Get Your Board to Say “Yes” to Managed Security Services
© 2017 Synopsys, Inc. 1
Created by Marketing Team
March 30, 2017
3 Steps to a Successful Board-Level Conversation about Your Application Security Needs
Get Your Board to Say “Yes” to Managed Security Services
Why consider managed services?
It is a cost-effective, efficient way to get...
• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio
• Resources that provide elastic capacity at a predictable budget
• Customized read-outs with security and development staff to improve performance
• Consistent, transparent reporting to demonstrate return on investment
Why board buy-in is important
• To help leaders make decisions about budget and priorities
• To get resources you need to manage your application security initiative
• To gain support throughout your organization
• To demonstrate the impact of your work on business goals
• To give your team the reputation they deserve
Assumption
You’ve already convinced your board they should care about software security.
Step 1
Communicate with the board in business terms, not technical terms.
“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.”
Boards can’t influence what they don’t understand
• Most boards have no cybersecurity experience.
• They have limited time and a crowded agenda.
• They don’t respond to technical jargon.
So…
You must describe the business context for managed security services to get board buy-in.
How managed services match business goals
• Return on investment
• Cost savings
• Faster time to market
• Competitive advantage
Step 2
Prepare for questions the board will ask.
(Keep going to see example questions)
Question 1
How will investing in managed security services impact our business?
Your board-friendly answer
• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.
• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.
Question 2
How will a shift to managed services impact how we are currently managing cyber risk?
Your board-friendly answer
• We will be able to manage risk more efficiently across the entire portfolio: every application, software project, software security defect, and data asset.
• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.
• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.
• We will be able to record every security test, result, and remediation step to continually improve.
Question 3
How will using managed services impact our budget?
Your board-friendly answer
We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.
HARD COSTS
• Cost of hiring application security experts
• Cost of licensing security testing tools
• Cost of training staff
SOFT COSTS
• Time it takes to find experts
• Time it takes to get new staff up to speed
• Number of applications each staff member can test, and at what depth
• Stress of managing changing testing volume or emergency situations
• Opportunity cost of other projects that internal staff are not able to tackle
Question 4
How will we measure return on our investment?
Your board-friendly answer
Managed services give us greater value for less cost. How will we know?
• We will see fewer security vulnerabilities that must be fixed in the QA and production stages, because they will be addressed earlier in the development cycle.
• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.
Metrics that really matter to the board
• Percentage of applications reviewed and signed off, indicating an acceptable level of security
• Percentage of software projects that go through a secure development lifecycle
• Percentage of security bugs that reoccur in application development
• Percentage of security bugs that have been fixed within the recommended time
Make your metrics make sense
It’s essential that you provide context when explaining the metrics you capture. For example...
Don’t just say: We found nine critical bugs this month.
Instead, add context:
• This was expected because we just rolled out a new defect discovery capability.
• This is considered acceptable because the bugs were found in development, before production.
• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.
Question 5
How will managed services support our aggressive development schedule?
Your board-friendly answer
• Security testing will be matched to our development cycle, working within sprints and testing windows.
• Because our testing team will always be available, we will get back security test results faster than before.
• We will be able to remediate issues in step with the development process.
Question 6
How will using a managed service help us keep up with what our peers are doing to minimize risk?
Your board-friendly answer
• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.
• We will benefit from our managed service partner’s aggregated experience and best practices, based upon years of working with multiple companies across a wide range of industries.
Step 3
Make sure you have a resource plan that satisfies your board’s questions.
The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).
Get Started with Managed Services
Thank You