Post on 19-Mar-2020
© 2017 Synopsys, Inc. 1
Created by Marketing Team
March 30, 2017
3 Steps to a Successful Board-Level Conversation about Your Application Security Needs
Get Your Board to Say “Yes” to Managed Security Services
Why consider managed services?
It is a cost-effective, efficient way to get...
• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio
• Resources that provide elastic capacity at a predictable budget
• Customized read-outs with security and development staff to improve performance
• Consistent, transparent reporting to demonstrate return on investment
Why board buy-in is important
• To help leaders make decisions about budget and priorities
• To get resources you need to manage your application security initiative
• To gain support throughout your organization
• To demonstrate the impact of your work on business goals
• To give your team the reputation they deserve
Assumption
You’ve already convinced your board they should care about software security.
Step 1
Communicate with the board in business terms, not technical terms.
“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.”
Boards can’t influence what they don’t understand
• Most boards have no cybersecurity experience.
• They have limited time and a crowded agenda.
• They don’t respond to technical jargon.
So…
You must describe the business context for managed security services to get board buy-in.
How managed services match business goals
• Return on investment
• Cost savings
• Faster time to market
• Competitive advantage
Step 2
Prepare for questions the board will ask.
(Keep going to see example questions)
Question 1
How will investing in managed security services impact our business?
Your board-friendly answer
• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.
• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.
Question 2
How will a shift to managed services impact how we are currently managing cyber risk?
Your board-friendly answer
• We will be able to manage risk more efficiently across the entire portfolio—every application, software project, software security defect, and data asset.
• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.
• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.
• We will be able to record every security test, result, and remediation step to continually improve.
Question 3
How will using managed services impact our budget?
Your board-friendly answer
We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.
HARD COSTS
• Cost of hiring application security experts
• Cost of licensing security testing tools
• Cost of training staff
SOFT COSTS
• Time it takes to find experts
• Time it takes to get new staff up to speed
• Number of applications each staff member can test, and at what depth
• Stress of managing changing testing volume or emergency situations
• Opportunity cost of other projects that internal staff are not able to tackle
Question 4
How will we measure return on our investment?
Your board-friendly answer
Managed services gives us greater value for less cost. How will we know?
• We will see fewer security vulnerabilities that must be fixed in production and QA stages because they will be addressed earlier in the development cycle.
• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.
Metrics that really matter to the board
• Percentage of applications reviewed and signed off, indicating an acceptable level of security
• Percentage of software projects that go through a secure development lifecycle
• Percentage of security bugs that reoccur in application development
• Percentage of security bugs that have been fixed within the recommended time
Make your metrics make sense
It’s essential that you provide context when explaining the metrics you capture. For example...
Don’t just say: We found nine critical bugs this month.
Instead, add context:
• This was expected because we just rolled out a new defect discovery capability.
• This is considered acceptable because the bugs were found in development, before production.
• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.
Question 5
How will managed services support our aggressive development schedule?
Your board-friendly answer
• Security testing will be matched to our development cycle, working within sprints and testing windows.
• Because our testing team will always be available, we will get back security test results faster than before.
• We will be able to remediate issues in step with the development process.
Question 6
How will using a managed service help us keep up with what our peers are doing to minimize risk?
Your board-friendly answer
• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.
• We will benefit from our managed service partner’s aggregated experience and best practices based upon years of working with multiple companies across a wide range of industries.
Step 3
Make sure you have a resource plan that satisfies your board’s questions.
The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).
Get Started with Managed Services
Thank You