By all accounts, it appears to be a typical Friday afternoon for the application security team. Your plans include clearing out pressing projects to end the week, returning critical emails and calls and leaving the office at a reasonable hour for the first time in forever.
Then you’re greeted by the familiar beep of your instant messaging system. Your CISO has requested that you present at an organizational security meeting with C-level executives on Tuesday morning, leaving you just one business day for meeting preparation.
As you wipe a bead of nervous perspiration from your brow, you realize this might not be the easiest management meeting of your established career. You need to convey to the executive team that application security is a growing area of risk for your business, but internal funding and resource allocation have lagged significantly behind funding for more mature solutions such as network security.
From their perspective, no news has meant good news, but you will need to inform them that your organization has been living on borrowed time. How can you convey this to your company’s leaders? What key concepts do they need to know? How do you know what the most important areas to cover are?
10 Critical Findings from the Ponemon Application Security Risk Management Report
While there’s much to be learned from the paper, here are 10 critical findings from the IBM-sponsored Ponemon Institute study “State of Application Security Risk Management Report” that you can leverage in C-level discussions. We present these findings, as well as some recommendations, below.
1. Security Professionals View the Application Layer as Extremely Vulnerable
Although organizations have traditionally concentrated security spending on the network layer, the 630 respondents to the recent risk management survey actually named the application layer as the most vulnerable. When asked to allocate a total of 100 points across various IT layers based on their level of potential risk, respondents allocated 32 points to the application layer, 25 points to the network layer and 17 points to human negligence. The data, physical and operating systems layers were allocated even fewer points by respondents.
Even though your organization’s budgeting process may not have caught up with it, application security is a critical concern for your team to address, both now and in the future.
2. Application Security Risk Is Growing
Not only did survey respondents consider the application layer to be the most vulnerable, but 47 percent of them said application security risk is increasing or significantly increasing. Another 40 percent of respondents said risk is remaining the same. Why would that be?
Immature application security initiatives in many organizations aren’t effective at combating risk. Additionally, the proliferation of new and updated applications can introduce new vulnerabilities into ambitious product release environments that are fed by end-user demand for fresh versions and functionality. In fact, 56 percent of respondents stated that the pressure to release new applications quickly was a significant barrier to making their security posture as effective as possible.
Application vulnerabilities represent risk vectors that cannot be ignored. As the number of applications that your company releases grows, the situation will only become worse — especially if it isn’t addressed immediately. You must take action now.
3. Executives Underestimate Application Security Risk
You are not alone: 60 percent of survey respondents confessed that their management teams underestimate potential application security risk, which jeopardizes their ability to be fully effective at combating it. But the stark reality is that you rely on executive management for budgetary support and project prioritization.
View your upcoming meeting as an opportunity to educate executive management about the threat posed by application vulnerabilities and help them understand the value of effective application security. Share information with internal colleagues who are engaged in development and security functions and externally with your peers to spread your new knowledge.
4. A Vast Majority of Organizations Don’t Know Which Applications and Databases Are Active
Amazingly, a whopping 69 percent of respondents stated that their organizations don’t know all the databases and applications that are currently active. How can applications be protected if no one knows what they are, who owns them or where they reside?
The executive management team can help you with this. Recommend that a cross-functional, cross-geographical workflow be created to document all of your current applications, their version numbers, their owners and how their vulnerabilities are remediated. Consult IBM’s complimentary risk management e-guide for best practices about establishing a risk management program at your business.
5. Most Businesses Don’t Conduct Application Security Testing Throughout the Development Life Cycle
A miserly 14 percent of respondents stated that their organizations conducted application security testing throughout the development life cycle, while 46 percent of organizations admitted that they take no steps at all to test for application vulnerabilities. That’s akin to leaving a retail store unattended with the front door wide open.
It’s become common knowledge that testing throughout the development life cycle reduces remediation costs and lowers the likelihood of potential data breaches. You need to reiterate to the executive management team that application security testing is a mission-critical requirement that needs financial support.
Come armed to your meeting with actual examples of data breaches that originated from application vulnerabilities such as SQL injection and cross-site scripting, as well as their impacts to companies in your industry.
6. More Than One-Third of Businesses Don’t Perform Application Security Testing
Yes, you read that correctly. Even though practically every organization utilizes internal or external applications to conduct business with its employees, customers and contractors, 35 percent don’t perform any of the following testing techniques:
- Static application security testing (SAST);
- Dynamic application security testing (DAST);
- Interactive application security testing (IAST); or
- Mobile application security testing.
Enlighten your executive team on how security controls can help protect your organization’s brand image and even prove to be a competitive differentiator. Explain that inadequate application security protection can put you at risk for cyberattacks, which could expose your privileged data and quickly diminish your brand’s market value.
7. Organizations’ Risk Management Initiatives Are More Operational Than Strategic
Survey respondents ranked minimization of downtime and minimization of business disruption as the top objectives of their application security risk management initiatives at 69 percent and 63 percent, respectively. Compliance with regulations and legal mandates was also high, hitting 62 percent. However, attack prevention and brand protection were ranked much lower: 23 percent and 21 percent, respectively.
Obviously, the operational concerns outlined above are critical to your success, but you have more personal control over those factors. In your meeting, you should strive to obtain strategic support from the management team since you have much less control over issues such as brand protection and project funding prioritization.
8. Organizations Don’t Allocate Sufficient Resources to Address Application Security Risk
It should come as no surprise that 70 percent of respondents said their organizations don’t allocate sufficient resources to ensure that business-critical applications are secure.
This is your opportunity to reframe executive management’s thinking so they view application security as an investment in their brand rather than as a cost center. Demonstrate how long it’s taken high-profile organizations that have been breached to recover financially and restore their good names in the marketplace.
Remind them that an investment in automated application security software can markedly improve your team’s productivity and its ability to focus on the most significant vulnerabilities.
9. Most Organizations Rate Their Ability to Curtail Security Exploits in Software Applications as Below Average
In the Ponemon Institute study, only 25 percent of organizations rated their ability to stop or curtail security compromises and exploits as highly effective. However, 46 percent of organizations rated their ability to address security compromises as highly ineffective.
These findings should come as no surprise considering the lack of leadership attention and organizational resources that are being directed at application security. They offer you the opportunity to demonstrate your effectiveness in managing security vulnerabilities to your management team as you adopt a risk management-based approach and track your progress using industry-recognized testing tools such as IBM Security AppScan.
If your company doesn’t have a formal application security testing program in place, we recommend that you pilot programs in divisions of your business that have been particularly open to accepting new security initiatives.
10. Application Security Funding Is Expected to Grow
Here’s the silver lining: Application security spending is expected to grow from 18 percent of the organization’s total IT budget today to approximately 23 percent of the organization’s total IT budget in the next 12 months.
Request increased application security funding in your next quarterly budget cycle as executive management becomes more aware of its importance. Remind the management team that the best data breach is the one that you — and your customer base — never experience.
To Learn More
These key findings, takeaways and recommendations should provide you with the baseline content you need to conduct a successful meeting — while still sleeping like a baby the night before.
You can download a complete copy of the Ponemon report to learn more about these 10 findings and more of the study’s results. And make sure to watch the corresponding video “Leverage Ponemon’s Application Security Risk Management Study to Jump-Start Your AppSec Program,” which spotlights the study’s results.
You can also download a complimentary copy of Ponemon Institute’s more recent “2017 State of Mobile & Internet of Things (IoT) Application Security” study now.
Chairman and Founder, Ponemon Institute
Major Events Content Strategist for IBM Security