
© 2017 Synopsys, Inc. 1

Created by Marketing Team

March 30, 2017

3 Steps to a Successful Board-Level Conversation about Your Application Security Needs

Get Your Board to Say “Yes” to Managed Security Services

Page 2

Why consider managed services?

It is a cost-effective, efficient way to get...

• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio

• Resources that provide elastic capacity at a predictable budget

• Customized read-outs with security and development staff to improve performance

• Consistent, transparent reporting to demonstrate return on investment

Page 3

Why board buy-in is important

• To help leaders make decisions about budget and priorities

• To get resources you need to manage your application security initiative

• To gain support throughout your organization

• To demonstrate the impact of your work on business goals

• To give your team the reputation they deserve

Page 4

Assumption

You’ve already convinced your board they should care about software security.

Page 5

Step 1

Communicate with the board in business terms, not technical terms.

Page 6

“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.”

Page 7

Boards can’t influence what they don’t understand

• Most boards have no cybersecurity experience.

• They have limited time and a crowded agenda.

• They don’t respond to technical jargon.

So…

You must describe the business context for managed security services to get board buy-in.

Page 8

How managed services match business goals

• Return on investment

• Cost savings

• Faster time to market

• Competitive advantage

Page 9

Step 2

Prepare for questions the board will ask.

(Keep going to see example questions)

Page 10

Question 1

How will investing in managed security services impact our business?

Page 11

Your board-friendly answer

• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.

• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.

Page 12

Question 2

How will a shift to managed services impact how we are currently managing cyber risk?

Page 13

Your board-friendly answer

• We will be able to manage risk more efficiently across the entire portfolio: every application, software project, software security defect, and data asset.

• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.

• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.

• We will be able to record every security test, result, and remediation step to continually improve.

Page 14

Question 3

How will using managed services impact our budget?

Page 15

Your board-friendly answer

We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.

HARD COSTS

• Cost of hiring application security experts

• Cost of licensing security testing tools

• Cost of training staff

SOFT COSTS

• Time it takes to find experts

• Time it takes to get new staff up to speed

• Number of applications each staff member can test, and at what depth

• Stress of managing changing testing volume or emergency situations

• Opportunity cost of other projects that internal staff are not able to tackle

Page 16

Question 4

How will we measure return on our investment?

Page 17

Your board-friendly answer

Managed services give us greater value for less cost. How will we know?

• We will see fewer security vulnerabilities that must be fixed in the QA and production stages, because they will be addressed earlier in the development cycle.

• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.

Page 18

Metrics that really matter to the board

• Percentage of applications reviewed and signed off, indicating an acceptable level of security

• Percentage of software projects that go through a secure development lifecycle

• Percentage of security bugs that reoccur in application development

• Percentage of security bugs that have been fixed within the recommended time

Page 19

Make your metrics make sense

It’s essential that you provide context when explaining the metrics you capture. For example...

Don’t just say: We found nine critical bugs this month.

Instead, add context:

• This was expected because we just rolled out a new defect discovery capability.

• This is considered acceptable because the bugs were found in development, before production.

• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.

Page 20

Question 5

How will managed services support our aggressive development schedule?

Page 21

Your board-friendly answer

• Security testing will be matched to our development cycle, working within sprints and testing windows.

• Because our testing team will always be available, we will get back security test results faster than before.

• We will be able to remediate issues in step with the development process.

Page 22

Question 6

How will using a managed service help us keep up with what our peers are doing to minimize risk?

Page 23

Your board-friendly answer

• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.

• We will benefit from our managed service partner’s aggregated experience and best practices, based upon years of working with multiple companies across a wide range of industries.

Page 24

Step 3

Make sure you have a resource plan that satisfies your board’s questions.

Page 25

The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).

Get Started with Managed Services

Page 26

Thank You