The bottom line on corporate decision-making comes down to the bottom line. It’s critical to demonstrate value for any new or expanded initiative. Fall short, and your odds of success are greatly diminished.
How do you build the financial case for more robust AppSec, when the focus is on the impact to the bottom line? The key is understanding how to effectively design and present a budget that makes sense to your stakeholders. A crucial element is to recognize that stakeholders need options and choices. By breaking down your budget into categories such as “must do,” “should do,” and “could do,” you’ll greatly increase the odds of securing the budget you need. It’s a lot harder to say no to several different options than to one plan and one number.
You most likely have a range of priorities within your AppSec initiative that you’d like funding for – the must do, should do, and could do activities you and your team want to execute. If you break down your “ask” into these three categories, you give your stakeholders options regarding what they can approve. For example, you might offer the following budget options:
Must: We must comply with industry regulations regarding AppSec. Whether it’s PCI, HIPAA, or NY DFS cybersecurity regulations, non-compliance is not an option, and getting budget to address regulations shouldn’t take much convincing.
Should: We should assess code with static analysis, eliminate all “high” or “very high” severity flaws, and train developers on secure coding. Getting at the most-likely-to-be-exploited vulnerabilities and cutting down on the new vulnerabilities being introduced into your code is a good place to start.
Could: We could employ multiple testing techniques beyond static analysis and eliminate the “medium” severity flaws as well. Ultimately, static analysis is a good starting point, but truly effective AppSec requires several testing types that find different vulnerabilities in different ways, including dynamic analysis, software composition analysis, and manual penetration testing.
The right frameworks can help guide you through this budget breakdown. For instance, the Veracode Verified program provides best-practice AppSec roadmap you can use to show a clear path forward. It can also help you break down the must/could/should items. The ability to show progress and defend your budget is essential to getting the backing your need from key executives. You also don’t want to stall at the “must” budget, but show a path toward the most effective and efficient AppSec program.
After breaking down your budget to give stakeholders options, you can create urgency around the spend by finding an event or series of events that demonstrate the seriousness of the issue. This includes data about code vulnerabilities, incidents, and breaches, and what direct and indirect costs grow out of these events. For example, British Airways was recently fined £185 million for its data breach.
In addition, highlight efficiencies gained by your program. For example, demonstrate how an integrated and automated program will free staff from cumbersome and time-consuming processes, or how teams will be able to better focus on innovation.
Finally, a good foundation for any business case is industry stats or benchmarks. Consider adding these data points into your pitch. You can find some in our State of Software Security report or consider the OpenSAMM model.
Ultimately, any presentation should deliver only the most relevant points in a digestible format. Busy executives want to know whether a project will have a positive impact and what that positive impact will be. In order to become an effective change agent, keep your proposal and budget request limited to a half a dozen key points, and be sure to focus on the issues that matter to specific executives.
Remember, a robust AppSec program is a multi-year endeavor, and keeping the funding stream flowing is critical. In order to do this, budget requests must be tied to metrics, KPIs, and other measures. You must demonstrate ongoing success and show results in real-world ways that truly matter to business leaders and your enterprise. With buy-in from key stakeholders, your odds of obtaining essential funding and support are high. And that, in the end, is a formula for a more secure enterprise.
For more details on making the case for AppSec budget, see our new guide, Building a Business Case for Expanding Your AppSec Program.