Selling senior-level executives on any new concept can often feel like a trek up a mountain with a 60-pound pack on your back. So, how can you take your application security program to a new and better level with less effort? You focus on what’s really important: getting the right message to the right audience in a language they speak and connect with. Because when people hear things in terms that matter to them — and there’s persuasive evidence on hand — they stop resisting and even embrace the change.

But sending one message to the multiple leaders involved in a decision-making process is a mistake. Refining your message appropriately by focusing on the information relevant to each group will help you build credibility, more effectively communicate your vision, and more easily gain buy-in. It’s an approach that extends far beyond AppSec, but it has particular relevancy in this space.

On Target

Any successful salesperson understands that it’s easier to close a sale when you communicate selling points that really matter to your audience. The same holds true when you are “selling” AppSec internally. Your success hinges on understanding your strategic arc over the course of months and years, establishing metrics and KPIs that demonstrate your progress, and connecting all of this to tangible benefits for the people who hold the purse strings and can greenlight your initiative, and whose support you need for the successful implementation and administration of your program.

You can gain the support you need by building a basic business case for the key groups in your organization, and ensuring that each stakeholder receives the specific information they need in words, figures, and graphics they understand. Whether it’s showing them how your AppSec program cuts costs, scales up efficiencies, fuels your DevOps strategies, or improves the company’s overall trust with business partners and customers, hitting the target matters. It’s crucial to document actual problems and incidents, and then use company data to support your case.

First Things First

Here are six key ways to gain C-suite executive buy-in for AppSec:

  • Avoid acronyms and technical jargon. Nothing confuses and distracts business leaders more than the use of unnecessary technical terms.
  • Use visuals instead of text. Display risks and potential costs in graphics that clearly illustrate potential losses and damage. Rely on numbers, and especially actual dollar figures, to gain credibility. And be sure to refine your message appropriately for each executive. For example, telling your CFO that you’ve reduced SQL injection vulnerabilities by 30 percent most likely won’t resonate. Your CFO wants to know the actual business value of reducing breaches. The CISO wants to understand how AppSec ties into the overall information security program, and the CIO is concerned with the cost of delivery/service and the cost of downtime. Know your audience’s priorities, and speak their language.
  • Forget “features” and emphasize “risks.” Avoid a discussion about specific security products and what they can do, because you run the risk of being seen simply as a technologist rather than a strategic partner. Instead, build a case around potential brand damage with industry metrics, benchmarks, and potential costs. Nearly two-thirds of company directors who responded to a Veracode and NYSE Governance Services survey said they prefer high-level strategy descriptions and risk metrics over information about security technologies.
  • Identify your organization’s pain points. Find a compelling event, such as a recent high-profile security breach, a prospect asking for a security audit, or even a lost sale due to security issues. Present actual data from past incidents to demonstrate how your organization will benefit from AppSec.
  • Pinpoint pet projects. Find something key stakeholders have a burning interest in, and make that your focus. For instance, if your organization’s customers are expressing concerns about privacy and security to your customer service reps, and one of your stakeholders is taking the lead on that issue, attach your cause to that issue. Quantifying the extent of the problem and presenting it to your leaders in a way that clearly illustrates how effective your solutions could be will likely sway decision-makers in your favor.
  • Focus on dollars. The same survey noted above found that among the 200 directors of public companies across a wide swath of industries who responded, 41 percent cited the cost of brand damage — including cleanup, lawsuits, forensics, and credit reporting costs — as a top concern.

Ultimately, anyone selling an AppSec program to their organization’s top decision-makers should take the time to identify risk benchmarks as compared to their industry peers — and what these mean in both practical terms and actual dollars. A focus on real-world issues and results, tied to what matters for specific stakeholders, can significantly boost your odds of success.

For more information about how to promote AppSec, check out our new guide, Building a Business Case for Expanding Your AppSec Program.

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions. 
