It looks like “We got hacked!” is the main reason why companies, whatever their size, start worrying about web security.

Yes, that’s true: running a penetration test or reviewing the security of a website is not free.
So why would companies become interested in web security when everything goes just fine?

For many people the return on investment of security spending is not really obvious.
Like buying insurance, investing in security will not directly reward you, but it will mitigate risks that could be very, very harmful for the company, and for end-users!

Just like many people start reinforcing the security of their house or apartment after a break-in (of their own house or a neighbor’s), companies start investing in security after a breach occurs on their own systems, or when someone they know or someone in the same industry encounters such a disaster.

A very human behavior, I guess.


Reasons why companies start investing in web security

So, what reasons other than “we got hacked” push companies to have their web applications go through a penetration test, or to hire IT security people?

After some research on the subject, we can find the following key motivators:

  • compliance obligations
  • customer requirements
  • partner requirements
  • community awareness of security risks

And of course, “reasons” not to invest in security are numerous:

  • Lack of understanding/knowledge of security risks
  • Prioritization of new developments over security
  • Lack of budget, even if a part of the team is aware of risks and would like to fix vulnerabilities
  • Affected code is not directly maintained by the company (third party code)
  • The fix would break the workflow, or would be in conflict with a business case or user journey
  • The specific standard the organization has adopted for compliance does not require fixing a specific vulnerability.
  • Risk acceptance

“Risk acceptance” is unfortunately often a way to hide a lack of knowledge, or of the ability to really assess how big the risk is. Some people say the risk is acceptable and just cross their fingers, without really knowing whether or not the door can be left open…

Around 2/3 of internally developed web applications are untested for security vulnerabilities. If all hacks were known (at least to their victims!) and disclosed, the statistics would be much better.