Oct 24, 2016
Security Innovation and The Ponemon Institute does a regular study, called The State of Application Security.
The study investigates the difference in application security beliefs between developers, security professionals and company executives.
The results are pretty shocking. If you dig into the report, you'll find that a much higher percentage of executives believe their organisations are secure, than the technicians and developers doing the work. This is a huge problem.
To give an example, 71% of executives agreed or strongly agreed that education and training programs were updated to keep development teams apprised of the latest threats, security policies and best practices. This is in comparison to just 19% of technicians.
A huge 52% difference.
But why is this? There's 5 key reasons.
1. Distance From The Front Line
Company executives are a long way from the lines of code being written, or the day-to-day decisions being made that impact organisation-wide security. This means that lots of executives are just ignorant of the security risks within their organisation.
It's easy for an executive to live in ignorance of the state of security within their organisation when they don't witness the vulnerabilities making it into code, or hear the conversations between developers at the water cooler.
2. An Assumption That "It's Being Handled"
It's not uncommon for organisations to hire a security team (or even a CSO) and assume application security is therefore being handled, and that they don't need to worry. "It'll just get done". Having a team in place can create a false sense of security.
Security requires an ongoing investment, and executives need to be aware that it's not enough to just have a team in place to manage it. It requires organisation-wide cooperation.
3. They're Busy With Their Day Job
Executives have a lot to get done. Most will tell you they have more to get done in a day than they could ever hope to finish. Lots of executives are inbound focused, which means they spend a lot of their time dealing with requests sent to them from reportees, and putting out fires.
Quite simply, they don't have enough hours in the day to proactively think about security. If the issue isn't placed on their desk, they may not realise it exists.
4. They Don't Understand Security Professionals
We've all tried to read technical documents, or sat through complex presentations that we don't really understand. Lots of security professionals don't do a very good job of talking to executives at their own level of understanding. They assume that an executive will understand intricate details, and often focus too much on the technical challenges rather than the business case.
Security professionals need to work on framing their reports to executives on business cases: will doing something increase revenue? Will not doing something cause problems? Could failing to act result in a legal battle? You're the security professional, and executives should trust your judgment on the technicalities.
5. The Reality Is Being Sweetened
We've all met yes men throughout our careers, and these are toxic to application security. If your head of security would rather stay on the executive's good side than reveal the dark truth, then you can't expect the executive to know any better. If the head of security tells the CEO that the security training program is running exceptionally well, then the CEO will no doubt assume that security training is covered.
An executive can't expect to improve a situation if the reports he receives are feeding him false positives. Conversely, if your security organisation is always over-exagerating security risks within the organisation, they may not be treated seriously by executives when they try to table the "real" big issues.
A balanced, realistic approach needs to be taken to raising the awareness of security challenges amongst executives.
Why do you think the gap between executives and technicians/developers is so great? Share your thoughts in the comment section below.