getting executive support for a software security program
TRANSCRIPT
Looking for Executive Support for
Your Software Security Journey?
6 strategies for a successful executive-level conversation
Gaining executive support for security is not easy
• More than 50% of corporate directors are “not satisfied” with the information they receive on cyber risk. - KPMG
• 66% of companies say senior IT executives report on security to the Board “only occasionally.” - Spencer Stuart
• 60% of IT and security leaders say the information they provide on cyber risk is NOT actionable. - Osterman Research
• 12% of CISOs include no metrics at all in their reports to senior executives. - SearchSecurity
Software security is one of many
competing priorities.
How can you build support for a
successful journey?
Explain why software security is essential
• The vast majority of security vulnerabilities – up to 90% – are found in applications.
• Half of software vulnerabilities stem from bugs within code, half from flaws in architecture and design.
• Finding and fixing security defects is more efficient and less costly the earlier it happens in the development cycle.
Align your message with business priorities
• Classify applications according to business risk:
  • Revenue
  • Customer satisfaction
  • Business continuity
  • Competitive advantage
  • Sensitive data
• Clarify upcoming regulations or contractual obligations for applications that require special attention.
• Explain that investment in application security will improve your overall risk profile.
Estimate savings of moving security “left” in the SDLC
Cost of fixing vulnerabilities when the 200 critical bugs are identified EARLY versus LATE in the lifecycle:

Stage        | EARLY: bugs found | Cost per bug | Cost, all bugs | LATE: bugs found | Cost per bug | Cost, all bugs
Requirements |        -          |     $139     |       -        |        -         |     $139     |       -
Design       |        -          |     $455     |       -        |        -         |     $455     |       -
Coding       |       200         |     $977     |    $195,400    |        -         |     $977     |       -
Testing      |        -          |   $7,136     |       -        |        50        |   $7,136     |    $356,800
Maintenance  |        -          |  $14,102     |       -        |       150        |  $14,102     |  $2,115,300
Total        |       200         |              |    $195,400    |       200        |              |  $2,472,100

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3M ($2,472,100 - $195,400 = $2,276,700).
Identify your current position and your future vision
Low maturity:
• Security checks just prior to software release.
• Irregular, superficial scans.
• Patch after product release, when operations fail or breaches are discovered.
High maturity:
• Security checks integrated within development.
• In-depth, business-logic testing.
• Defects fixed before products are approved for release.
Go with a group on a well-traveled path
• Compare your software security strategy to others.
• Show executives how other organizations prioritize resources to reduce risk.
• Identify areas in which your organization lags behind.
Expose the gaps in your security strategy
• Which high-risk applications are developed and released without security testing?
• What types of attacks may be escaping your assessment tools?
• Which security defects persist in code coming from your development team or partners?
Estimate how your spend is balanced with your risk
[Chart: share of total security spend versus share of security risk, for Network Security and Application Security (scale 0% to 40%), annotated to show where spend exceeds risk (“Overspend”) and where risk exceeds spend (“Underspend”).]
Risk data from Ponemon, State of Risk-Based Security Management 2013
Explain what holds you back from making more progress
If you need more application security skills, you aren’t alone*.
[Chart: survey responses to “What types of skills are you seeking to add to your organization?”, grouped as In-house, Consultant and Cloud services (scale 0 to 100).]
*Source: SANS
Show your results MORE or LESS
• MORE applications reviewed and signed off as meeting an acceptable level of security.
• MORE software projects that go through a secure development lifecycle.
• MORE security bugs fixed within the recommended time.
• FEWER security bugs that recur in application development.
• LESS time to remediate security vulnerabilities.
Draw a map that is easy to follow
• Use a consistent framework for measurement.
• Provide visual representations so your audience can focus on priorities.
• Show previous results alongside current results to demonstrate progress.
Pace yourself
• Prepare executives for the time it takes to develop software security expertise and demonstrate success.
Avoid congestion on the trails
Before you talk with the executive team…
• Ground your analysis in the business strategy of the company, so you can prioritize the applications that matter most.
• Create an alliance with development leaders so they feel confident that software security activities will accelerate, rather than impede, their work.
Come prepared with solutions to present
Q: How would you invest in building the software security skills of your internal team?
A: Choose a training approach that fits your budget and schedule.
Q: How can you get support to improve the breadth and depth of your security program?
A: Find a managed services partner with software security expertise.