Information security practitioners know all too well that garnering the support of senior management, can significantly benefit, and advance, their long-term application security objectives for the organization. However, the path to gaining that support is often more challenging and confusing than it should be.
Why should application security be the recipient of genuine management support? Because the world in which organizations do businesses online has drastically changed. Applications now represent the largest footprint for entry and access to our environments and data, yet applications are tested and secured in arbitrary and ad-hoc manners. On the other hand, management still tends to focus on traditional ingress points and place budget and support behind firewalls and other outdated security controls.
The business answer however has proven to be challenging an often confusing. Management’s understanding of the business justification can be expressed in many ways – the key to that expression lies in marrying the justification to the core business of the organization. Competitive advantage tends to not make that list often enough. Customer loyalty built on trust, partner confidence and protection of Intellectual Property are significant competitive differentiators.
Securing management’s commitment to Application Security begins with identifying whom you need to appeal to. Application Security requires long-term commitment, and as such falls under the purview of senior-level executives. Managers below the executive level may perceive these objectives as distractions and diversions of already scarce resources. This perception is in direct conflict with long-term initiatives: focus on lasting cost effectiveness, development cycle-time improvements, customer satisfaction and competitive advantages. These are strategic issues that generally are of the most concern to senior executives. Performance measures of intermediate managers are geared towards immediate short-term goals. Recognize that this is a necessary structure and the inextricably conjoined nature of securing support for Application Security is tied to the long-term success of an organization, which does not diminish the short term success to be achieved by this undertaking or the efforts of those whose responsibility it is to achieve these goals.
Appealing to your audience, once identified, requires an understanding of how your objectives support their current objectives and improves their standing amongst their peers and high-lever managers regardless of its impact on their immediate performance measures. It is at this stage where you need to demonstrate the significant long-term benefits, including how similar initiatives have benefitted other organizations within your industry vertical. Highlighting where your organization stands as compared to others in your vertical is a data point that resonates with your audience.
With the attention of a senior manager, and your data points and value propositions well articulated, achieving management commitment on all levels will garner the desired support. Success at this stage is measured in action. That action may be nominal, but the journey of a thousand miles begins with one step.
About the Author:
As Managing Director, Solutions Architecture at WhiteHat Security, Gabriel drives the evolution of enterprise clients businesses, organizational and internal program development. An accomplished security professional and IT Manager with 14 years of experience spanning multiple disciplines, Gabriel currently focuses his efforts in the world of Application Security.