We recently conducted our first annual software security survey and are in the final stages of publishing it. The survey asked a broad range of questions, most of them aimed at gauging how seriously companies take software security threats: what practices they have in place, and how much time and effort they put into them. One finding stood out: one-third of respondents either had no one in their organization responsible for software security or did not know whether they did.
There is a useful parallel in Nassim Taleb's Black Swan thinking about probability, applied to financial markets and to many events in nature. Much of his work, and his fortune, rests on taking seriously very low probability, catastrophic events, the Great Recession being the famous example. Yes, he positioned himself for the Great Recession and made a killing. How? Mostly with probabilistic modeling that ran contrary to what most other financial advisors were doing. His point: if an event would kill you, then even when its probability is very low you cannot ignore it and must give it special attention. Now, back to software security. Most organizations either don't care, are worried but do nothing, or don't prioritize money for software security (training, coding practices, testing, tools, and so on), because they treat getting hacked or breached as a rare Black Swan event. The survey data says otherwise: fifty percent of respondents had suffered some sort of security breach, and half of those breaches affected their end customers.
The bottom line is that when a low-probability event is catastrophic (a security breach in your software or network that brings large financial losses or even puts you out of business), you cannot simply assume a normal distribution and let the loss disappear into the tails a few standard deviations out; the expected cost is dominated by the size of the loss, not by how rarely it occurs. What does this mean in practice? Invest up front, and focus on identifying potential software security threats before you end up in the news. The probability is not as low as you think, and even if it were, the event could kill you if it happens. Stay tuned for our complete software security survey analysis report!