Caution: This post may make you uncomfortable
What business value are you delivering to your business?
.
.
.
... still trying to answer the question?
If you can't immediately answer the question "What business value is your web application security program providing to the business?" then you're in for some serious trouble. The sad thing is, 2 out of every 3 security analysts that I talk to cannot answer that question without stumbling. This underscores the problem we face as Information Security becomes more and more ingrained in the business: security, just like every other part of the business, must justify its existence and value.
Should security have to justify itself? Does security have to have a value proposition? -- Of course!
When trying to answer that question, consider one of the following answers...
- Driving risk-reduction
- Saving [the company] money
- Making [the company] money
- Contributing to compliance
Answering this question is a lot easier said than done, isn't it? Simply saying "we find vulnerabilities" brings about the inevitable "so what?" response from someone who is not intimately familiar with the principles behind security. Vulnerabilities in themselves have no inherent value... consider that for a moment. Even making the web applications your business publishes to the web, to partners or to customers "less hackable" doesn't, by itself, provide the business any value. Sometimes perspective hurts.
Try quantifying the work you or your team does in cost savings, risk avoidance, or other measures that the business understands, and it's a whole new game. Making Information Security a key stakeholder in the business, however, requires exactly this type of answer for every undertaking the security team proposes. There is no magic answer, no secret Jedi mind trick that will make your answers work every time. You'll have to work these out yourselves every single time, but there is a single key to being relevant and getting funding.
Define what you do and what you're proposing, then ask yourself... "So what? What does this mean to the business?"
Posted 08-26-2009 4:01 AM by RafalLos