As an Application Security (AppSec) leader, one of the most significant challenges you might face is securing management support for your program. This lack of support often results in under-resourced AppSec teams feeling frustrated and unable to make a meaningful impact.
To foster an environment where your team feels valued and prevents burnout, AppSec leaders must prioritize gaining additional resources.
In many organizations, security tends to climb the priority ladder slowly, requiring AppSec leaders to put in extra effort to secure the necessary approvals. Here are three strategies that can help you win management buy-in and create a better environment for your team.
1. Implement Metrics in Your Security Program
Without metrics, it becomes challenging to identify inefficiencies and tie them to numerically defined risks.
As a first step, metrics can be built off vulnerabilities discovered by security testing tools or pen tests. False negatives will always happen, but since you do not know what you do not know, let’s leave them aside for now.
Some metrics we could use to identify bottlenecks are listed below. Once a bottleneck that leads to increased risk is identified, there is no silver bullet solution. Depending on the internal structure, the solution might lie in better processes, new tools, more headcount, or all of them.
In any case, once metrics are in hand, they provide a firm ground to justify the resources needed to decrease business risk while gaining the trust of management with a data-driven ask that speaks their language.
2. Leverage Metrics to Demonstrate ROI
Metrics point to the root cause of the problems and make it easier to quantify the risks that will be mitigated by extra resources. To build trust with the management team, AppSec leaders should convert problems to risks expressed in dollar values and make sure all of their asks are backed by numbers.
Follow these steps to better leverage metrics:
Assign a dollar value to each vulnerability: The cost of a data breach is estimated to be around $4m these days (https://www.ibm.com/reports/data-breach).
Dividing the total risk of a data breach ($4m) by the number of true positive vulnerabilities will yield the risk associated with each vulnerability in dollars.
Calculate the risk: If 1,000 new true-positive vulnerabilities arise each month and we can close only 100 of them with current resources, our backlog will grow by 900 vulnerabilities every month. Multiply 900 by the average dollar value we attach to a single vulnerability and we can calculate the business risk added each month in dollars. This is a simplistic model meant to give a rough idea, but the calculation can be altered to factor in different severity categories or other inputs such as vulnerabilities in internet-facing applications.
No matter how complex the calculation is, this amount helps determine how many resources make sense to mitigate that risk. If we are asking for a new hire that will cost $10K to address a risk of $1K, it is clear the ask does not make sense, and we can adjust our demand accordingly.
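The calculation above, as an added example that is not part of the original article: it implements the simple model (breach cost spread over true positives, backlog growth times per-vulnerability value) and the extension the text mentions, weighting buckets by severity and internet exposure. The severity weights, the internet-facing multiplier and the sample backlog numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

BREACH_COST_USD = 4_000_000  # the breach-cost figure the article cites (IBM report)

# Assumed severity weights and exposure multiplier; tune these to your own scoring.
SEVERITY_WEIGHT = {"critical": 4.0, "high": 2.0, "medium": 1.0, "low": 0.25}
INTERNET_FACING_MULTIPLIER = 2.0


@dataclass
class Backlog:
    severity: str
    internet_facing: bool
    new_per_month: int     # true positives found per month in this bucket
    closed_per_month: int  # how many of them current resources close


def risk_per_vulnerability(breach_cost: float, true_positives: int) -> float:
    """Article's simple model: spread one breach's cost evenly over all true-positive findings."""
    if true_positives <= 0:
        raise ValueError("need at least one true positive to price a vulnerability")
    return breach_cost / true_positives


def monthly_backlog_growth(new_per_month: int, closed_per_month: int) -> int:
    """Net vulnerabilities added to the backlog each month (never negative)."""
    return max(new_per_month - closed_per_month, 0)


def monthly_risk_increase(buckets, value_per_vuln: float) -> float:
    """Dollar risk added each month, weighted by severity and exposure."""
    total = 0.0
    for b in buckets:
        weight = SEVERITY_WEIGHT[b.severity]
        if b.internet_facing:
            weight *= INTERNET_FACING_MULTIPLIER
        total += monthly_backlog_growth(b.new_per_month, b.closed_per_month) * weight * value_per_vuln
    return total


def hire_is_justified(hire_cost: float, risk_reduced: float) -> bool:
    """The article's sanity check: spending $10K to remove $1K of risk does not make sense."""
    return risk_reduced > hire_cost


if __name__ == "__main__":
    # Constructed numbers matching the article: 1,000 new true positives a month, 100 closed.
    flat = [Backlog("medium", False, 1000, 100)]
    per_vuln = risk_per_vulnerability(BREACH_COST_USD, 1000)  # $4,000 per finding
    print(f"backlog grows by {monthly_backlog_growth(1000, 100)} a month")
    print(f"risk added per month: ${monthly_risk_increase(flat, per_vuln):,.0f}")
    print(f"$10K hire for $1K of risk justified? {hire_is_justified(10_000, 1_000)}")
```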
This approach will go a long way to gain the trust of management and to ensure anything you ask for is taken seriously.
3. Collaborate with Other Departments
Most security teams are criticized for being blockers for creativity and progress.
To change this perception and have support from multiple teams, AppSec leaders need to build rapport with the leaders of other teams in the organization. This is easier said than done but the more we understand their concerns and speak their language, the more support we will have when we raise our voice.
As an example, marketing teams constantly publish landing pages of new campaigns or lead forms which potentially expand the attack surface but also present a good opportunity. Would it not be nice for them to know that those pages and the brand image they worked so hard to build are impenetrable by attackers?
This way of thinking helps uncover potential collaboration areas and offers an excellent opportunity to get support for more resources. While this is a representative example, AppSec leaders need to get creative in finding ways to help other teams in the organization achieve their goals.
In conclusion, gaining management buy-in as an AppSec leader requires a combination of implementing metrics, demonstrating ROI, and collaborating with other departments. By employing these strategies, you can secure the resources your team needs and create a fulfilling work environment.