Ensuring application security and resilience is largely a technical endeavor. From source code development to vulnerability and penetration testing and all the variables in between, there are a lot of moving parts on the technical side. It’s important, however, to remember the soft side of application security, especially as it relates to the bigger picture area of setting and achieving your goals.

Goal setting is very straightforward, but only eight percent of people actually achieve their goals. If you have the desire to improve your application security program, stand out in your organization, and rise above the noise of the world, here’s what you need to do to get started down the path of improvement:

  1. Determine what you want to accomplish and write it out in the present tense. This will allow you to be specific on what you’re looking to do, and it programs your subconscious mind to believe that the goal has already been accomplished.
  2. Outline the steps you’ll need to take to accomplish the goal. This will help to set expectations and create a roadmap to follow. It can also be helpful to write out any roadblocks you might anticipate for each goal.
  3. Set a specific deadline. This makes the goal more tangible and helps to hold you accountable.

You will want to prioritize each of your goals, so you’ll know which one to focus on first, second, and so on. It’s also important to revisit your goals, ideally every day, but at a minimum every week. This keeps them at the top of your mind so that you are thinking about them on a periodic and consistent basis.

The types of goals that you might set for application security improvement are endless. Of course, it depends on your specific risks and requirements but might include areas such as:

  • Vulnerability and penetration testing
  • Improvements involving specific security standards such as the OWASP Top 10
  • Implementation of certain technical controls such as multifactor authentication or a web application firewall
  • The creation of a security oversight committee

Applying the steps above to vulnerability and penetration testing as an example, the following is a sample application security goal:

This is the essence of setting goals and setting yourself and your application security program up for success. There’s really nothing more to it.

For many technical professionals, the prospect of goal setting and management may not seem terribly exciting, but it can pay huge dividends over the long term. I have found that those who delve further into the business side of application security tend to experience greater rewards in their careers as well.

There’s a saying that if you don’t have goals for yourself then you’re doomed forever to achieve the goals of someone else. Having a set of application security goals that you are working towards is not going to be the silver bullet for keeping things protected. It takes work to determine what you want and then take the proper steps to go about getting it. Even with all the effort involved, having documented goals can help tremendously with oversight and accountability and give you and your team something to aim for. Taking this approach to application security will go a long way and help your efforts stand out in many positive ways, especially considering so many people and organizations have zero goals in this regard.

You don’t have to spend a ton of time on goal setting and management. You could easily write out some goals over a cup of coffee or lunch one day. Worst case, you get together with your colleagues and spend an hour or two on the whiteboard. The important thing is to get started. You don’t have to have perfection. You just need to want it badly enough and have the discipline to see it through. If you work on each goal every day, even if it’s just in some small way, you can accomplish more than you ever believed you could.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.