We’ve all seen it. Apathy and disinterest are the name of the game with web security until a business deal is threatened, a data breach occurs, or an auditor reports something negative to the board and management is called on it. Then, out of nowhere, strong support for security suddenly appears.
Breaches and related web security incidents aside, how exactly do you communicate the importance of what you’re doing and ensure the right people are in the loop so your efforts can have a measurable impact on managing overall information risks? You’ve heard the Chinese proverb: A journey of a thousand miles begins with a single step. It’s no different in the case of web security. Effective communication with management starts with the single step of how you position your message and then moves on to how often you communicate your message.
If you have SQL injection, talk about the consequences to the business. If your web authentication or identity management system is being exploited, share the different scenarios and what the risk can lead to. If your password policy, event logging and monitoring, or development and testing processes are weak, let management know how they’re creating liabilities.
Don’t be afraid to leverage the contents of your web vulnerability scanner reports. Half the work has already been done for you. For instance, the following Acunetix Web Vulnerability Scanner description of the Slow HTTP attack outlines everything you need to know to get your points across to management: 1) the threat, 2) the vulnerability, and 3) the risk.
You may need to tweak the exact message, but if you take this approach with every essential finding, you’ll be much more effective in getting your points across. As I said in part 1 of this series, don’t blame the audience for not understanding your message. Instead, look at what you’re saying and, especially, how you’re saying it.
Keep in mind that politics always comes into play with web security. No matter how credible your message is, you’re going to get pushback. It may be from your own CIO or CISO. IT staff, information security managers, and even developers and QA professionals may downplay the importance of your security findings. Self-preservation – especially the fear of looking bad in the eyes of management – is a strong motive that’s hard to overcome. The thing is, though, you can’t hold back for fear of offending someone. No good business executive prefers politically skewed information over the truth from a trustworthy staff member.
Practically anyone can test web applications for security vulnerabilities. However, if you really want to rise above the noise and keep management on your side, there are a few more steps you must take. Your next steps should be:
- Make all of your web security assessment findings known and visible to all the right people. Share the real story. Be brutally honest about what you’ve uncovered. Protection of the business should always be the number one priority.
- Take action on your findings (or at least ensure others are doing their part) to resolve the areas of risk you uncover. Revisit when necessary.
- Keep management in the know – over and over again. You don’t have to be pesky or even all that formal. At a minimum, casually keep them in the loop on your findings with the proper web security vulnerability scanner reports.
If you take anything at all from this blog series, let it be that communication will make or break your success with web security. The better you can communicate, the more credibility and trust you’ll build with management. When you do that you’ll develop strong relationships with the people who ultimately control how effective you can be in your job. Everyone wins.