It happens all the time — weekly, if not daily.
A customer approaches us and tells us that part of their mandate is to ensure their development teams are trained and able to protect against security vulnerabilities. Their budget, however, is either minimal or controlled by another department in their organization.
Even as application security gains more and more visibility worldwide, we continue to ignore the importance of building a culture of security from the foundational level. How can we expect our development teams to “just know” when we aren’t providing them with the tools necessary to do their jobs?
Securing a budget for training can be difficult. Many times, it involves multiple people across multiple departments with widely varying opinions. The more red tape, the harder it is to gain buy-in for security awareness training.
We have witnessed firsthand the benefits of proactive rather than reactive training. Here are some tips on how to make your case and secure funding for something that is becoming increasingly vital to your organization’s success.
Use facts to secure budget for security awareness training
Proactive training has a lower cost than reactive recovery. We’ve all heard the saying, “do it right the first time,” and when it comes to developing secure applications, this holds especially true.
According to WhiteHat Security, the average website has 23 vulnerabilities, 13 of which are serious, and 48 percent of which will eventually get remediated. The average time it takes to remediate these vulnerabilities is 200 days. Needless to say, if training can help development teams eliminate vulnerabilities from the start, the whole organization will save a lot of time, headaches, and ultimately money.
If you’re fighting for a larger training budget, you can argue that you are saving your organization money by training your developers to avoid potential security risks. The table below by IBM shows that it is 100 times more expensive to fix a defect after it has been released than during the design phase.