Get Your Board to Say Yes To Managed Security Services


3 Steps to a Successful Board-Level Conversation about Your Application Security Needs

Why consider managed services?

It is a cost-effective, efficient way to get…

• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio.

• Resources that provide elastic capacity at a predictable budget.

• Customized read-outs with security and development staff to improve performance.

• Consistent, transparent reporting to demonstrate return on investment.

Why board buy-in is important

• To help leaders make decisions about budget and priorities.

• To get resources you need to manage your application security initiative.

• To gain support throughout your organization.

• To demonstrate the impact of your work on business goals.

• To give your team the reputation they deserve.

ASSUMPTION

You’ve already convinced your board they should care about software security.

STEP 1: Communicate with the board in business terms, not technical terms.

“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.” — KPMG

Boards can’t influence what they don’t understand

• Most boards have no cybersecurity experience.

• They have limited time and a crowded agenda.

• They don’t respond to technical jargon.

So…

• You must describe the business context for managed security services to get board buy-in.

How managed services match business goals

• Return on investment

• Cost savings

• Faster time to market

• Competitive advantage

STEP 2: Prepare for questions the board will ask.


QUESTION 1

How will investing in managed security services impact our business?

Your board-friendly answer

• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.

• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.

QUESTION 2

How will a shift to managed services impact how we are currently managing cyber risk?

Your board-friendly answer

• We will be able to manage risk more efficiently across the entire portfolio—every application, software project, software security defect, and data asset.

• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.

• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.

• We will be able to record every security test, result, and remediation step to continually improve.

QUESTION 3

How will using managed services impact our budget?

Your board-friendly answer

We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.

Hard costs

• Cost of hiring application security experts

• Cost of licensing security testing tools

• Cost of training staff

Soft costs

• Time it takes to find experts

• Time it takes to get new staff up to speed

• Number of applications each staff can test, and at what depth

• Stress of managing changing testing volume or emergency situations

• Opportunity cost of other projects that internal staff are not able to tackle

QUESTION 4

How will we measure return on our investment?

Your board-friendly answer

Managed services give us greater value for less cost. How will we know?

• We will see fewer security vulnerabilities that must be fixed in production and QA stages because they will be addressed earlier in the development cycle.

• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.

Metrics that really matter to the board

• Percentage of applications reviewed and signed off, indicating an acceptable level of security.

• Percentage of software projects that go through a secure development lifecycle.

• Percentage of security bugs that reoccur in application development.

• Percentage of security bugs that have been fixed within the recommended time.

Make your metrics make sense

It’s essential that you provide context when explaining the metrics you capture. For example…

Don’t just say: We found nine critical bugs this month.

Instead, add context:

• This was expected because we just rolled out a new defect discovery capability.

• This is considered acceptable because the bugs were found in development, before production.

• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.

QUESTION 5

How will managed services support our aggressive development schedule?

Your board-friendly answer

• Security testing will be matched to our development cycle, working within sprints and testing windows.

• Because our testing team will always be available, we will get back security test results faster than before.

• We will be able to remediate issues in step with the development process.

QUESTION 6

How will using a managed service help us keep up with what our peers are doing to minimize risk?

Your board-friendly answer

• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.

• We will benefit from our managed service partner’s aggregated experience and best practices based upon years of working with multiple companies across a wide range of industries.

STEP 3: Make sure you have a resource plan that satisfies your board’s questions.

The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).

Get started with managed services