AppSec Becomes A Priority For New CISOs/CSOs: Recommendations For The First 100 Days
With digital transformation as a top concern for many organizations today, application security (AppSec) is more important than ever for CISOs/CSOs. Newly hired leaders must account for AppSec from the very start, and should assemble a comprehensive and strategic vision for software security in their first 100 days. While this may seem overwhelming, a new management guide from Contrast Security can help security leaders discern a way forward.
Security—and Applications—Are Increasingly Critical
The role of CISO/CSO has not been around for that long. The world’s first CISO was appointed just 25 years ago, and many organizations have had this role (hereafter referred to as simply the CISO) for a decade or less. But even though they were once viewed as back-office technologists, the increasing importance of cybersecurity means that CISOs are now an integral part of corporate strategy. As a result, most are now peers of the CIO, often reporting to the CEO or even the board of directors.
When new CISOs are appointed, they come into the role with a lot of pressing priorities. Increasingly, AppSec is—or should be—high on the list. As one writer puts it, “[Applications] have become the business imperative, the key conduit to customers, and the essential business enabler.” As a result, AppSec is front of mind for executive teams hiring new security leaders. “I would say that AppSec has been the number one priority for clients seeking CISOs over the past 12 months,” says André Tehrani, partner at Recrewmint, Inc., an executive search firm specializing in digital security and privacy.
But where do new CISOs start when it comes to AppSec? Contrast Security’s new management guide, “AppSec for the Newly Hired CISO/CSO: Recommendations on How to Assess Application Security in the First 100 Days,” provides a framework for the first 100 days that can set the stage for long-term success.
Getting the Lay of the Land
External hires for CISO positions must make quick work of learning about the company’s culture, its IT infrastructure, its risk profile and tolerance, and the competitive landscape. One common mistake is to depend too much on peer executives and the cybersecurity leadership team for these perspectives. This can be a problem even for CISOs who are promoted from within and think they already know all about the organization. While the official view from leadership is important, rank-and-file employees often know more about how things really get done in the organization and can provide insight into how to sell needed initiatives to the organization at large.
In addition to this basic organizational insight, it is critical that the new CISO has a complete understanding of what applications exist in the enterprise, how they are used, and what the current AppSec program looks like. If they are lucky, new CISOs may find relatively mature AppSec programs in place, but more often they will not. Following are some questions that an incoming CISO could ask the AppSec and DevOps security teams:
Risk Assessment
- Does the InfoSec team have full visibility across the application attack surface?
- What is the risk tolerance of the organization related to application vulnerabilities?
- What percentage of applications are being reviewed in terms of risk tolerance?
- Are certain applications at higher risk than others?
Operational Efficiency
- Are developers frustrated with current AppSec processes because they cause release delays or other inefficiencies?
- Are developers skipping security protocols because they are under pressure to meet time to market?
- Is the executive team pressuring developers to bypass security processes?
- Is the organization having problems scaling DevOps because of security gates?
- Are specialized security experts required to deal with AppSec? Or can developers find vulnerabilities and remediate them without additional assistance?
- Are false positives creating additional work for the security team?
- Are developers overwhelmed in terms of alert fatigue caused by false positives?
Establishing Relationships
Newly hired CISOs no longer have the luxury of simply retreating to the server room and working on technology. Everyone is now a stakeholder in the cybersecurity program, and human behavior is an important element of whether an organization is effectively protected. As a result, new cybersecurity leaders need to establish and nurture relationships across the organization from the beginning. As Sean Walls, VP and CISO at Visionworks of America, says, “Building a strong and effective professional relationship takes time and effort. It shouldn’t be one sided, but rather a balanced relationship, established on trust and mutual benefit.”
With DevOps Security and Development
New CISOs will especially want to get off on the right foot with the development and DevOps security teams, the primary stakeholders of any application security initiatives on the horizon. It is important for them to understand the responsibilities around AppSec. Who owns it—security or development? If development owns it, then what is security’s role? If security owns it, what is development’s role?
The CISO should get a feel for how well the two teams collaborate. If the relationship is terse, is it because the use of legacy AppSec technologies creates inefficiencies and security risks that frustrate both sides? Whatever the current situation or the historical context, it is critical that the new CISO figure out a way for these two teams to perform their jobs without impeding one another.
With the Larger Organization
It is also important to partner closely with other groups on AppSec (among other security issues). The product, sales, and marketing teams likely depend on internally developed applications to do their jobs effectively, so they have a vested interest in ensuring that these apps are delivered securely. CISOs can gain valuable insights from the groups that develop a company’s products and bring them to market—about the preferences of customers and lessons learned in trying to connect with them. These relationships can also aid in building critical mass for needed AppSec investments and for awareness campaigns highlighting the importance of software security.
