, funds allocated to security disappear, yet more is always requested. The reasons usually provided - preventing breaches, compliance with privacy regulations, and protecting the integrity of the company’s infrastructure and services - are reasonable enough. But as a leader who isn’t necessarily familiar with the specifics of why the security team is prioritizing particular objectives, and how those objectives serve the mission and financial solvency of your institution, it can be challenging to foster meaningful dialogue with a team whose work can be illegible to those who aren’t technical. Even technical people struggle to understand the highly specialized work of some security engineers. This is a simple guide and food for thought for leaders who are concerned with minimizing costs and maximizing returns on security teams, all the while leaving the company with a more robust security posture and making it less vulnerable to breaches.

Bug Bounties

Bug bounties allow you to outsource your company’s offensive security work to the growing international community of bug bounty hunters. This thriving community will find bugs and be awarded money based on security findings in accordance with rules your business sets. So instead of keeping a pen-testing team on staff, you can save significant sums of money by letting pentesters receive rewards based on what they can find wrong in your system. But security costs aren’t the only thing you stand to reduce by implementing a bug bounty program. Because bug bounty programs are magnets for top security talent, your in-house team also benefits immensely from the recruiting opportunities that arise when such a program is put in place. And finally, the buzz generated by the announcement of a bug bounty program is an excellent source of free marketing. Do you want to be on the tip of everyone’s tongue in the tech community? Announcing a bug bounty program is an easy way to have a moment in the spotlight without spending a cent on viral marketing campaigns. Enjoy the burst of free grassroots popularity! 

Third-Party Audits

I know auditors seem expensive, but that one-time (or even quarterly or annual) fee is chump change compared to the price of maintaining an internal compliance team that conducts audits in-house. Don’t get me wrong, there’s nothing wrong with having your own team of competent security engineers, and you probably already do. But the best combination you’ll find is this: unless your company is genuinely enormous, leave the offensive work of finding bugs to third-party auditors. They will find plenty of bugs for your engineers to clean up. If you must have internal compliance or offensive security engineers, always try to leave the balance in favor of more “blue team” (defensive) security engineers. Your defensive team will always have plenty of work cleaning up the endless bugs discovered in quarterly audits, and those audits will be considerably cheaper than maintaining an entire “red team” (offensive security team) to find the same bugs. So go ahead and skip the constantly expanding red team budget by keeping only a small red team, if you still feel that you have to maintain one in-house at all.

Generating Income with Security

Wait, what? Can you increase revenue directly via your security team? Absolutely! Your security team can do more than defend your organization and ensure compliance with industry standards and best practices - they can also be used to generate revenue directly. Let me show you how. Imagine working with another vendor, but that vendor lacks a vital security certification that you have already acquired (most commonly, the culprits are SOC2, GDPR, and, of course, PCI DSS). To maintain contractual obligations with other vendors and clients, this vendor must comply with the applicable standard. So what should you do? Maybe tell the vendor to use an auditor? Nonsense! You can offer them the services of your security team to make the same changes to the vendor’s organization that had to be made to yours - for a fee, of course. Once your team has implemented something for your organization based on external audits, they can just as readily take that hard-earned wisdom and apply it to the circumstances of the organizations you work with. Combined with reducing costs by implementing bug bounty programs and relying strictly on third-party audits for the bulk of your offensive needs, this strategy of using your security team as an outsourced compliance workforce for your other clients and vendors is the key to turning the security branch of your IT team from a cost sink into a revenue source.

Cryptocurrency Assets

Unless you’ve been stuck living under a rock for the last 15 years, the chances are nearly certain that you’ve heard of cryptocurrency. Heck, I bet you’ve probably even made some crypto investments yourself. Between Bitcoin, Monero, Doge, and Ethereum, among the many alternatives constantly flooding the market with new innovations, almost any business in today’s market is likely to be involved in crypto, or at least in technology based on blockchain algorithms. Your security team is vital in maintaining the integrity of your crypto assets. Along with the rise in ransomware attacks over the past decade, crypto theft and hacking centered on cryptocurrency crime have exploded in popularity among attackers on Dark Web forums. It is vital that at least someone in your core security engineering team is trained in crypto to protect your assets. We aren’t here to recommend a specific course or certification. The odds are, if you speak to your security team, they’ll know exactly what training would be best. Splurge. This is not something you want to be stingy on - the training they receive is the only line of defence between your business and the attackers who threaten to steal all of your cryptocurrency assets.

In the late 1990s, the legendary software pioneer Grace Hopper was once quoted as saying the following quip:

> Security is a black hole of time and money, and so is getting hacked.

Coming from a US army general and coinventor of FORTRAN, the remark left many corporations from those early days of cyberspace afraid to touch security, terrified that it would suck up time, money, and resources better spent on the number one priority of every business: creating more profits. We hope this brief tour has convinced you of two core truths about the role of a security team in the modern enterprise. First, security doesn’t need to be expensive: the expenses it does incur can be minimized by relying on external bounty hunters and quarterly audits, and a well-trained, highly experienced security team is an asset that increases profits directly. Second, armed with this knowledge, you have a serious leg up on your competition, most of whom are likely stuck in a 90s fog where security is either the last priority or is blindly invested in - with a mentality that uses up tons of unnecessary funds while reaping minimal profit.

Best Practices can Offset the Investments