How to Convince Leadership to Prioritize Security for Your Business

Kunal Bhattacharya
April 7, 2022

“If the lifeblood of the digital economy is data, its heart is digital trust —the level of confidence in people, processes, and technology to build a secure digital world,” says a 2018 report from PwC.

Between 2012 and 2021, trust in tech slipped globally from 77% to 68% fueled by multiple scams, data thefts, and privacy breaches as Edelman’s Trust Barometer study shows. That’s not encouraging for businesses which are constantly adding to their tech stack to grow revenue as well as to empower their customers and improve experiences.

Where is it all going wrong?

Mostly in the prioritization of business goals. Whether it’s a company undergoing a digital transformation or one that’s already tech-forward, security is often overlooked. And although more organizations do give it more importance now, the measures proposed are often more remedial than preventive.

“Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the UK's boardroom thinking,” says Lindy Cameron in her first speech after taking over as the director of the UK’s National Cyber Security Center (NCSC). Although she was addressing UK businesses, her words are applicable to organizations worldwide.

Secure by design helps proactively protect an organization’s crown jewels and move from a react to an act mindset. There is an urgent need for organizations to identify risks at the earliest stage possible and plan data defense strategies. That includes drafting an in-depth security plan, which includes thorough assessment, identification, and resolution of vulnerabilities in software used company-wide.

But organizations often run into multiple roadblocks when it comes to implementing that security plan, which include:

  • lack of leadership buy-in
  • absence of a perception of business value
  • importance given to tech to achieve agility, scalability, and faster deployment where security does not form a pillar
  • difficulty in aligning security with business objectives
  • misconception that security measures are too expensive to implement and sustain

DevSecOps lets you walk the line

DevSecOps, as the name suggests is the holy trinity of Development teams, Security and Operations aka the three key stakeholders involved in developing and maintaining secure code. DevSecOps is less of a technology and more of a cultural mindset, which identifies the three stakeholders as being partners in carrying forward innovation while maintaining a secure posture and delivering best value for the end customer.

DevSecOps changes the game for you without sacrificing agility and by easily aligning with business goals. Guarding against risk requires a multipronged approach, which can be achieved with DevSecOps, which demands collaboration and shared accountabilities among operations, development, and security teams. 

That said, implementing DevSecOps requires much more than writing exceptional code. It needs patience and time to build robust processes. Above all, it requires gaining implicit trust from all stakeholders from the C-suite to third-party vendors.

Similar to how a family supports each other in their respective goals, the DevSecOps culture requires mutual support and ownership for three key goals aka Scalability, Agility and Security. The application being written needs to be designed to enable it to scale for growth, to be agile enough to enable multiple releases in a day and to be built with ‘secure by design’ principle and each stakeholder needs to agree to have mutually shared goals for all the three attributes. As a best practice, each stakeholder can start with a minimum of one mutually agreed upon metric for each of their areas and then as the maturity level increases, can expand upon that to enable building truly flexible, robust secure products, delighting the end customer.

CapGemini defines ‘trust’ as, “maximizing credibility, reliability and safety, and minimizing self-focus.” Achieving this synergy is challenging and so is putting together DevSecOps capabilities.

What is the Purple Book Community?

The challenges that DevSecOps pose can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about. 

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts together to write a comprehensive book about DevSecOps, AppSec, and product security concerns, best practices, and case studies. This book will be offered free of charge for the benefit of the broader community.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to help businesses steadily add robust layers of security by adopting DevSecOps. It helps companies build the case for stronger security capabilities by learning from practitioners who have been there and done that. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly. 

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

As Poornaprajna Udupi says in this chapter of the Purple Book, “Regardless of what stage your organization is in, assuming a “technology first” attitude will be helpful. At this point in time, the intelligent use of technology is truly the key to creating and sustaining a successful security program.”

The Purple Book Community acts as your support system and guide as you figure out your business framework and implement those key processes to fulfill the promises of DevSecOps.

Participate in the community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. To know the latest updates and participate in events, check out the community’s LinkedIn page

Head of DevSecOps, American Family Insurance