When it comes to application security, I’ve yet to meet an IT or security professional who hasn’t struggled with getting – and keeping – management on board. The challenges of executive support for security initiatives know no boundaries. Getting management on your side with application security can be a constant battle, so what can you do about it?
From the smallest of cloud service provider startups with no security maturity to the largest of corporations with well-established information security programs, financial and political support for security is often fleeting at best.
Why is this? Year after year, we not only see application security-related breaches in the headlines, but the challenges are underscored by numerous studies. Application security is a problem that needs attention.
Any reasonable person would think that the negative consequences of not properly supporting security over the long term just aren’t worth it. Well, it’s not that simple. There are some core human communication and belief issues at play here that are at the root of why getting management support for security can be difficult.
We can look at many areas of society and see similar challenges. Certain automobiles have poor safety ratings, yet people still drive them. We know the solution to type 2 diabetes, yet it’s as great a problem as ever. Bring political correctness into the discussion on many of society’s issues and nothing gets resolved.
Application security is no different. In many cases, either people see what they want to see or, worse, they don’t want to hear about it if it does not impact them directly. Ignorance is bliss.
If you’re going to obtain – and, just as importantly, keep – the necessary support for your ongoing application security initiatives, there are several key things people in IT, security, and software development keep doing wrong:
- They don’t make themselves known. They stay hidden in their cubicles with little to no interaction with decision-makers. I’ve done this before and it ended with me getting laid off. A blessing in disguise but a tough lesson nonetheless.
- They don’t share with management what they’re doing and what they’re finding. This is especially important for application security assessment results. Keep them out of sight and they’re going to remain out of mind. That’s exactly what you don’t need.
- They’re not creating a compelling case. They say that security is important without explaining why.
- They’re not staying in touch. It’s one thing to touch base with management once or twice and then go back into hiding. It’s quite another to foster the relationships and visibility long-term. This is critical.
It’s these things that I’m witnessing time and again that keep that wedge driven between management and application security. The simple solution: stop doing these things! Instead, focus on how you can build yourself and your program up in all of these areas, and do it over and over again indefinitely.
Dr. Phil McGraw once said, “If I’m going to sell Bill what Bill buys I’d better see things through Bill’s eyes.” Management needs to be able to assess what you’re proposing (or struggling with) related to application security and understand how it fits in with their goals.
Remember, it’s not all about you. Nor is it just about IT, security, or software development. You have to frame everything you discuss in terms that management will not only understand but that they can buy into for the greater good of the business.
Why isn’t secure application development a standard in all organizations? The main reason? Because we’re human – and humans make mistakes. Developers, testers, and security experts alike – we can all stand to do more towards improving security in our respective organizations. One of the best ways to improve is to learn from our mistakes. Learn more by reading “Secure Application Development: Avoiding 5 Common Mistakes”.