Jeremiah has published an entry on budgeting for web application security in your company.
"“Budgeting” is a word I’ve been hearing a lot
of questions about recently, which is another data point demonstrating
that Web application security and software security are increasingly
becoming a top of mind issue. The challenge that many security
professionals face is justifying the line item expense for upper
management. Upper management often asks, “How much do we need to spend?” well before “What do we need to spend it on?”
I was talking with Boaz Gelbord (Executive Director of Information
Security of Wireless Generation) and several others about this, and
they provided keen insight on the subject. I have identified the
following approaches to justifying security spending:
1) Risk Mitigation
"If we spend $X on Y, we’ll reduce the risk of loss of $A by B%."
2) Due Diligence
"We must spend $X on Y because it’s an industry best-practice."
3) Incident Response
"We must spend $X on Y so that Z never happens again."
4) Regulatory Compliance
"We must spend $X on Y because PCI-DSS says so."
5) Competitive Advantage
"We must spend $X on Y to make the customer happy.""
Read more: http://jeremiahgrossman.blogspot.com/2008/12/budgeting-for-web-application-security.html