According to the 2022 Gartner Board of Directors Survey, 88% of Boards view cybersecurity incidents as a business risk and not just a technical problem to solve – that’s a jump up from 58% over the previous five years. Organizations are becoming more proactive in preventing incidents instead of simply reacting to threats when a security issue or vulnerability shows up. With that proactive approach comes a push for bigger budgets and more powerful application scanning tools so that businesses can stay one step ahead of cybercriminals.
Attacks are happening at alarming rates as threat actors target critical infrastructures and sensitive information alike, hunting for any possible infiltration point. Research from Verizon’s 2022 Data Breach Investigations Report shows that web applications in particular are the number one attack vector, with personal data or credentials compromised in nearly 70% of incidents. API attacks are on the rise too – a survey from Salt Security shows a 681% increase in attack traffic between 2021 and 2022, with 62% of respondents citing API security concerns as a reason for slowing down the release of new applications.
Because breaches and cyberattacks can have far-reaching impacts on finances, reputation, and operations, it’s becoming increasingly important that security leaders are able to make a case for more budget and a defense in depth. But knowing what to say up the chain isn’t always easy. When approaching the Board of Directors (BoD) about cybersecurity and its technology and resource requirements, it’s important that security and IT leaders work together with executives and the BoD to understand the benefits, outline potential ROI, and agree on a strategy that fits their business needs.
Here’s what our experts have to say about getting the Board on board with cybersecurity.
It’s important to help the Board understand that cybersecurity – and especially web application security (AppSec) – is about more than simply protecting data. What are some of the business benefits of having a well-defined security strategy in place?
Frank Catucci: A well-defined strategy is also about the people and the efficiency and therefore the inherent cost benefits to security. The people and processes help not only with the reputation of your company and product lines but also with lowering the risk of exploitation and exponential impact after the incident. If we can find, fix, and mitigate risks earlier, we not only reduce cost but also reduce unplanned work and fixes, driving efficiency and effectiveness of existing teams.
Sonali Shah: Having deeper insight and clarity into risk posture not only improves incident response time but also enables secure sharing of critical business information that the Board needs to know. In March of 2022, the Securities and Exchange Commission (SEC) proposed a new rule titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” In this proposal, the SEC underscored elements of disclosure that can help improve cybersecurity risk and governance, including disclosures about an organization’s Board of Directors’ cybersecurity expertise and level of oversight into risk.
The proposal also urges for the adoption of Inline eXtensible Business Reporting Language (Inline XBRL) – which helps automate business information requirements – with the goal of better informing investors about risk management and improving response times to cyber threats. Following such guidance makes it easier to see security risks and the tangible business benefits of solving them.
Increasing the cybersecurity budget helps to bolster defense in depth, shrink the attack surface, and improve response time. What are some features of application scanning tools that can help convince the BoD of these benefits?
Frank Catucci: Improvements to key tools and processes must revolve around a development-centric strategy. To adequately serve modern agile development and release processes, we need to automate as many tests and workflows as possible. This overall strategy will result in the required and necessary impact to modern cloud-native and agile environments. However, we cannot do this at the expense of accuracy and must consistently look to improve the signal-to-noise ratio simultaneously. This is not always an easy task, but if you combine the right talent and training with the right application scanning tools, you can be successful.
Sonali Shah: With great risk comes the need for security tools that were designed to scan consistently and accurately. That need is even more dire today, when 80% of all breaches stem from vulnerabilities or weaknesses in web applications and malicious traffic from APIs has grown by 117% from 2021 to 2022. AppSec testing tools can help mitigate these risks through automated, accurate guidance so that vulnerabilities are not released into production, with newly discovered flaws quickly identified to minimize breach exposure. With out-of-the-box reports, some of these web application scanning tools like Invicti can also help meet evolving compliance needs, such as the October 2022 updates to ISO 27001 and 27002.
In the event of a breach or cyberattack, the BoD might be responsible for helping the organization decide whether or not to pay a ransom and even what the company should say to customers. Are breach scenarios good ways to prepare ahead of time so you can show the Board the severity of those situations?
Frank Catucci: Yes, absolutely they can help you prepare for presenting problems and solutions to the Board. Tabletop and incident response playbooks and drills must be practiced, honed, improved, and repeated so that optimal preparedness is achieved for when an incident occurs. Like the saying goes, practice gets you closer to perfect. Incident response is no exception.
Sonali Shah: Tabletop exercises are valuable tools for preparing and testing an incident response plan. A well-documented plan ultimately helps everyone – including the Board, employees, and customers – feel more confident in your company’s ability to quickly respond to a potential cyberattack. Such exercises can also help organizations become more proactive by identifying gaps in security coverage and response processes that correspond to needs for additional tools, talent, and processes.
Approaching the Board with a comprehensive plan can help you make your case more effectively. Many organizations rely on foundational strategies like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework as guiding points. Are there other guidelines or tips that businesses can follow to help convince leadership of their strategy?
Frank Catucci: I think frameworks such as NIST are useful for any organization as an important reference point and benchmark. However, beyond this, every organization should be looking at their internal policy and compliance, regulations, and adherence to required standards to help drive their overall security programs.
For example, if an organization, product, or business model aligns with PCI or HIPAA, you want to use those standards as well to drive and design additional security measures into your overall security objectives. Doing this in combination with frameworks such as NIST will greatly improve your individual risk management as well as your overall security posture.
Sonali Shah: Frameworks like NIST are great starting points, but it’s critical to have a well-documented and accessible strategy that clearly states benefits and goals. This is how organizations can make that cultural change from individual contributors all the way up to the BoD. Ensure that your own internal guidelines are shared company-wide and that employees understand security is not a nuisance but a necessity.
Build security strategy into your overall corporate strategy and include it in objectives and key results (OKRs) so it becomes a core part of your organization’s business strategy – not just checkboxes for security and IT teams – and is visible to the Board for maximum transparency.
Beyond the BoD: Keeping everyone on board with cybersecurity
To keep up with rapidly-evolving technology and ever-changing security landscapes, organizations need to be flexible while never losing sight of their strategic goals. That requires clear and consistent reporting on achievements and progress to give the BoD and other stakeholders decision-making insights.
Sonali Shah: In your strategic plan, include goals and report out on those goals quarterly. Goals can be built around certification achievements, the number or frequency of web application and API tests run in development, or the number of critical vulnerabilities found. This information is priceless when it comes to adjusting security strategies or proving success when asking for more budget.
To get the Board and the entire organization more actively involved in cybersecurity efforts that bring tangible results, everyone needs to understand and appreciate just how vital AppSec is for keeping applications, systems, and customers safe. Employees need relevant training and capable web application scanning tools to maintain security while remaining productive, motivated, and engaged. Ultimately, that allows you to reduce overheads and future costs because you have the right people in place and they are efficiently using the right tools with the right strategies.
In between the Board and your boots on the ground, your leadership needs to consistently factor the security strategy into their business decisions while also empowering security experts to identify and head off potential security issues before they can cause trouble.
Frank Catucci: Listen to the experts and leaders you hire and trust them to make the right decisions. If you have experts in their respective fields leading various areas, listen to their feedback. Conversely, continue to challenge them and ask the tough questions. Remember that you are all where you are for similar reasons and share common goals for success.
With everyone from Board stakeholders to the newest hires working toward the same security goals, striking the right balance between innovation and systematic risk reduction finally becomes realistic.