May 21, 2020
This post is the second in a five-part series where we’ll be digging into why SecDevOps enables every department in an enterprise – not just Security and Development – to do their job better. The favorite phrase of security teams today is that “Security is everybody’s responsibility” – which it is – but they often fail to link back to why it also makes everybody’s job easier. Implementing good SecDevOps isn’t just about reducing cyber threats, it’s about being productive and finding new opportunities to gain a competitive advantage. This post will focus on why Finance Teams want a good SecDevOps program.
What do Finance Teams do?
“Cash is king” is the mantra of Finance Teams, and it requires the company to run as a well-oiled machine. Finance is not just about counting pennies to keep the lights on, but about creating a financial strategy that aligns with the company’s growth goals – and making sure they have the fuel to get there. This requires predictability, operational efficiency, and of course, cash in the bank.
Finance Teams are often begrudgingly “convinced” that good Application Security means writing a blank check. Unfortunately this means most Finance Teams just see Application Security as a cost center, not a real driver to help them meet their strategic goals. But the reality is that great Application Security is about investment not just in tools, but in an end-to-end SecDevOps process. Successful Finance Teams understand that SecDevOps is just as important to their goals as it is to those of security and development.
What are the Finance Team’s activities?
- Forecasting & Budgeting
- Cash Flow Management
- Legal Compliance
- Tax Planning
- Record Keeping
Why these goals?
Cash is king!
How does SecDevOps help?
- Accurate Cost Management
- Better Predictability
- Increased ROI
- Efficient Audits
Poorly deployed Application Security is like carbon monoxide in Development’s budget. You know it’s there, but you can’t smell it or find it. You only find it when the alarm goes off: a security breach. This is a real and serious issue for Finance Teams. It eats away at their hard work on building a successful financial strategy, or in economic terms – it creates deadweight loss. This is lost efficiency in meeting both Development and Security goals. Application Security is often deployed infrequently and inconsistently, which results in more vulnerabilities, backlog bloating, and ultimately, decreased operational efficiency.
At the core, good SecDevOps is about consistent deployment of the processes associated with Application Security to make it operationally efficient in existing Development processes. Without SecDevOps, AppSec gets relegated to the generic line item of “Non-Functional Requirements,” which makes it impossible to manage and optimize. SecDevOps gives Finance Teams predictability and visibility into Application Security, which translates into cost savings of up to 100x through proactive management.
A good SecDevOps process gives predictability to Finance Teams – and everyone else in the company. Imagine getting to the end of the quarter only to discover a major product or feature failed to ship because of vulnerabilities or configurations not aligned with policies. This isn’t just about a delayed feature to Finance: poor AppSec deployment could result in revenue recognition issues or even loss of revenue.
Having a well-implemented SecDevOps process can prevent this from happening by preventing, predicting, and identifying security issues in real time. A successful SecDevOps program doesn’t require purchasing expensive tools, or even a lot of overhead – in fact, you can deploy a successful SecDevOps program without a single security testing tool, using only your existing resources. It doesn’t matter if you spend thousands of dollars on the best scanners: without a good SecDevOps program, it will all be wasted. The process – which is the foundation of SecDevOps – is the key to predictability.
It’s no secret that audits are time consuming for everybody – especially Finance Teams. They’re often stuck chasing down the required documentation or asking developers to build custom audit scripts or take clumsy screenshots in order to meet the appropriate attestation requirements — talk about a loss of productivity!
SecDevOps gives the company a single control point to track down issues quickly and to prevent unnecessary work in managing and maintaining compliance. The SecDevOps process becomes that single control point through automation that delivers the correct policies to each project, ultimately providing governance in the pipeline – and tracking when the policies aren’t followed, who approved the override, and when it’ll be corrected. With SecDevOps, audits aren’t held up because security or policy information can’t be tracked down.
ROI on security tools can be a black box when they’re not integrated into the processes they impact. More tools don’t equate to better security. In fact, that strategy can actually have a negative impact on ROI as focusing just on tools creates more data silos that require more energy (and money) to process.
The best and most effective way to measure and improve the ROI of AppSec tools is with a well-developed SecDevOps process that gives Application Security a regular cadence in the SDLC. This not only improves efficiency for both the Security and Development teams, but also creates an environment where PMs and engineers can measure, monitor, and improve the impact of security in their existing metrics to drive better productivity without additional resources.
Want to better understand how SecDevOps can be a strategic asset to your Finance Team? Let’s have a chat.