Peter Chestna at Checkmarx argues that CISOs and other information security professionals need to be seen as revenue and growth drivers and not as cost centres
Digital transformation is integral to the future of every modern business, making the role of Chief Information Security Officers (CISOs) more critical now than ever.
Security not only helps mitigate the risk of data breaches and cyber-attacks, it is also a key contributor to the forward progress and overall success of the company. In particular, the changes that digital transformation has brought to the way applications are developed have massively increased the need for a solid application security (AppSec) strategy.
There is a real opportunity for the role of CISOs – and the security department as a whole – to evolve beyond that of ‘cost centre’ and the ‘protector’ of the organisation, to a function which is more closely intertwined in enabling the business to achieve its strategic goals.
To do so, security needs to be embedded within business strategies from the outset, enabling the safe roll-out of the latest innovations, from product launches to new infrastructure, rather than existing as the tick-box exercise at the end of a new initiative.
Traditionally, application security has been seen as a “nice-to-have” by many parts of the business. However, it may now have a far more influential role to play.
The domain of CISOs is expanding and, by incorporating security into business planning at the earliest stages, their contribution will go far beyond keeping attackers at bay. The time has come for businesses to view CISOs not merely as risk managers but as the secret weapon that ensures a business remains competitive, upholds its reputation in the market and delivers on its core objectives.
The role of CISOs in reducing business costs
In today’s hyper-digitised world, applications and code are everywhere. From your business’s website, to plug-ins, private cloud systems or the software and applications you develop, every digital product is built from code. Applications are often an attacker’s first point of entry, which is one reason that application security and the role of CISOs have become increasingly important.
This is particularly critical in fast-moving markets which rely on ever-shorter release cycles, which ups the ante in terms of risk. Checkmarx’s 2022 Global Pulse on Application Security report, which surveyed more than 1,500 CISOs, AppSec managers and developers in equal proportion, found that 86% of participating organisations had knowingly deployed vulnerable code.
Building security into the early stages of application development lets products reach the market faster, without compromising on security.
Chart: How often, if ever, has your organisation deployed known vulnerable code into a production environment? (Responses from both AppSec managers and developers)
CISOs are best placed to implement agile security and take a “Shift Everywhere” approach to AppSec – to every application, every version, in every location, before, during and after deployment. With new efficiencies and new risks represented by the move to the cloud, CISOs must emphasise AppSec across all digital initiatives and foster a security-first culture.
In this way they can ensure that developers prioritise security at every stage of the software development life cycle and, just as importantly, make AppSec simpler to carry out. Vulnerabilities discovered late are far more costly to remediate, so catching them early keeps that cost down.
At the same time, CISOs can prioritise vulnerabilities using a risk-based approach. By addressing high-risk vulnerabilities first, and being prepared to discover and rapidly remediate other vulnerabilities at any point in the software development life cycle, businesses can optimise their security investments and minimise the likelihood of costly breaches.
Most importantly, they can integrate AppSec into the DevOps pipeline and thereby ensure that security is an integral part of the development process rather than an afterthought. Automated checks in the pipeline catch potentially high-risk vulnerabilities before release, reducing the costs associated with late-stage remediation.
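As an added illustration (not Checkmarx tooling and not part of the original article), the script below shows one way to implement the risk-based pipeline gate the preceding paragraphs describe: scanner findings are re-scored with deployment context, the highest-risk ones block the release, the rest are ticketed with an SLA, and signed-off risk acceptances never block but stay visible. The scanner export format, the scoring weights, the context fields (internet_facing, exploit_available, reachable) and the sample findings are all assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable

# Base score per scanner severity (assumed weights for illustration).
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    rule_id: str             # scanner rule, e.g. a CWE identifier
    severity: str            # critical / high / medium / low
    location: str            # file:line
    internet_facing: bool    # assumed: from the asset inventory
    exploit_available: bool  # assumed: from threat-intel enrichment
    reachable: bool = True   # assumed: data-flow analysis says the sink is hit

    @property
    def key(self) -> str:
        return f"{self.rule_id}@{self.location}"


def risk_score(f: Finding) -> float:
    """Turn raw severity plus deployment context into a 0-10 risk score."""
    score = SEVERITY_SCORE[f.severity.lower()]
    if f.internet_facing:
        score += 1.0      # exposed to anonymous attackers
    if f.exploit_available:
        score += 1.0      # weaponised; expect opportunistic scanning
    if not f.reachable:
        score *= 0.5      # vulnerable code that no request path reaches
    return min(score, 10.0)


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # must be fixed before release
    tracked: list = field(default_factory=list)   # ticketed, fixed within SLA


def load_findings(scanner_json: str) -> list:
    """Parse a minimal scanner export (constructed format, not a real tool's)."""
    return [Finding(**item) for item in json.loads(scanner_json)["findings"]]


def evaluate_gate(findings: Iterable[Finding], block_at: float = 8.0,
                  track_at: float = 4.0,
                  accepted: frozenset = frozenset()) -> GateResult:
    """Risk-based gate: block on high-risk findings, ticket the rest.

    `accepted` holds keys of findings with a signed-off risk acceptance; they
    never block, but stay on the tracked list so the exception remains visible.
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    result = GateResult(passed=True)
    for f in ranked:
        score = risk_score(f)
        if score >= block_at and f.key not in accepted:
            result.blocking.append((f.key, score))
        elif score >= track_at:
            result.tracked.append((f.key, score))
    result.passed = not result.blocking
    return result


# Constructed sample export: five findings, none from a real codebase.
SAMPLE_SCAN = json.dumps({"findings": [
    {"rule_id": "CWE-89", "severity": "high", "location": "api/users.py:42",
     "internet_facing": True, "exploit_available": True},
    {"rule_id": "CWE-79", "severity": "medium", "location": "web/profile.html:17",
     "internet_facing": True, "exploit_available": False},
    {"rule_id": "CWE-502", "severity": "critical", "location": "batch/import.py:88",
     "internet_facing": False, "exploit_available": False, "reachable": False},
    {"rule_id": "CWE-1004", "severity": "low", "location": "web/session.py:9",
     "internet_facing": True, "exploit_available": False},
    {"rule_id": "CWE-78", "severity": "high", "location": "ops/deploy.py:120",
     "internet_facing": False, "exploit_available": True},
]})

SAMPLE_FINDINGS = load_findings(SAMPLE_SCAN)

if __name__ == "__main__":
    import sys
    gate = evaluate_gate(SAMPLE_FINDINGS)
    for key, score in gate.blocking:
        print(f"BLOCK  {score:4.1f}  {key}")
    for key, score in gate.tracked:
        print(f"TRACK  {score:4.1f}  {key}")
    sys.exit(0 if gate.passed else 1)   # non-zero exit fails the CI stage
```

Run as the last step of a CI job, the non-zero exit code fails the build only for findings that are genuinely high risk in context: the "critical" deserialisation bug in unreachable batch code is ticketed rather than blocking, while an internet-facing SQL injection with a public exploit stops the release. Risk acceptances are an explicit allow-list, so a waived finding is still reported every run instead of silently disappearing.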
So, given that CISOs can play such a large role in reducing business costs and thereby open up more revenue opportunities, leaving them out of major business decisions and sales conversations can be costly.
Adding value to the sales process with AppSec
In today’s highly competitive business landscape, digital applications serve as a critical channel for generating income for most organisations. Therefore, it is of paramount importance for businesses to prioritise application security in order to safeguard revenue and achieve wider strategic goals.
By incorporating an ‘AppSec everywhere’ approach, across the entire development cycle, CISOs can proactively address security concerns and add significant value to the sales process. For instance, they can collaborate closely with sales teams to better understand customer requirements and expectations when it comes to security.
This collaboration can result in more targeted sales pitches and marketing materials that demonstrate the organisation’s commitment to security, with strong application security as a visible part of the overall approach. The ability to demonstrate a strong security posture not only builds confidence in potential customers but can also help businesses stand out in a competitive marketplace.
Leading CISOs have already spent years adopting these techniques and building out their application security programs. As one CISO of a US-based national insurance company noted, “Our information security practices are our customers’ business.”
Moreover, CISOs can contribute to the development of comprehensive security documentation, including whitepapers, case studies, and technical guides. This information can be crucial in addressing customer concerns about the security of the business’s products and services.
Providing detailed, transparent information about the security measures in place will also help to build trust with potential customers and partners at a time when brand reputation is a decisive factor in closing a sale. AppSec reporting tools available to the CISO can benchmark the security programme against peers and differentiate the organisation when working with prospective clients.
CISOs can also work with sales teams to ensure that security is factored into the pricing of products and services. By demonstrating how the organisation’s security practices contribute to the overall value of its offerings, businesses can potentially increase their profit margins.
Additionally, they can help identify opportunities for up-selling or cross-selling security-related services, such as consulting, training, or ongoing support, further contributing to the business’ revenue streams.
The CISO’s involvement in the sales process also serves as a testament to the organisation’s commitment to security. By having the CISO present during sales meetings, businesses can show potential customers that they take security seriously and are willing to invest in the necessary resources to protect their data and operations.
Simply put, businesses today run on apps, and time to market is critical to their financial and operational success. Incorporating CISOs in the sales process allows companies to align AppSec with wider business goals, whether risk management, cost control or overall growth, and thereby make their revenue and finances more sustainable.
Maximising the potential of CISOs in building the business
To maximise the potential of CISOs as revenue generators, businesses should foster more effective collaboration between the CISO and other C-Suite executives. They should encourage open communication between the CISO, CTO, CIO, and other executive leaders to ensure that cybersecurity initiatives align with broader business goals. This will help create a unified vision and strategy for the organisation.
Furthermore, board members should understand the significance of the CISO’s role in driving sales and revenue. This may involve presenting case studies, industry statistics, and comparative examples of organisations that have successfully integrated their CISO into the sales process.
From there, CISOs are well-placed in customer-facing activities such as presentations, demonstrations and consultations, further showcasing the organisation’s commitment to security and compliance.
Companies should also invest in continuous learning and professional development for the CISO and their team, giving them the resources and opportunities to stay up to date on the latest security technologies, methodologies and best practices. This will help them continue to drive innovation and maintain a competitive advantage in the market.
By taking these steps, organisations can unlock the true potential of their CISOs as revenue generators and strategic partners in the era of digital transformation. As cyber-security continues to become increasingly crucial in today’s business landscape, the role of the CISO will only become more critical in driving sales, reducing costs, and ensuring overall business success.
Peter Chestna is CISO at Checkmarx
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543