Rough Calculation, or How I Got Offended When People Demand Quality Applications from Vendors

We count other people's money

Recently I attended a meetup of a Telegram channel dedicated to mobile app security. There were plenty of vulnerabilities on show and plenty of light-hearted jokes at the expense of mobile app developers who let raw apps through to release (raw from a security point of view).

Let's assume we decided to fix the situation. Some developers expressed a desire to learn security, the vendor's management quickly found someone for the DevSecOps role, and the product's testers picked up static analysis as a cross-competency. Who pays for the party? The end consumer, of course. But does the end consumer need it at that price? The question is complicated and depends on how much money the consumer has. I decided to tackle this question for the information security niche.

For those looking for an easy way out, there is a wonderful study from the Center for Strategic Research Foundation on the cybersecurity market of the Russian Federation, with a forecast of its development for 2023-2027. It is easy enough to google, but the calculation methods are not disclosed. And it does not answer my main question: does the customer have the money to buy my application, whose quality I will prove through a bug bounty? And what if I also certify the backend under FSTEC Order No. 21? How much money does the average customer have for my product?

Let's approach the question top-down and choose where to aim our security. The first things that came to mind:

  • Big business

  • Medium business

  • Small business (which includes microbusiness, according to the Federal Law of July 24, 2007 N 209-FZ)

Why not big business?

Large businesses have huge profits and are often their own vendors of information security systems. That leaves small and medium-sized businesses.

Small Business Discoveries

It so happens that among my acquaintances there are system administrators who shared how information security works inside their companies. Saving on everything, with priority given to keeping systems running and responding promptly to requests like “the mouse does not work” or “the printer does not print”. But they do make backups, and I respect that. Obviously this is only the experience of my acquaintances' companies, but these conclusions were enough for me to target medium-sized businesses.

What about medium-sized businesses?

Since we decided to work top-down, we need to understand how many such companies there are in the Russian Federation. The tax service, with its wonderful register of small and medium-sized businesses, helps us here. As of 24.07.2024, the picture for medium-sized businesses is as follows:

And here I had my first doubts. There was no publicly available data on medium-sized businesses and their total income. OK, the document “ON THE LIMITS OF INCOME RECEIVED FROM BUSINESS ACTIVITIES FOR EACH CATEGORY OF SMALL AND MEDIUM BUSINESS ENTITIES” gives us the income range set for medium-sized businesses: from 800 million to 2 billion rubles. However, there are exceptions, for example the possibility of qualifying as a medium-sized business not by income but by headcount. Plus, there are sectors with very little IT, dance studios and gyms, for instance. The statistics get worse and require further detail. At the same time, I already want to share the numbers at the next pentester meetup.

Let's go all in. We are looking for an answer to the question: “What percentage of income is spent on IT services?” A wonderful study comes to the rescue: “Security in the clouds and beyond: a study-forecast for CISOs for 2024” from the Yandex Cloud team and the DRT company. According to it, companies allocate on average 15% of their IT budget to cybersecurity needs.

It only remains to find at least some clue to the size of a medium-sized business's IT budget. Such a clue turned up in cloud.ru's study of the Russian cloud technology market. According to the 650 respondents surveyed in October-December 2022, medium-sized businesses spend 10.1 million rubles on clouds. The study also mentions that for medium-sized businesses this level of spending is about 13% of the annual IT budget. That gives approximately 77.7 million for IT, of which 15% goes to information security: almost 12 million per year for information security. We open Habr Career and look up the average salary of information security employees. As of April 2024, it was 220 thousand. Add the various insurance contributions with a coefficient of 1.5, and we get almost 4 million per year for one security officer.

The conclusion is that the average business can barely afford one employee in the role of security specialist, let alone pay for my bug bounty and FSTEC certification. Granted, one security specialist for about 200 people is still not bad, but this poor guy will have to justify in every budget round how my “quality” information security application will help the business. And answer the question: why bother at all, when you can buy a cloud solution without certificates and bug bounties and save a lot of money? Better to put that money into marketing, it will be more useful.

Well, we found the numbers we needed, and I will definitely discuss them with colleagues at the next meetup. I wish you that your information security gets approved far more easily than it does for the poor guy in our example, and that money for certified systems is always available and allocated 🙂

List of assumptions

  • The company budgets were taken from companies that use clouds, and for 2022. Perhaps there is much more money now

  • There is no data on how many employees the average business has in its information security department

  • The move away from a focus on small businesses was based on responses from two respondents
