
Not necessarily, let's say it's just "security debt." Start with something like "we built this system with MD5 passwords in the user rows of a database that includes a bunch of other information." And 10 years go by and you (the guy who worries about security) realize that hey, rainbow tables can be really really big these days, perhaps MD5 isn't the answer anymore.

So you go to the annual planning meeting and you pitch to the execs ... We want to take 5 engineers to first fix the password encryption we are using, second to update all the databases, third to build and test a system that makes swapping out the encryption method of passwords easier and less disruptive in the future, and finally to update the build system to do some sort of regression test on passwords to ensure we aren't creating new services with weak algorithms.

The person after you pitches ... we'd like to take 5 engineers to build an algorithm to identify viral videos on the web and then put them into an iframe on our properties, thus increasing the length of time someone spends on our web pages, which early A/B testing with some hand-picked videos suggests increases revenue per page by .5%.

They give the 5 engineers to the kitten project; it makes for more revenue.

A year goes by, the security guy pitches and the second pitch is "Our videos are doing great but we have discovered that people really hate that it takes three clicks to change their preferences on page layout. We want the 5 engineers to tweak the portal pages to make customization easier and we'll add a frictionless ad portal where they can just click on a product that appears and it will order it for them."

The updated portal gets the 5 engineers.

Now they are at a due diligence meeting with a potential suitor who discovers that millions of passwords were breached and later compromised because for years they knew they were using an insecure way of storing them but had not done anything about it. This materially affects what they consider the 'value' of the company to be.

The challenge is that if the security guy is really good the customers don't "see" anything, just their password is better protected than it was, and future projects start with strong password management systems. So from the people visiting the web property "nothing" changes. From the executive planning group's perspective they have spent 5 precious head count on a feature that they will have no way of "reporting" its success either in their own resumes or to their bosses. Kittens and better click through? Easy to measure and report and you can point at dollars in the bank as the benefit.
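The migration the comment sketches (fix the hash, update the rows, make the scheme swappable, and add a regression check so new services can't ship weak algorithms) can be made concrete. The following is an added example, not code from the commenter; the stored-hash formats, the scheme names and the sample user rows are assumptions constructed for illustration. It tags each stored hash with its scheme, verifies against whichever scheme a row uses, transparently re-hashes legacy MD5 rows with a salted PBKDF2-SHA256 on the next successful login, and exposes an `audit` function that flags any row still below the current standard.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Hypothetical on-disk formats (assumption, not from the comment):
#   legacy:  "md5$<hex digest>"                          unsalted MD5, the "security debt"
#   current: "pbkdf2_sha256$<iterations>$<salt hex>$<hex digest>"
CURRENT_SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000          # PBKDF2-SHA256 work factor for newly written rows
WEAK_SCHEMES = {"md5"}        # schemes the audit must never accept


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with the current scheme: fresh random salt, tagged so it can be swapped later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def legacy_md5(password: str) -> str:
    """Only used to construct sample legacy rows; never use this for new records."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify(stored: str, password: str) -> bool:
    """Check a password against a row in whatever scheme the row was written with."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(rest, hashlib.md5(password.encode()).hexdigest())
    if scheme == CURRENT_SCHEME:
        iters, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    raise ValueError(f"unknown password scheme {scheme!r}")


def needs_upgrade(stored: str) -> bool:
    """True for weak schemes, unknown schemes, or current-scheme rows below today's cost."""
    scheme, _, rest = stored.partition("$")
    if scheme in WEAK_SCHEMES:
        return True
    if scheme == CURRENT_SCHEME:
        return int(rest.split("$")[0]) < ITERATIONS
    return True


def login(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Verify; on success with an outdated row, return a re-hashed value for the caller to write back.

    The plaintext is only available at login, so this is the moment legacy rows get upgraded.
    """
    if not verify(stored, password):
        return False, None
    if needs_upgrade(stored):
        return True, hash_password(password)
    return True, None


def audit(rows: List[Tuple[str, str]]) -> List[str]:
    """Regression check for the build pipeline: ids of users whose stored hash is still outdated."""
    return [uid for uid, stored in rows if needs_upgrade(stored)]


# Constructed sample user rows: one legacy MD5 row, one already on the current scheme.
SAMPLE_ROWS = [
    ("alice", legacy_md5("correct horse")),
    ("bob", hash_password("battery staple")),
]

if __name__ == "__main__":
    print("rows needing upgrade:", audit(SAMPLE_ROWS))
    ok, rehashed = login(SAMPLE_ROWS[0][1], "correct horse")
    print("alice login ok:", ok, "upgraded:", rehashed is not None)
```

Users who never log in again keep their MD5 row, which is exactly what `audit` is for: it is the number the security engineer can report each quarter, and wiring it into the build as a failing check is what stops a new service from writing `md5$` rows in the first place.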
