“Security” and “Risk” are often used interchangeably. That is a mistake that has a tangible impact on everything from board level discussions on Digital Transformation to changes in business-critical applications to the bottom line. Executives and Board members at organizations of all types inherently understand this. Business conversations at the executive level involve discussions of revenue projections alongside the risks associated with achieving those goals. Put simply: your Board doesn’t care about Application Security. It cares about Application Risk, which includes both security and compliance.
One of the best ways to truly understand a business is to read its annual report (and 10-K SEC filings for U.S. public companies). 10-K forms all start out the same way, and there’s no better way to illustrate how important risk is to the business world (here is an example from Apple):
Item 1: Business
Item 1A: Risk Factors
The Risk Factors in Item 1A include anything that could materially impact the business. The scope of this is incredibly broad and spans everything from security and compliance risks to inflation and global macroeconomic conditions. Here is an example from the Apple report:
“The Company’s global operations are subject to complex and changing laws and regulations on subjects including, but not limited to: antitrust; privacy, data security and data localization; consumer protection; advertising, sales, billing and e-commerce; product liability; intellectual property ownership and infringement; digital platforms; Internet, telecommunications, and mobile communications; media, television, film and digital content; availability of third-party software applications and services; labor and employment; anti-corruption; import, export and trade; foreign exchange controls and cash repatriation restrictions; anti–money laundering; foreign ownership and investment; tax; and environmental, health and safety.”
Apple further notes that: “Compliance with these laws and regulations may be onerous and expensive, increasing the cost of conducting the Company’s global operations.”
THIS is how Boards view security - as one component in a larger framework to understand and mitigate risk.
“Security” has long viewed itself as a fundamentally different element that needs to be evaluated, prioritized, and funded separately from other types of business risk, but this isn’t grounded in reality. Security is not an end in itself but is one component of a business’s risk calculation, not unlike a challenge from a new competitor, changing buyer sentiment, market fluctuations, or even a pandemic. Admittedly, there is a moral element to security: you are responsible for customer data that you have a duty to protect. But no security system is ever perfect and prioritization and budget decisions need to be made according to risk.
This is a problem because thinking about security and thinking about risk often lead to different conclusions - and different actions. Security is tactical. It is focused on breach prevention and often carries with it a near-obsession with discovering, triaging, and remediating vulnerabilities, often based on results from scanning or orchestration tools. What it neglects are context, nuance, and alignment with human factors and business goals alongside many other risk factors (see: Code Risk is Multi-Dimensional).
Risk-based thinking is strategic. It weighs the natural desire to reduce potential and current risks with the business goal of increasing revenue, which is today often accomplished by accelerating digital transformation. It is often necessary for a business to move FAST and with speed comes additional risk.
This may sound controversial to many, but the role of a Security organization is not to minimize - or even reduce - risk in a vacuum apart from other priorities. It is to evaluate risk and present options to business leaders. In some cases, executives will choose to enforce rigid security controls on the entire organization, even at the expense of speed. In others, Security teams will need to do their best to reduce risk given significant constraints. But the key is this: decisions on risk are business decisions!
Many security experts often believe that their concerns are given short-shrift and development goals and speed are given priority. This may be 100% true but at the same time be a misreading of the situation. CEOs at small companies and General Managers at large ones DO understand risk. So do development leads and VPs of IT. But their perspective is a fundamentally different one. And the sooner Security shifts its focus from vulnerabilities to risk, the sooner it will have a seat at the table where business decisions are made.