If the title on your office door says, ‘Chief Information Security Officer (CISO),’ chances are, your days are consumed with the various risks your organization is facing, and how you’ll deal with them. Underfunding is a common concern for CISOs, who struggle to secure executive-level buy-in for programs—even though high-profile data breaches highlight the importance of allocating resources to security. Of course, you need to minimize business risks and operational risks while also managing your company’s risk tolerance. This requires a fast and scalable security solution that reduces your operating expense costs, as well as cyberthreats.
For a security organization to be effective, its priorities must align with the whole organization –especially the finance department. CISOs, who envision their teams building security into the software development lifecycle (SDLC), find that too often, security is relegated to a check box or regarded as a traffic cop, to be dealt with before release.
However, when fixing or remediating a vulnerability can delay release of an important application, the pressure is placed on the security organization to make the right call. When staff can’t make a compelling business case for its decision or show the value of fixing vulnerabilities up front, the funding needed to participate earlier in the SDLC may not be forthcoming.
This breakdown in communications between security and other departments can include the lack of a common view of risk, and particularly the tendency for security to classify risk as “high, medium, or low” – which does not describe either the likelihood of an attack or its business impact.
Therefore, to communicate effectively, security teams must help other decision-makers to understand exactly what is at stake. This means they must understand the business purpose and impact of the application, get the resources to fix vulnerabilities earlier, and focus on the right applications at the right time.
Introducing the WhiteHat Security Index
Launching today, WhiteHat Security is helping CISOs and their companies to optimize application security programs through a unique, risk-based approach. Targeted for the C-suite, the WhiteHat Security Index (WSI) is a powerful way to know your risks and express them in financial terms, to make it easier for security teams to align with business stakeholders throughout the organization.
The WSI offers an instant visual overview of the robustness of the web applications; with one score, to monitor and manage the overall application security. Calculated from a comprehensive set of indicator data including vulnerability history, remediation rate, window of exposure, and application complexity, and based on WhiteHat’s extensive experience with intelligence metrics, the WSI is a measure of a web application’s security profile presented as a single number between zero and 800. The higher the number, the better the security.
Will the WSI help CISOs communicate more effectively with other decision-makers?
The answer is a resounding yes! Through a business-driven application security strategy, CISOs can align security priorities with business priorities, and make their programs more successful by using the WSI to tackle the job of identifying risks and also prioritizing the appropriate mitigation methods. Further, by comparing the organization’s risk profile with industry benchmarks and peer organizations, CISOs can use these metrics to drive security and funding decisions.
The WhiteHat Security Index allows executives to frame risk using a score that offers a visual representation of the robustness of the company’s web applications. And the WhiteHat Sentinel Platform allows you to:
- Communicate risk easily to business decision makers
- Focus remediation efforts based on business impact
- Demonstrate program effectiveness by risk trending
- Compare your security program to industry peers
Peer Benchmarking Against Others in Your Industry
Every organization’s risk tolerance and desired security assurance is different. WhiteHat Sentinel Peer Benchmarking dashboard allows companies to determine security KPIs by comparing themselves to industry peers.
- Monitor trends in your security posture over time
- Develop an understanding of where to commit more resources
- Communicate performance to upper level management
Based on the statistics from your dashboard, you may decide you’re not taking enough risk. Whenever fixing a vulnerability, you need to think about risk reduction. But you must consider the financial cost and the opportunity cost of pulling developers off an important project to fix vulnerabilities in what could be old code. In some cases, it may be advantageous to defer risk or not fix vulnerabilities at all, depending on your risk appetite and on the asset, because the cost to fix may be high compared to the risk posed by the asset.
The bottom line is, security is not the responsibility of the security organization alone. An effective security program requires close cooperation among all business units. The WhiteHat Security Index can help to know your risk and provide a common language for determining and discussing risk. This leads to better, strategic decisions that enhance the ability of the security organization to succeed in their mission of securing web applications and serve as the foundation for a security program that successfully meets the needs of the business as a whole.