Looking for Executive Support for Your Software Security Journey? 6 strategies for a successful executive-level conversation

Uploaded by: cigital

Posted on 15-Apr-2017



Gaining executive support for security is not easy

• More than 50% of corporate directors are “not satisfied” with the information they receive on cyber risk. - KPMG

• 66% of companies say senior IT executives report on security to the Board “only occasionally.” - Spencer Stuart

• 60% of IT and security leaders say the information they provide on cyber risk is NOT actionable. - Osterman Research

• 12% of CISOs include no metrics at all in their reports to senior executives. - SearchSecurity

Software security is one of many competing priorities. How can you build support for a successful journey?

6 strategies that set you on the right path

STRATEGY 1: Get executive attention

Explain why software security is essential

• The vast majority of security vulnerabilities – up to 90% – are found in applications.

• Half of software vulnerabilities stem from bugs within code, half from flaws in architecture and design.

• Finding and fixing security defects is more efficient and less costly the earlier it happens in the development cycle.

Align your message with business priorities

• Classify applications according to business risk:
  • Revenue
  • Customer satisfaction
  • Business continuity
  • Competitive advantage
  • Sensitive data

• Clarify upcoming regulations or contractual obligations for applications that require special attention.

• Explain that investment in application security will improve your overall risk profile.

Estimate savings of moving security “left” in the SDLC

Cost of fixing vulnerabilities EARLY vs. LATE (same 200 critical bugs; per-bug cost depends on the stage at which the bug is found)

                     EARLY                                            LATE
Stage           Critical bugs  Cost of fixing  Cost of fixing   Critical bugs  Cost of fixing  Cost of fixing
                identified     1 bug           all bugs         identified     1 bug           all bugs
Requirements    -              $139            -                -              $139            -
Design          -              $455            -                -              $455            -
Coding          200            $977            $195,400         -              $977            -
Testing         -              $7,136          -                50             $7,136          $356,800
Maintenance     -              $14,102         -                150            $14,102         $2,115,300
Total           200                            $194,400         200                            $2,472,100

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3M.

STRATEGY 2: Aim for high ground

Identify your current position and your future vision

Low Maturity: Security checks just prior to software release.
High Maturity: Security checks integrated within development.

Low Maturity: Irregular, superficial scans.
High Maturity: In-depth, business-logic testing.

Low Maturity: Patch after product release, operations fail or breaches are discovered.
High Maturity: Defects fixed before products are approved for release.

Go with a group on a well-traveled path

• Compare your software security strategy to others.

• Show executives how other organizations prioritize resources to reduce risk.

• Identify areas in which your organization lags behind.

STRATEGY 3: Recognize danger

Expose the gaps in your security strategy

• Which high-risk applications are developed and released without security testing?

• What types of attacks may be escaping your assessment tools?

• Which security defects persist in code coming from your development team or partners?

Estimate how your spend is balanced with your risk

[Chart: Network Security vs. Application Security, comparing share of total spend (0%–40%) against share of security risk, with overspend and underspend marked.]

Risk data from Ponemon, State of Risk-Based Security Management 2013

Explain what holds you back from making more progress

If you need more application security skills, you aren’t alone*.

[Chart: “What types of skills are you seeking to add to your organization?” – responses (scale 0–100) for In-house, Consultant and Cloud services.]

*SANS

STRATEGY 4: Count your steps

Show your results: MORE or LESS

• MORE applications reviewed and signed off, indicating an acceptable level of security.

• MORE software projects that go through a secure development lifecycle.

• MORE security bugs fixed within the recommended time.

• LESS security bugs that reoccur in application development.

• LESS time to remediate security vulnerabilities.

Draw a map that is easy to follow

• Use a consistent framework for measurement.

• Provide visual representations so your audience can focus on priorities.

• Show previous results alongside current results to demonstrate progress.

Pace yourself

• Prepare executives for the time it takes to develop software security expertise and demonstrate success.

STRATEGY 5: Bring friends

Avoid congestion on the trails

Before you talk with the executive team…

• Ground your analysis in the business strategy of the company, so you can prioritize the applications that matter most.

• Create an alliance with development leaders so they feel confident that software security activities will accelerate, rather than impede, their work.

STRATEGY 6: Pack smart

Come prepared with solutions to present

Q: How would you invest in building the software security skills of your internal team?

A: Choose a training approach that fits your budget and schedule.

Q: How can you get support to improve the breadth and depth of your security program?

A: Find a managed services partner with software security expertise.

The right software security partner helps you give your executive team the answers it needs (and regulators, shareholders, and customers too).