Security departments are juggling a multitude of security initiatives, and each is competing for a slice of one budget. How do you make the case that AppSec deserves a slice of that budget pie, or a bigger slice, or even to make the pie bigger? Here are a few key ways:
The most obvious compelling event, of course, is a breach, but there are other events that will compel executives to budget for application security. For instance, regulations could be a compelling event – if you have to comply with a security regulation (PCI, NY DFS cybersecurity regulations, etc.) or pay a fine, that’s an easy budget win. In addition, customers asking about the security of software could be a compelling event. IT buyers are increasingly asking about the security of software before purchasing. We recently conducted a survey of IT buyers with IDG, and 96 percent of respondents reported that they are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.” Sales losing a deal because they couldn’t respond to a security audit would certainly be considered a compelling event.
A clear road map and plan for your AppSec program not only gives you more credibility, but also helps to “warm up” your investors to what you’re planning on doing in future years. Show the efficiencies and risk reduction your program will make in the future to highlight how upfront investment will lead to future results. For instance, an investment in developer training will make developers more self-sufficient and lessen the burden on security teams.
It can be powerful to illustrate where your organization’s security program sits relative to other organizations and your peers. If you're lagging, it’s a clear indication that further investment is needed. If you're leading, you can use that fact to prove your progress and make the case for more ambitious projects.
Veracode’s State of Software Security is a good benchmarking resource, as is the OpenSAMM framework. The State of Software Security report includes comparisons by industry, so you can point to the application security progress made by others within your own industry. In addition, OWASP’s Application Security Verification Standard (ASVS) can help organizations to classify applications into three different levels from low to high assurance. This helps firms to allocate security resources based on the software’s business importance or risk breach.
Speak the language of executives when making the case for more budget. For instance, telling the CFO, “we've reduced the number of SQL injections” won’t resonate. Rather than the number of SQL injections, talk about how the program will reduce the number of breaches by X percent, or how it will reduce the cost to fix vulnerabilities by X percent. Be mindful of your audience and frame your budgeting conversation accordingly.
The more credible you are, the better your chances of getting the budget you’re asking for. Clearly understand what you're going to do with the money, and how you're going to justify that spend. Prove that you understand how your organization works and that you will use the money effectively. Finally, tie application security to business priorities and initiatives, and be able to show a clear roadmap for your program.
In addition, be visible. It's important to promote success of your program. Present on the progress you’re making, run awareness sessions, or have visible dashboards.
You’ll have a range of priorities and things that you could be spending money on in your AppSec program. Give your budget stakeholder options. Start with what you must do – for instance, what you need to achieve for regulatory compliance. And then give them some wiggle room in the middle on projects that they should or could do. If you go in with a number in mind and don't get it, be ready to slice and dice your budget request.
Get more details on these strategies and additional tips and advice on making the case for AppSec budget in our new guide, Building a Business Case for Expanding Your AppSec Program.