Selling senior-level executives on any new concept can often feel like a trek up a mountain with a 60-pound pack on your back. So, how can you take your application security program to a new and better level with less effort? You focus on what’s really important: getting the right message to the right audience in a language they speak and connect with. Because when people hear things in terms that matter to them — and there’s persuasive evidence on hand — they stop resisting and even embrace the change.
But sending one message to the multiple leaders involved in a decision-making process is a mistake. Refining your message appropriately by focusing on the information relevant to each group will help you build credibility, more effectively communicate your vision, and more easily gain buy-in. It’s an approach that extends far beyond AppSec, but it has particular relevance in this space.
Any successful salesperson understands that it’s easier to close a sale when you communicate selling points that really matter to your audience. The same holds true when you are “selling” AppSec internally. Your success hinges on understanding your strategic arc over the course of months and years, establishing metrics and KPIs that demonstrate your progress, and connecting all of this to tangible benefits for the people who hold the purse strings and can greenlight your initiative, and whose support you need for the successful implementation and administration of your program.
You can gain the support you need by building a basic business case for the key groups in your organization, and ensuring that each stakeholder receives the specific information they need in words, figures, and graphics they understand. Whether it’s showing them how your AppSec program cuts costs, scales up efficiencies, fuels your DevOps strategies, or improves the company’s overall trust with business partners and customers, hitting the target matters. It’s crucial to document actual problems and incidents, and then use company data to support your case.
Here are six key ways to gain C-suite executive buy-in for AppSec:
Ultimately, anyone selling an AppSec program to their organization’s top decision-makers should take the time to identify risk benchmarks as compared to their industry peers — and what these mean in both practical terms and actual dollars. A focus on real-world issues and results, tied to what matters for specific stakeholders, can significantly boost your odds of success.
For more information about how to promote AppSec, check out our new guide, Building a Business Case for Expanding Your AppSec Program.