Jun 23, 2016
Application security affects everyone in your organisation. To make your latest initiative as effective as possible, it’s important to communicate this to key departments, and help them understand the role they play in application security.

Development and security teams will likely be your first port of call, but to achieve organisation-wide buy-in, there are 3 other crucial departments you need to engage.
1) Convince the Executive Team
Simply put, an effective application security program starts from the top down, and the sooner you can get an executive mandate, the better.

For the most part, the C-suite won’t be interested in the technical details of the latest vulnerability: they’ll care about cold, hard cost. Whether it’s the cost of a data breach impacting the organisation’s reputation, or the cost of spending hours of skilled developer time on remediation, executives will want to understand the bottom line of your application security initiative.

By communicating the anticipated time and financial savings of the initiative, you can bring the executives on-side. In doing so, you can work wonders for the efficacy of application security as a whole: visible support from the organisation’s senior team stresses the importance of appsec throughout the organisation, and encourages all teams and departments to understand the role they play in security.
2) Involve the Procurement Team
Not all application vulnerabilities come from the software you develop. Large organisations rely on dozens, sometimes hundreds, of pieces of third-party software, used across different teams and departments. Often, it’s the security (or lack thereof) of these applications that introduces vulnerabilities.

The procurement team play an important role in vetting vendors and agreeing service levels, so it’s important to help them understand the crucial role they play in ensuring security:
- Preventing Shadow IT. Poor communication with the procurement team can sometimes lead individuals and teams to take matters into their own hands, and source, install and use an unverified piece of software. This practice (known as Shadow IT) introduces a huge amount of risk, so it’s vital that the organisation’s employees understand the proper channels to go through to source new software.
- Identifying secure (and insecure) vendors. Procurement can contribute to application security whenever they review contracts and SLAs for new software, looking out for the red flags associated with insecure software vendors.
3) Work with the Legal Team
The legal team, above all else, speak the language of risk. Though application security isn’t something they’ll be familiar with, risk mitigation is a much more tangible concept, so it’s important to help them understand how your security standard will reduce the organisation’s risk – and explain how they can help.

It’s good practice to regularly security test third-party applications, and it’s always helpful to involve the legal team to ensure your testing doesn’t contravene any of the vendor’s existing legal agreements. It’s also important to facilitate security conversations between legal and procurement: if you’re trying to help procurement negotiate better application security as part of a third-party vendor’s SLA, it’s important for the legal team to be involved in the discussion.

The same principles apply when you’re acting as the software vendor: the legal team will need to help you develop the language and tone of your own security policy, SLAs and contract documents.