Tackling vulnerabilities at source: How to cut the rising cost of DevSecOps

May 9, 2025

Cutting the rising cost of DevSecOps

Effective security operations (SecOps) obviously don’t generate revenues; instead they prevent potentially catastrophic harms, which remain hypothetical and hard to quantify unless they come to pass.

Whereas a bestselling product wins acclaim, the breach averted because a vulnerability was found and patched goes unnoticed.

In this sense, security – like taxes or insurance premiums – is often seen as “a cost of doing business”.

And this cost is rising as attack surfaces grow and threat actors become more sophisticated. Moreover, while CISOs’ burgeoning workload is well documented, it seems that developer workloads and therefore development costs are also rising because of security requirements.

Hidden costs of DevSecOps

A 2024 report from market research firm IDC on ‘The Hidden Cost of DevSecOps’ highlighted this problem:

  • Organisations were spending more than $28,100 per developer, per year for security tasks such as manual reviews and context switching
  • Developers on average estimated that 19% of their weekly working hours were spent on security-related tasks
  • Developers estimated that the number of hours they spent on security had increased by nearly two hours per week, year on year

Even with AI tools supercharging their productivity amid ever-more demanding release cycles, devs are also still spending an average of 3.6 hours a week addressing unexpected security issues outside of normal working hours – with all the adverse consequences for work-life balance and job dissatisfaction that might bring. This also reflects a reactive rather than proactive approach to security.

The key to boardroom buy-in

Recent research has meanwhile suggested that while share prices reliably fall following disruptive cyber-attacks, these are often short-lived and less severe than you might expect.

Might such findings, allied with the fatalistic sense that cyber-attacks are unavoidable, make it harder to secure necessary increases to security budgets?

CISOs will certainly not be complacent about what’s at stake as they grapple with stringent new regulations, backed by the threat of enormous fines and even the spectre of them being held personally liable.

But it’s clear that security strategies and tooling that minimise development costs and disruption will strengthen their ability to secure buy-in from the boardroom.

To ease the security burden on developers, IDC has urged IT and software development team leaders to automate repetitive and time-consuming tasks, and ensure DevSecOps tools deliver accuracy with minimal false positives, integrate seamlessly with existing workflows, and offer clear, actionable insights for addressing security issues without unnecessary complexity.

Tackling the root causes of vulnerabilities

Bug Bounty Programs offer countless benefits – not least continuous testing and finding vulnerabilities missed by pentests – but among the most unsung is the opportunity to reduce the number of vulnerabilities that exist in the first place.

Vulnerability remediation increases developer workloads. Bug Bounty offers an opportunity to create a virtuous circle whereby devs can leverage vulnerability reports to learn how to avoid a recurrence of similar issues in the future. Consider how Orange France, a YesWeHack customer since 2019, intentionally leaves vulnerabilities reported by hunters on internally-accessible dummy websites, for its employees to discover and learn from.

As for remediating vulnerabilities that do appear in your code, our platform can help your SecOps function reduce time-to-fix with:

  • Standardised, actionable reports with easy-to-understand Proofs of Concept (PoCs), remediation recommendations, and descriptions of exploitability and potential impact
  • Triagers and hunters available to answer follow-up questions from developers and security teams
  • Risk-based prioritisation of the most critical vulnerabilities and less time wasted on false positives or low-impact issues
  • Integrations with tools like Jira and ServiceNow that streamline remediation workflows and make it easier to track bug status and adhere to resolution targets

CONTACT OUR SALES TEAM to BOOK A DEMO of our Bug Bounty service and to find out more about how your organisation can supercharge vulnerability discovery, reduce time-to-fix and facilitate secure development practices.