Want your application security program to succeed? Get your boss on board. You need your CISO’s buy-in, and not just for scanning or pen testing a few business-critical apps – but for building a mature, robust program that secures every application the organization builds, buys or assembles. Here’s why:
Reason 1: You need your boss to be a champion for your program with the C-team
You need a C-level application security champion (such as your CISO) in order to get the entire executive team’s buy-in. This champion needs to understand why a mature AppSec program is critical and be able to talk intelligently about it to the rest of the C-team on their terms – meaning, less talk about static and dynamic analysis and more talk about the bottom line.
Beyond the technology or technical details of the program, make sure your boss understands, and can talk to his or her peers about:
- The benefits of a mature AppSec program to the organization.
- How the assessment cycle will speed up development and reduce the cost of remediating vulnerabilities post-production.
- The risk that vulnerabilities in the application layer pose to the organization, and how reducing this risk will ultimately save the company money and time.
Reason 2: With the C-suite on board, you’ll get the support you need from other departments
If you have support for your application security program from the executive team, other departments in the organization will be compelled to participate and support the program as well. Application security is unique in that it affects the work routines of many different departments in your organization. If these departments don’t understand and embrace the changes brought about by your program, you’re stalled. For instance, the development team can be the biggest barrier to the success of the program, because if they do not follow the protocol set forth by the program plan, you won’t be able to demonstrate the value of the plan.
Reason 3: C-suite support means you’ll be able to scale your program
Ultimately, the more support the application security program has from the C-suite, the more likely the security team will be able to scale the program to cover the entire application layer over time. The end goal needs to be a mature, robust application security program that secures every application at your organization, regardless of origin. It’s not enough to secure only the applications you build or only the business-critical ones. Recent high-profile and costly breaches have stemmed from non-business-critical third-party applications and open source components. Your organization isn’t truly secure unless your application security program can assess every application, with the ability to scale as your organization expands and changes.
A Few Conversation-Starting Stats
Bottom line: Make sure you’ve got the right people on board to ensure your application security program has a chance. And start with your boss; here are a few stats to help get the conversation started:
- Compared to Q1 2015, Q2 2015 saw a 17.65% increase in distributed denial of service (DDoS) attacks targeting the application layer. – Akamai’s Q2 2015 State of the Internet Security Report
- In 2014 alone, there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen.
- 60% of a typical enterprise application portfolio comes from third parties, yet 90% of third-party code does not comply with enterprise security standards, such as the OWASP Top 10. – Quocirca and Veracode’s State of Software Security Report
- Veracode’s analysis of more than 5,300 enterprise applications uploaded to its platform over a two-month period found that components introduce an average of 24 known vulnerabilities into each application. – Veracode’s State of Software Security Report
For more details on getting buy-in for your application security program, check out our guide, Cracking the Code on Application Security Buy-In.