Application Security is never a ‘one-and-done’ deal. It is ongoing, ever-evolving, and its centrality in organizations is ever-growing. As technology’s scope and complexity increase, the emphasis on application security needs to grow as well. No matter which stage of the maturity model you are in, application security is a constant in your approach.
Be very wary of jumping to the questions ‘so what do I need to buy’ and ‘how much is this going to cost me (and my CEO/CFO)’. You may not have an easy road ahead, but the key to creating a cost-effective and comprehensive security program is starting out with a solid foundation: knowing where your application security program has been and understanding where you’d like it to head.
The emerging and ever-evolving role of the CISO and the changing technological landscape have rendered many past programs irrelevant. As security keeps changing – services moving to the cloud, agile environments, DevOps teams, etc. – these three steps, based on OWASP’s CISO AppSec Guide for designing an Application Security Program, will help CISOs in the pre-planning stages of their application security program.
1. Map It Out
The first step towards building a security strategy is connecting the dots between security goals and business priorities. Being in touch with your organization’s business goals is the basis for a grounded, realistic program and the best approach to eventually communicating your program as a value proposition.
Designing your strategy to be flexible and actionable is essential to its longevity. Plans will be thrown aside if they’re too grand or, conversely, too structured. Too many critical, moving parts are at risk if the plan isn’t made to be flexible. An eye to adaptability and simplicity at every level will help you build a measurable and long-term program, and tying security goals to business priorities will help you attain that.
2. Assess Where You Are & Where You Want To Go
Where are you now and where do you intend to go in your security strategy? Start building your future by forming a deep understanding of your past and current maturity models and using them to shape the next one. In this way, your program will have a distinct starting point – today.
How mature is your security program and how do you see it advancing in the future? You may have many departments whose responsibilities and security needs differ and overlap. Pinpoint the weaknesses and strengths in your current strategy, and start by assessing the security models in each department.
Do you have regulatory requirements and are your current practices sufficient? Have you adopted security into your Software Development Life Cycle (SDLC)? These are areas to assess by utilizing interviews, surveys, and meetings to help you frame your approach.
Identify the gaps and decide what you would need to secure them, and create a vision of mitigating risks with the goal of eliminating threats in a dynamic organization.
3. Establish an Obtainable, Rational Target State to Achieve
At this point, you know where your program stands and have some idea of the maturity level that you wish the program to attain. Now it’s time to sift through all the data you’ve collected and create an obtainable target state using your assessment.
Be true to your organization when creating your target state. Don’t shoot for the stars with lofty goals that there is no possibility of reaching. Your target state needs to be measurable, strategic and within your organization’s constraints, such as budget and time. You don’t need to be at the peak maturity stage in your program, because that’s just not feasible for everyone.
The Next Step: Communicating Your AppSec Program Strategy To Upper Management
As a CISO, you have one final step to go before you can take action and finalize your program – communicating it to your CEO. By using these starting points as a map for your strategy, you’ll be able to communicate clear points and have an easier time aligning expectations and getting support.
The phrase “knowing your audience” applies well to how you communicate your program to the higher powers. Putting your strategy in business terms, and stressing that while the program may not be a source of profit it is certainly a safeguard against substantial losses, will allow you to communicate the strategy’s worth in a way they will easily understand.