Want your application security program to succeed? Get your boss on board. You need your CISO’s buy-in, and not just for scanning or pen testing a few business-critical apps – but for building a mature, robust program that secures every application the organization builds, buys or assembles. Here’s why:
You need a C-level application security champion (such as your CISO) in order to get the entire executive team’s buy-in. This champion needs to understand why a mature AppSec program is critical and be able to talk intelligently about it to the rest of the C-team on their terms – meaning, less talk about static and dynamic analysis and more talk about the bottom line.
Beyond the technology or technical details of the program, make sure your boss understands, and can talk to his or her peers about:
If you have support for your application security program from the executive team, other departments in the organization will be compelled to participate in and support the program as well. Application security is unique in that it affects the work routines of many different departments in your organization. If these departments don’t understand and embrace the changes brought about by your program, you’re stalled. For instance, the development team can be the biggest barrier to the success of the program: if developers do not follow the process set forth by the program plan, you won’t be able to demonstrate the plan’s value.
Ultimately, the more support the application security program has from the C-suite, the more likely the security team will be able to scale the program to cover the entire application layer over time. The end goal needs to be a mature, robust application security program that secures every application at your organization, regardless of origin. It’s not enough to secure only the applications you build or only the business-critical ones. Recent high-profile and costly breaches have stemmed from non-business-critical third-party applications and open source components. Your organization isn’t truly secure unless your application security program can assess every application, with the ability to scale as your organization expands and changes.
Bottom line: Make sure you’ve got the right people on board to ensure your application security program has a chance. And start with your boss; here are a few stats to help get the conversation started:
For more details on getting buy-in for your application security program, check out our guide, Cracking the Code on Application Security Buy-In.