Get Your Board to Say Yes To Managed Security Services
3 Steps to a Successful Board-Level Conversation about Your Application Security Needs
Why consider managed services?
It is a cost-effective, efficient way to get:
• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio.
• Resources that provide elastic capacity at a predictable budget.
• Customized read-outs with security and development staff to improve performance.
• Consistent, transparent reporting to demonstrate return on investment.
Why board buy-in is important
• To help leaders make decisions about budget and priorities.
• To get the resources you need to manage your application security initiative.
• To gain support throughout your organization.
• To demonstrate the impact of your work on business goals.
• To give your team the reputation they deserve.
“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.” — KPMG
Boards can’t influence what they don’t understand
• Most boards have no cybersecurity experience.
• They have limited time and a crowded agenda.
• They don’t respond to technical jargon.
So…
• You must describe the business context for managed security services to get board buy-in:
• Return on investment
• Cost savings
• Faster time to market
• Competitive advantage
How managed services match business goals
Your board-friendly answer
• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.
• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.
Your board-friendly answer
• We will be able to manage risk more efficiently across the entire portfolio—every application, software project, software security defect, and data asset.
• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.
• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.
• We will be able to record every security test, result, and remediation step to continually improve.
Your board-friendly answer
We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.
Hard costs
• Cost of hiring application security experts
• Cost of licensing security testing tools
• Cost of training staff
Soft costs
• Time it takes to find experts
• Time it takes to get new staff up to speed
• Number of applications each staff member can test, and at what depth
• Stress of managing changing testing volume or emergency situations
• Opportunity cost of other projects that internal staff are not able to tackle
Your board-friendly answer
Managed services give us greater value for less cost. How will we know?
• We will see fewer security vulnerabilities that must be fixed in the QA and production stages, because they will be addressed earlier in the development cycle.
• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.
Metrics that really matter to the board
• Percentage of applications reviewed and signed off, indicating an acceptable level of security.
• Percentage of software projects that go through a secure development lifecycle.
• Percentage of security bugs that reoccur in application development.
• Percentage of security bugs that have been fixed within the recommended time.
Make your metrics make sense
It’s essential that you provide context when explaining the metrics you capture. For example…
Don’t just say: We found nine critical bugs this month.
Instead, add context:
• This was expected because we just rolled out a new defect discovery capability.
• This is considered acceptable because the bugs were found in development, before production.
• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.
Your board-friendly answer
• Security testing will be matched to our development cycle, working within sprints and testing windows.
• Because our testing team will always be available, we will get back security test results faster than before.
• We will be able to remediate issues in step with the development process.
Question 6: How will using a managed service help us keep up with what our peers are doing to minimize risk?
Your board-friendly answer
• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.
• We will benefit from our managed service partner’s aggregated experience and best practices based upon years of working with multiple companies across a wide range of industries.
The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).
Get started with managed services