Other necessary allies include the compliance, audit, and legal functions, which view AppSec through the lens of the company’s larger risk management portfolio. Speaking of the legal department specifically, Brian Glas, assistant professor of Computer Science at Union University, believes a good relationship is essential. “They need you and you need them,” Glas asserts. “It’s critical for a CISO to understand the legal perspective and potential benefits and ramifications for decisions made in the security realm. This team also keeps tabs of new regulations that may be coming, eliminating surprises for the CISO.” Working directly with these groups—rather than parallel to them—can result in a more secure organization.
Prioritizing Application Security
AppSec was not among the CISO’s top areas of focus in past years, but the increasing importance of applications to a company’s bottom line means that it should rank high on the priority list for new CISOs today. Verizon’s latest Data Breach Investigations Report found that 43% of data breaches this past year were the result of a web application vulnerability—a figure that more than doubled over the previous year.
Nor has the importance of AppSec been diminished by COVID-19. In fact, it is arguably more important, as many companies have accelerated their digital transformation initiatives while buyer preferences move toward digital channels. A study by OpsRamp, conducted after stay-at-home orders began, found that 61% of IT and DevOps leaders expect to accelerate their digital transformation initiatives and projects compared with earlier plans—with 58% also increasing spending. And nearly two-thirds of these initiatives fall into the areas of Agile and DevOps. If anything, AppSec will be more important in the coming months and years.
It is critical that the CISO work with the development team to align their shared vision and goals with overall company goals—and the organization’s risk tolerance. Vulnerabilities must be prioritized according to risk and remediated according to the potential damage they could cause. CISOs would benefit from a Software Assurance Maturity Model (SAMM) assessment to determine the organization’s overall AppSec maturity level, set the next several phases of goals, and measure everything with a dashboard.
Quick Wins
Quick wins at the beginning of a leader’s tenure help set the table for long-term success. Incoming CISOs can work with their teams to achieve benchmarks like these in the first 100 days:
- By day 30, a complete application inventory, if one is not already available. This data source should include information about the importance to the business of each application and the cybersecurity risk it poses.
- By day 60, a policy gap analysis and SAMM assessment. These formal reviews assess the maturity of the AppSec program and how complete the formal AppSec policies are.
- By day 100, a complete AppSec roadmap. By this time the CISO should be familiar with past successes, and can plan to build upon them to advance the program’s maturity.
Internal Comms
The importance of clear communication to different parts of the organization is often overlooked by new CISOs. It is especially important with a complicated topic like AppSec. “I always tell clients that they should look for CISOs that have sales and marketing skills,” Recrewmint’s Tehrani asserts. “These skills will help them craft internal communications that help regular employees understand the importance of things like AppSec.”
The reality is that even developers who have a deep understanding of the technology that powers applications are not security experts—and they do not want to be. Other employees across the company—including executive management and the board in most cases—know even less. CISOs and their team must communicate to these groups in a way that is accessible to nonspecialists—and relevant to their role.
To Company Leadership
Effective communications with the board and executive team can result in critical support and resources that help the new CISO better protect the enterprise. Communications should be framed in the language of business rather than security, and company management should hear about how security efforts can be constructed in such a way that developers experience fewer security-related delays rather than more of them. As Visionworks’ Walls asserts, “[P]resent your current application security posture in a solution-focused way, emphasizing the actions you are taking to improve your security posture and reduce risk, rather than saying, ‘the sky is falling.’”
To Employees
As for rank-and-file employees, effective communications can actually change the security culture of the organization—for the better. The new CISO should ensure that AppSec is included in the cybersecurity awareness program, and that employees feel heard when they air concerns about security initiatives—such as how security processes impede their work. Communications should not rely on geek-speak or techno-talk, but should describe the problems—and potential solutions—in plain language.
To Developers
The CISO should have regular contact with the development team and its leadership, so formal communications to the whole team should confirm what the development team already understood—rather than surprising them. More than anything, developers want to be reassured that security protection is not going to slow their work further. And they will be ecstatic if you communicate that security-related delays to coding will be eliminated.
A Marathon Rather Than a Sprint
The new CISO is not competing in the 100-yard dash, but is rather running a marathon. While the first mile of a marathon might seem uneventful to the spectator, getting off to a good start is critical to optimum performance for the entire race. Newly hired CISOs should move at a deliberate but steady pace, building a strategy that will meet the test of time. When security is done well, it not only protects a company’s assets but also enhances its brand.
For more information, download the full management guide, “AppSec for the Newly Hired CISO/CSO: Recommendations on How to Assess Application Security in the First 100 Days.”
Contrast Marketing