Have you ever noticed that many people aren’t motivated to do things until there’s a pressing need that’s often personal in nature? It’s the way the world works. In fact, the fear of loss and the desire for gain are the two driving forces behind most decisions we make. This is especially obvious when it comes to executives’ behavior towards information security.
A big part of the reason people don’t care about web security is because they haven’t been presented the right information. Take, for instance, the following snapshot from an Acunetix Web Vulnerability Scanner developer report:
The information shown here says a lot about the specific web application’s technical flaws that need to be resolved. Yet it doesn’t outline how these flaws impact the organization as a whole - that’s what management needs to know. You want them to have the right information so they can make informed decisions and prioritize the approach that’s best for the business. Instead of confusing management with technical details, present them with information they can relate to such as the following snapshot of an Acunetix Web Vulnerability Scanner HIPAA compliance report:
If compliance is not the message you want to portray, another example would be keeping management abreast of remediation efforts in the development lifecycle by sharing previous scan results compared with current scan results like what’s shown in the following snapshot of an Acunetix Web Vulnerability Scanner scan comparison report:
A comparison report is a great way for management – and you – to understand just how effective the current approach to your web security priorities really is.
The lack of a clear message and misguided priorities are two of the things that hold us back the most with web security. Unless and until we properly demonstrate what’s important and how we’re going to go about resolving the issues, we’re going to continue to struggle with getting – and keeping – others on our side.
Your next steps should be:
- Adjust your message depending on whether you’re speaking to management, developers, or even your users about web security. Not only “know your enemy” with web security but also “know your audience”. The proper scanner reports help here, but you also have to get past the “geek speak” trap that’s so easy to fall into. Think about the bigger picture and why your message matters to each individual with whom you’re communicating.
- Stop merely going through the motions of scanning, reporting, and remediating. Addressing every web security vulnerability the same way is going to end up doing everyone a disservice. Prioritize. Focus on what matters. Develop a plan for each web security finding based on the risk to your business rather than someone else’s "best practice". Take the 80/20 Rule approach and focus on your highest-payoff tasks.
In the third and final part of this series, I'll talk about the importance of following up on your web testing efforts, keeping the right people in the know, and closing the loop of information risk management.