As an Application Security (AppSec) leader, one of the most significant challenges you might face is securing management support for your program. This lack of support often results in under-resourced AppSec teams feeling frustrated and unable to make a meaningful impact.
To foster an environment where your team feels valued and prevents burnout, AppSec leaders must prioritize gaining additional resources.
In many organizations, security tends to climb the priority ladder slowly, requiring AppSec leaders to put in extra effort to secure the necessary approvals. Here are three strategies that can help you win management buy-in and create a better environment for your team.
1. Implement Metrics in Your Security Program
In the lack of metrics, it becomes challenging to identify inefficiencies and tie them to numerically defined risks.
As a first step, metrics can be built off vulnerabilities discovered by security testing tools or pen tests. False negatives will always happen, but since you do not know what you do not know, let’s leave them aside for now.
Some metrics we could use to identify bottlenecks are listed below. Once a bottleneck that leads to increased risk is identified, there is no silver bullet solution. Depending on the internal structure, the solution might be lying in better processes, new tools or more headcount or all of them.
In any case, once metrics are in hand, they provide a firm ground to justify the resources needed to decrease business risk while gaining the trust of management with a data-driven ask that speaks their language.
- Triage Percentage: This metric is helpful for identifying potential bottlenecks in the triage process. If 10% of new vulnerabilities can be triaged each month, 90% of reported vulnerabilities are not assessed to be real threats or not. If the problem is not solved, either the backlog will grow, which will deteriorate security posture over time or developers will need to deal with untriaged vulnerabilities in the remediation stage, which will most likely create more friction with development teams.
- Missed SLAs: SLAs determine the acceptable time frame to fix true-positive vulnerabilities and serve as a grace period after discovering vulnerabilities. Calculation of SLA starts at the remediation stage in some organizations whereas it starts at the discovery of a vulnerability in others.
Depending on how SLA is calculated in the organization, a deteriorated metric can be a sign of extra resources needed in the triage or remediation stages.
- Burn-down: Burndown metric helps understand how many new true-positive vulnerabilities are introduced vs. how many of them are getting closed.
If the gap is growing, it is worth digging deeper to understand if it is a resource or process problem.
- Time to first response: Time to first response indicates how long it takes to assess whether a reported vulnerability is a real threat or not. If the metric is higher than you’d expect, you might potentially have a resource problem in the triage team or a productivity problem. If developers are actively involved in the triage process, you might also want to investigate deeper.
- Time to first action: Time to first action indicates how long it takes for a developer to start working on a vulnerability assigned to them. If the metric is higher than you’d expect, there might be a problem with planning the inclusion of vulnerabilities in development sprints.
- Time to resolution: Time to first action indicates the average time developers spend on vulnerabilities between starting to work on a vulnerability and closing it. If the metric is higher than you’d expect, the reason might be the lack of security know-how on how to fix vulnerabilities. Breaking down the metric to vulnerability categories would give you a good idea about what type of vulnerabilities your next training session should focus on.
2. Leverage Metrics to Demonstrate ROI
Metrics point to the root cause of the problems and make it easier to quantify the risks that will be mitigated by extra resources. To build trust with the management team, AppSec leaders should convert problems to risks expressed in dollar values and make sure all of their asks are backed by numbers.
Follow these steps to better leverage metrics:
- Assign a dollar value to each vulnerability: The cost of a data breach is estimated to be around $4m these days (https://www.ibm.com/reports/data-breach).
Dividing the total risk of a data breach ($4m) by the number of true positive vulnerabilities will yield the risk associated with each vulnerability in dollars.
- Calculate the risk: If 1.000 new true-positive vulnerabilities arise each month and if we can close only 100 of them with current resources, that means our backlog will grow by 900 vulnerabilities every month. Multiply 900 by the dollar value we attach to a single vulnerability on average and we will be able to calculate the increasing business risk each month in dollars. This is a simplistic model just to give a rough idea but the calculation can be altered to factor in different severity categories or other inputs such as vulnerabilities in internet-facing applications.
- No matter how complex the calculation is, this amount will help figure out how much resources make sense to mitigate that risk. If we are asking for a new hire that will cost $10K to address a risk of $1K, we will be able to tell it just does not make sense and adjust our demand accordingly.
This approach will go a long way to gain the trust of management and to ensure anything you ask for is taken seriously.
3. Collaborate with Other Departments
Most security teams are criticized for being blockers for creativity and progress.
To change this perception and have support from multiple teams, AppSec leaders need to build rapport with the leaders of other teams in the organization. This is easier said than done but the more we understand their concerns and speak their language, the more support we will have when we raise our voice.
As an example, marketing teams constantly publish landing pages of new campaigns or lead forms which potentially expand the attack surface but also present a good opportunity. Would it not be nice for them to know that those pages and the brand image they worked so hard to build are impenetrable by attackers?
This way of thinking helps dig out potential collaboration areas and offers an excellent opportunity to get support for more resources.While this is a representative example, AppSec leaders need to get creative with finding ways to help other teams in the organization so they can achieve their goals.
In conclusion, gaining management buy-in as an AppSec leader requires a combination of implementing metrics, demonstrating ROI, and collaborating with other departments. By employing these strategies, you can secure the resources your team needs and create a fulfilling work environment.