Five fundamental tips for getting executive buy-in on AppSec

The need for effective cybersecurity programs has never been more apparent. By October of 2021, the number of data breaches leapfrogged the total from 2020 by 17%, and 2021 saw the highest average data breach cost in 17 years – a massive $4.24 million.

Yet, for some organizations, there’s a serious hurdle on the path to establishing effective AppSec programs: getting executive buy-in. The C-suite might not be aware of the risks at hand, or they may think adequate security measures are already in place because they lack deeper insight into processes and tools. And if they’re presented with an expensive plan vacant of intel and strategy, they’re less likely to see the value in forging ahead. 

Demonstrating that advantage is sometimes an uphill battle, especially if you don’t arm yourself with data and clear goals. But through top-down alignment and understanding, arming your team with the resources necessary for building and managing secure web applications is more of a friction-free process. These practical tips will help you get started as you craft your strategy and pitch it to leadership as a way to improve your organization’s security posture. 

1. Get serious about metrics and a measurable strategy

The C-suite cares about numbers and results, so when you’re building a strategy for your AppSec program, it’s important to lean on metrics and measurable goals. Executives will most often focus on brand image and financials; back your pitch up with points about cost savings and public perception around big breaches to speak their language. 

Lean on analytics that underscore current fix rates, remediation times, compliance needs, and false positive prevalence, and then show data that supports how new or upgraded tooling can help alleviate those pain points. For example, did you know that inadequate tooling and processes can mean it takes team members an average of 112 hours to address their current backlog of security issues, or that 1 in 3 flaws make it into production without ever being noticed in the testing or development stages? 

Leadership may not even be aware of the risks around third-party libraries and supply chains, which contribute to attack surfaces. Once they know the industry risks, tie that data back to your own metrics as proof points for areas of concern and underscore how automated tools can help. If you don’t back your strategy with data that leads to a battle plan for improvement, you’re flying blind.

2. Talk their talk so that the plan truly resonates

Not everyone speaks the same language in an organization, especially at the top. The communication gap between security and development is something to tackle on the operational level, but it’s important to translate when making a pitch to the executive team and to focus on what they truly care about. 

So which roles should you target with specifics? It can vary by organization, though topics like fix rate or flaw density are typically best suited for CFOs, CIOs, CSOs, and CISOs. If you have C-level team members with strong engineering backgrounds, speak with them about discovery and remediation times in relation to hitting production goals. For the CEO, CCO, or legal department, focus on strategy and metrics around compliance and regulations to underscore how the organization will hit its marks.

Another good tip is to avoid acronyms and common DevSecOps phrases that might muddy the waters, and incorporate visuals to clarify data when granularity is critical. It’s easier for time-strapped execs to process the information and relay it back to the board when it’s clear, concise, and in line with executive goals. Talk their talk, and the information is more likely to stick in your favor. 

3. Organize your framework to solve a tangible problem

Part of pitching an application security strategy is building a strong framework that incorporates tools, processes, and people. The framework should be clear and tailored to the audience, but how you organize and present the information is also vital. Start by outlining your pain points and objectives, then lead into clear pathways and goals for solving those problems with updated tech stacks.  

Pick low-hanging fruit to start, like a lack of automation leading to time delays, and outline how your AppSec tool of choice plugs right into your software development lifecycle to get you there faster. Also factor in less tangible aspects of your strategy, such as programs and processes. For example, if a security champions program is part of the plan, discuss the format, contributors, benefits, and budget needed to show them how you’ll stand one up. If everything is outlined clearly and tied to problems you know you can solve, making the case is an easier process. 

4. Break your plan out into realistic requests

Your proposal for an AppSec program doesn’t have to – and shouldn’t – ask for the world right up front. Identify the most critical things to the cause and list those as your must-haves, such as a flexible dynamic and interactive web application security testing (DAST) tool that integrates into existing workflows or a developer enablement program that promotes secure coding best practices. 

For your must-haves, relate them back to measurable results: how effective is your ideal DAST tool at reducing risk or improving the accuracy of your testing results? Will it allow you to automate security tasks to save critical time, and is it scalable to help development and security teams manage their workloads? Will a particular tool enable you to see all of your web assets in one clear picture, and does it integrate with other testing tools like IAST for a more holistic approach to security?

Asking yourself these questions and providing executives with the answers is not only a realistic approach, but it will help you decide what you need tomorrow and what you can incorporate into your program down the road. Include your wants and nice-to-haves in the bigger picture, but know where you’re willing to compromise if need be. 

5. Demonstrate the how and the why in real time

If you lay out the groundwork and back it up with metrics but still feel like your proposal isn’t packing a punch, consider demonstrating the problem – and the solution – in real time. Show actual web application vulnerabilities with real-world examples, like an attacker executing malicious scripts in a user’s browser (cross-site scripting) or injecting malicious input into a SQL statement (SQL injection). 

Demonstrating what a dangerous flaw can do to one of your web applications, and ultimately to your brand image, can be eye-opening for leadership. On the flip side, show how application security testing tools can step in to help you find and fix flaws faster. Use a demo to show the process your tool of choice would take the team through to remediate the issue; if you can do so smoothly and demonstrate success, the executive team will be more likely to invest the budget you need.

Getting ahead of your ever-growing attack surface

Cybersecurity programs are flexible, scalable, and measurable at their best, covering as much of the software development process as possible. With lingering security debt and third-party vendor integrations, attack surfaces are often larger than most teams – and executives – think, which is why alignment is so critical. Tailoring your security program pitch to business goals and greater strategy is key for ensuring the C-suite is on the same page about current and potential threats. It helps everyone understand which critical tools and processes are missing from the puzzle. 

Once you have approval and enough budget to run with the key elements of your plan, make sure you relay that ROI up the chain whenever possible. Celebrate the successes of your AppSec program by staying on top of metrics, adjusting to pivot your strategy as needed, and engaging leadership in your victories so that they see the fruits of everyone’s labor. Once you have that synchronicity and understanding in place through executive buy-in, your AppSec program will serve as a foundation for less risk and greater innovation. 

Get the industry insights you need to start building your case by reading the Fall 2021 Invicti AppSec Indicator.