Ensuring the right people are on board with web application security

This article is the third in a series about digital business security from information security consultant Kevin Beaver.
Hardly any business initiative is simple. Given financial pressures combined with political and cultural hurdles, it's not uncommon for new business initiatives to receive pushback. Information technology investments are often harder to sell than general business investments because of their technical complexity, and getting support for security projects can be the most difficult of all. The reality is that, regardless of how large or small an initiative may be, without the right people on board, challenges await. That’s why obtaining – and maintaining – support for web application security is so important.

People do things for their reasons, not yours

Whether it's the implementation of web security technologies, integrating security into the software development lifecycle, or ensuring that web applications and APIs are properly locked down, the people you have (or don’t have) on board will make all the difference to long-term success. One thing I've learned working in IT over the past three decades is that people are perfectly selfish: they do things for their reasons, not yours. If web security initiatives are conceived and pushed by IT staff without buy-in from everyone who should be involved (a common approach), uphill battles are virtually guaranteed.
With web application security, it's not uncommon to see friction in areas such as:

·    the perceived value of the project and, in turn, budgetary support.

·    confusion around security standards, which can lead to controls getting in the way of the business.

·    requirements for ongoing oversight and audit, which can affect marketing and sales initiatives.

Even when stakeholders from various business units do get involved in web security initiatives, focus and responsibility tend to drift back toward technical staff eventually. As with wavering support in other critical areas of the business such as finance and operations, initiatives that fail to gain cross-organizational support are doomed to mediocrity. In the case of web application security, even when people believe it doesn't affect them, their role within the organization, or even the organization itself, it almost always does.
If web application security initiatives are to be effective and successful over the long haul, you must do what it takes to get and keep the right people on your side. But who are these people? Well, it depends. If you’re looking for financial support, you clearly need executive leadership to buy into what you’re selling. This could be the CIO or CTO. It could be the CFO or COO. It could even be legal counsel, the CEO, or a board member. Similarly, if you’re looking for project sponsorship and political backing, you’ll likely need an executive or two singing the praises of what you’re trying to accomplish. You may also need peers or other staff in software development, project management, or internal audit to help with your web security projects. You might even need sales or tech support reps in your corner. It all depends on what you’re trying to accomplish and how closely it aligns with the business’s goals.

Projects live or die based on mutually beneficial relationships

Developing these relationships may be a natural and easy evolution for you within the organization, or it could prove difficult and require special tactics and strategies. Most projects live or die based on mutually beneficial relationships, good communication, and effective management. Consider the following questions to set yourself up for success:

·    Who is the ultimate decision-maker? In what ways can you connect with this person and foster the relationship necessary to see things through?

·    What activities around web security have shown the best results? Who needs to be involved to help maximize your success? Keep in mind that outside vendors offering web-security-related products and services must be a part of this.

·    Knowing what you now know about web security and its place in your business, what would you do more of or less of in order to get the most out of new projects?

·    In what ways can you measure success over time? What actions will need to be taken, and what deliverables will be needed, to keep your web security efforts visible?

The right people will ensure web security success

Web application security is only one part of an overall information security program, but it's a critical one nonetheless. Don't assume that everything will fall into place and work out fine on its own. A thoughtful and measured approach to getting all the right people on board goes a long way toward ensuring web security success.
About the author
Kevin Beaver, CISSP, is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security, including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.