Great Ways to Get Management on Your Side with Application Security

May 23, 2016 By Kevin Beaver

When it comes to application security, I’ve yet to meet an IT or security professional who hasn’t struggled with getting – and keeping – management on board. The challenges of executive support for security initiatives know no boundaries. Getting management on your side with application security can be a constant battle, so what can you do about it?

From the smallest of cloud service provider startups with no security maturity to the largest of corporations with well-established information security programs, financial and political support for security is often fleeting at best.

Why is this? Year after year, we not only see application security-related breaches in the headlines, but the challenges are underscored by numerous studies. Application security is a problem that needs attention.

Any reasonable person would think that the negative consequences associated with not properly supporting security over the long-term just aren’t worth it. Well, it’s not that simple. There are some core human communication and belief issues at play here that are at the root of why getting management support for security can be difficult.

We can look at many areas of society and see similar challenges. Certain automobiles have poor safety ratings, yet people still drive them. We know the solution to type 2 diabetes, yet it’s as great a problem as ever. Bring political correctness into the discussion on many of society’s issues and nothing gets resolved.

Application security is no different. In many cases, either people see what they want to see or, worse, they don’t want to hear about it if it does not impact them directly. Ignorance is bliss.

If you’re going to obtain – and, just as importantly, keep – the necessary support for your ongoing application security initiatives, there are several key things people in IT, security, and software development keep doing wrong:

  1. They don’t make themselves known. They stay hidden in their cubicles with little to no interaction with decision-makers. I’ve done this before and it ended with me getting laid off. A blessing in disguise but a tough lesson nonetheless.
  2. They don’t share with management what they’re doing and what they’re finding. This is especially important for application security assessment results. Keep them out of sight and they’re going to remain out of mind. That’s exactly what you don’t need.
  3. They’re not creating a compelling case. They say that security is important without explaining why.
  4. They’re not staying in touch. It’s one thing to touch base with management once or twice and then go back into hiding. It’s quite another to foster the relationships and visibility long-term. This is critical.

It’s these things that I’m witnessing time and again that keep that wedge driven between management and application security. The simple solution: stop doing these things! Instead, focus on how you can build yourself and your program up in all of these areas, and do it over and over again indefinitely.

Dr. Phil McGraw once said, “If I’m going to sell Bill what Bill buys I’d better see things through Bill’s eyes.” Management needs to be able to assess what you’re proposing (or struggling with) related to application security and understand how it fits in with their goals.

Remember, it’s not all about you. Nor is it just about IT, security, or software development. You have to frame everything you discuss in terms that management will not only understand but that they can buy into for the greater good of the business.

Kevin Beaver

Information Security Consultant at Principle Logic, LLC
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 27 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached via his website at principlelogic.com and you can also connect with him on Twitter and on Youtube.