Building a Web Application Security Program Without a Budget - Following the White Rabbit Blog

As promised, I'm writing up the first segment of implementing a web application security program without having to spend (or add spend to) your own budget.  The current economic conditions are stifling technology investments, and security programs aren't much better off than they were this time last year.  In fact... security budgets have shrunk.  I know, no one reading this is shocked.

What I'm going to help you with in this first piece is gathering the information you need so that you don't have to spend anything.  This is quite simple, but rarely done, I assure you.

First thing you should do is infiltrate the opposition.  In case you haven't noticed, critical business functions rarely get their budgets cut, so in order to get the same type of treatment you have to learn what they're doing differently from you.  Follow these simple steps, and you'll be one step closer to program success.

  1. Identify the heads of each of the following departments within your organization:
    1. Fraud
    2. Risk
    3. Legal
    4. Compliance
  2. Ask them for their list of initiatives for next year and beyond
  3. Ask them to identify which of those initiatives have a "Web application" component
  4. Sit with them in their office at least once to understand their priorities, and reasoning behind those priorities
  5. Provide feedback for each web application-related component to identify "security needs"
  6. Confer with the owner/sponsor (person whom you sat with) to ensure those needs are "baked into" their budget estimates
  7. Add each of the projects identified in #6 to *your budget* with a dollar amount of zero, referencing the sponsoring department's budget line from #6 so it is clear where the funding actually sits

Alright.  There you have it.  These are the steps that I've personally used successfully in the past, and I know that this works the majority of the time across a wide range of companies and industries.

Now that you've got this game plan ahead of you... you may need some coaching on how to position your requirements to the various department heads for step #6 in the process.  I'll detail some of those tricks next.


Posted 07-29-2008 8:12 PM by RafalLos
