HPE Software is now Micro Focus

Why CISOs don't invest properly in Application Security

Re: Why CISOs don't invest properly in Application Security

Kerry,

I absolutely agree with your assessment. I am an app guy in a security-related role, and the two distinct groups speak and think about security in two entirely different ways. Unfortunately, from my perspective the network/sysadmin side of the house looks at dropping tool after tool in place to protect, but often this is done with a "plug-n-play" mentality. The tools aren't specifically configured for the environment. App security gets even more messy because many times there is no right or wrong answer. There's a lot of gray. App security is also still thought of as an afterthought. The dev team gets through testing and then wants a quick scan done prior to going live. The time for security assessment and remediation isn't baked into the process.

As an industry, the security thought process is still lagging behind the threats. I would agree with your previous respondent that a CISO shouldn't be put in place strictly because they have an app background, but it should definitely be a strong consideration for a well-rounded view. I didn't agree with the respondent's comparison. It was a little dramatic.


Kerry, neither application nor network security is the answer. Both are, as well as structured processes and policies that define, regulate, and enforce their use.

One of the biggest problems I see with application security is that enterprises don't want to invest beyond the developer in terms of application security: code reviews and audits aren't undertaken, applications are deployed without adequate testing (automated or otherwise), and inadequate or nonexistent use of tools that could mitigate many of these issues before they are exposed to the world and its dog continues to be the norm. Just assume that the developer knows what he or she is doing and run with it; we'll fix it later if it turns out to be a problem. Just don't spend the money up front to fix it before it's a problem anyone has noticed.

A CISO needs to be capable enough to realise that there is no single facet or approach to Information Security that works for all threat models, vectors, and surfaces, and that no one set of personal experience can prepare them for that. Whether that person's background is in application, network, systems, industrial control, communications, or other aspects of information security is largely irrelevant. What is relevant is their ability to lead and evolve the needs of the organisation, and that their position within the organisation is suitable for both them and the organisation as a whole.

Finally, while I will freely admit that I cannot name a CISO who is "an application security person," as you put it, the reality is that suggesting that more CISOs should be placed in that role solely because of their application security background is akin to suggesting that more 747 pilots should be responsible for the lives of 300-plus passengers because they worked on the development team of Microsoft Flight Simulator.
