Application security plays a critical role in enabling digital transformation. COVID-19 compressed initiatives that would have played out over the past several years into the time frame of a couple months, and digital initiatives are now a top business priority for many. CIOs and CTOs are leading the charge in executing on these mandates. CISOs/CSOs are tasked to ensure they are protected. For most, application security is now at the top of the list of experience and skill sets for CISOs/CSOs.
COVID-19 has turned things completely upside down. Six months into a new decade, and no one person or company is exactly sure what the future holds. But one thing is for certain: The importance of digital technology will accelerate—specifically the evolution of legacy applications and the development of new ones. How organizations engage with their customers and offer them differentiated experiences and streamline operations through software applications will play a critical role in the success or failure of businesses.
Under mandates from the board of directors and the CEO, CTOs and CIOs have embraced DevOps and Agile as the means for scaling development and accelerating release cycles. But this creates new application security challenges—and the CISO/CSO must become an expert in DevOps and Agile technologies and processes to succeed. The stakes are huge. Research reveals that the majority of digital transformation initiatives fail or struggle to generate anticipated outcomes. At the same time, application vulnerabilities pose a serious risk to businesses, with Verizon recently finding that 43% of all data breaches this past year can be tied back to an exploited application vulnerability.
It is a requisite, as a result, that CISOs/CSOs become experts in application security. My firm specializes in placing cybersecurity executives, and application security is by far the number one priority clients list when spelling out what they want in a winning candidate.
Recruiting Mindset Best Opportunity for CISO/CSO Career Growth
So, how do you set yourself up for success in this changing digital landscape? First of all, it is not enough to have technical skills. A CISO/CSO must also be able to speak the language of business. They need to understand sales, marketing, finance, operations, and, most importantly, recruiting. In fact, recruiting is the top upskilling opportunity a CISO/CSO can pursue, and it will exponentially grow their career.
Finding the Right and Best Talent
The best thing a CISO/CSO can do is adopt a recruiting mindset in order to build an exceptional security team. They need to recruit the best talent in a highly competitive space. Successful security team members are no longer hybrids, managing two job activities at once. Today’s security talents are like octopuses; they can do eight things at once. When it comes to mitigating vulnerabilities, security teams have to be smarter, wiser, and hungrier than the bad guys. Recruiting the best talent means using resources to find the right people for the right job at the right time.
Communicating to the Board of Directors
Along with building a stellar security team, a CISO/CSO must be able to sell security to their board of directors. Cybersecurity is a serious business issue that must be defined as a business enabler, rather than something that slows the business, especially digital transformation initiatives. Cogent and clear communications from the CISO/CSO that articulate application risk through the lens of the business are pivotal. This includes the ability to go beyond the likelihood of intrusions and breaches to defining positive returns on investment.
The CISO/CSO also needs to build a custom security model dashboard, one that gives the board of directors real-time, point-and-click visibility. This enables them to follow the CISO/CSO's recommendations on cybersecurity risk, including application security.
When it comes to application security, the CISO/CSO must enable the board of directors and CEO to understand the positive and negative repercussions of application risk, both of mitigating it and of failing to do so.
Standout Candidates Address Business Challenges by Acting as CISO/CSO
There are several things that CISOs/CSOs can do to help them stand out from other CISOs/CSOs. The most important thing is to act as if you are already the company’s CISO/CSO. Treat the interview like a security briefing. Do your homework. Come up with a 90-day strategy, as well as a one-, two-, three-month roadmap. This means that you must understand the business and the unique challenges it faces. CISO/CSO candidates would do well to personalize their briefing by conducting a SWOT (strengths, weaknesses, opportunities, threats) analysis. This includes strategies for securing code and setting security policies. Doing so will enable a CISO/CSO to demonstrate their technical prowess to the development team and their willingness to roll up their sleeves and write code.
New Application Security Architecture Roles
Recognizing the importance of application security, CISOs/CSOs are creating new roles on their teams: the chief applications security architect and the chief web applications security architect. These roles demand professionals with extensive experience across multiple areas of development and cybersecurity, with soft skills around research, analysis, and consulting. Their background also demands work with cloud services, from Software-as-a-Service, to Platform-as-a-Service, to Infrastructure-as-a-Service.
Hiring a CISO/CSO Requires a Security Champion and an Interview Process
Organizations looking to hire a CISO/CSO need to identify the security champion in the organization. This individual should be marked as the hiring manager. To reach this determination, an organization should perform a BSIMM (Building Security In Maturity Model) assessment. This enables an organization to map the role of the CISO/CSO to the right business requirements and assign the incoming CISO/CSO to a security advocate. Sometimes this may be the CEO or CIO. In other instances, it may be the board of directors.
Regardless, it is important to remember that the security champion in an organization may change over time. When a CISO/CSO was first hired, the security champion may have been the CIO. However, as business requirements evolved, it may shift to the board of directors—even to the level of one or two specific board members.
The CISO/CSO interview process should have three stages. The first interview should be a 60-minute phone interview with the security champion (i.e., the hiring manager). The second interview should be a 60-minute phone or video interview with the entire team that is responsible for security. The third interview should be an in-person interview with whiteboarding sessions and code reviews. Where relevant, board members and members of the C-suite with responsibilities around security should attend.
The CISO/CSO Role Is More Vital Than Ever This Decade
The opportunities applications present to a business have never been greater. Businesses can reach and engage customers in ways that were simply not possible just a few years ago. They can streamline processes and facilitate innovation and collaboration between teams and individuals as never before. Yet, at the same time, this explosion in and concentration on applications creates dramatically greater risk.
This has not gone unnoticed. Application-attack volumes remain at unprecedented levels, while cyberattacks become increasingly sophisticated. The business demands that the CISO/CSO enable digital transformation while mitigating the security risks associated with these initiatives. New CISOs/CSOs must account for application security and ensure it is embedded in their 30-, 60-, and 100-day plans. While application security may have been an afterthought in the past, it can no longer be a marginalized checklist item. Rather, the priority placed on digital transformation demands that application security be prioritized from the outset and remain a critical business measurement.
To discover why and how a CISO/CSO should align application security from the onset, check out the new eBook, “AppSec for the Newly Hired CISO/CSO.” Readers can also listen to the two-part podcast interviews with me: