
How to get management buy-in for application security tools

Jaikumar Vijayan, Freelance writer

Recent mega data breaches, compliance requirements, and evolving threats have made security a board-level concern and spurred greater corporate spending on it. However, getting management buy-in for application security spending can be tricky because of a lack of commonly accepted metrics for demonstrating the tangible business benefits that can result from it.

Gartner pegged worldwide information security spending at $75.4 billion in 2015, an increase of 4.7 percent compared to the year before. While some of that increased spending has no doubt trickled down to application security, overall spending on it remains somewhat low. In a UBM Tech survey of 187 IT professionals, sponsored by Hewlett Packard Enterprise, 37 percent said their organizations spent barely 10 percent of their IT security budgets on securing applications in 2015. About one-third claimed to spend between 10 percent and 20 percent.

At the same time, the risk posed to organizations from insecure and improperly protected web, mobile, and cloud applications has grown sharply in recent years. WhiteHat Security’s recently released Web Applications Security Statistics Report showed that a majority of applications have between one and two serious vulnerabilities on average. That survey also showed that IT companies take a staggering 250 days on average to remediate vulnerabilities, while retail companies take 205 days.

However, efforts to shore up application security and implement more secure development practices are being impeded by a lack of management buy-in in nearly six out of ten organizations, the UBM survey found.

TechBeacon spoke to leading analysts to round up four ways to make your case stronger when pitching for application security dollars.


Making the case for spending on application security

Somewhat encouragingly, many organizations appear to realize the importance of increased investments in application security. Nearly half (45 percent) of the respondents in the UBM survey said their organizations planned to increase investments in application security over the next 12 months in areas such as vulnerability reduction in proprietary and open-source software and, to a lesser extent, penetration testing and code reviews.

1. Talk up the cost benefits

When making a pitch for application security spending, highlight the costs of not spending enough time or dollars on it. Security is frequently seen as a drag on software development processes, especially in an era of DevOps and continuous development methodologies. Security teams often lament how the rush to meet customer demands for new applications and functionality results in software being shipped to production without adequate testing for security vulnerabilities.

It’s important for security groups to make clear that “the risk of not doing application security exceeds the total lifetime revenue stream or benefit from the app,” said Richard Stiennon, chief research analyst at IT-Harvest.

“Every justification used to invest in developing an app has to be weighed against all of that benefit, and then some, being erased with one bug that could have been prevented with good app security.” —Richard Stiennon, IT-Harvest

One common recommendation from analysts is to use publicly available information about data breaches to demonstrate how much it would cost your organization in money, time, reputation, and lost business opportunities if you experience a similar security incident. If possible, and if the information is available, use examples of breaches at application environments that are similar to yours.

It’s important to highlight the fact that catching security vulnerabilities during development is considerably less expensive than finding and fixing them in production, Stiennon said. “A good tool, like a code spell checker, can prevent stupid mistakes at close to zero cost,” Stiennon said. “Fixing a bug in testing is very expensive. Fixing a bug in production is exponentially more.”


2. Have a seat at the table

Having someone from security involved with the business and IT development team right from the start of a project is a good way to convey the value of application security practices to management, said John Pescatore, director of emerging security threats at the SANS Institute.

Typically, it is the business side that drives application development at many organizations. Business owners decide what applications they want and the features they would like to see in those applications, while IT develops and manages the apps for them. It should be the security organization’s responsibility to help the business and IT organization identify risks and ways to manage and mitigate them through the entire product development lifecycle, Pescatore said.

It is important to identify practical controls for managing risks in a manner that is business-friendly and yet supports the organization’s governance, risk management, and compliance program. “What are the most critical controls to make the auditors happy? What are the things you should focus on first? How do you ensure basic security hygiene? What do you have in your procurement language and software contracts?” Pescatore said.

By working with business units to drive information security advancement and manage risk appropriately, security organizations can raise awareness of the application security function and engender broader management buy-in for it, he said. If your IT organization follows an established governance standard such as Control Objectives for Information and Related Technologies (COBIT) or the Capability Maturity Model (CMM), use that standard as justification for increased spending on application security.


3. Demonstrate ROI

Spending on application security controls does not directly translate to increased revenue, so it can be hard to demonstrate a return on investment, at least in the conventional sense of the term. This is especially true because security is dependent on a variety of hardware, software, process, and personnel factors, and it can be extremely challenging to isolate one component when computing ROI.

But the fact is, ROI metrics do not always have to be financial, Pescatore said.

“ROI can be in savings. ROI can be in business benefits, more reliability, or more code reuse.” —John Pescatore, SANS Institute

There are several factors you can use to show management the return on security investment. For example, the Common Vulnerability Scoring System (CVSS), used by the National Vulnerability Database, offers a generally accepted way of estimating the magnitude of the damage if a particular vulnerability were exploited in your environment. It is easy to tailor the system so you can arrive at high-level damage estimates that are specific to your organization.

Similarly, statistics are publicly available on how much organizations in your industry and of comparable size are spending on IT, what proportion of their overall revenues that spending represents, and how much is being spent on application security. See how your organization’s spending stacks up against the others, as a proportion of your overall revenues and IT spending and also in comparison to your risk profile.

Such analysis can show whether your organization is spending too little, too much or the right amount on application security.

4. Demonstrate efficiency and effectiveness

Talk up the benefits of paying more attention to application security from an efficiency and effectiveness standpoint, said Pete Lindstrom, an analyst with IDC. “Efficiency is doing more things and doing it at a lower cost, and effectiveness is reducing attack surface and reducing vulnerability density [in your code],” he said.

Show, for instance, how an investment in application security can potentially help identify and address vulnerabilities in code earlier in the development lifecycle and therefore get the application to production in quicker fashion. The cost to fix a vulnerability and the time required to fix are two efficiency metrics that he noted are good to reference when justifying application security investment to management.

When using such metrics, though, it is important for security organizations to emphasize that the goal in identifying and closing vulnerabilities earlier in the production cycle is not to eliminate risk altogether, but to manage it in better fashion.

“[Most organizations have a] very, very poor understanding of risk and security at the application layer. There is no strategic thinking around this idea that you should try to understand the attack surface and then predict the number of vulnerabilities so you can create a spectrum and scale to work with.” —Pete Lindstrom, IDC

What's the best approach for getting management buy-in for going all in on application security? Share your wins, big or small.
