One of the biggest challenges facing CISOs today is how to build a secure application strategy. It’s no simple feat to build an application security strategy that is both comprehensive and effective. But it’s essential, as a breach can be quite costly to the organization.
How much does a data breach cost?
The cost of data breaches is one of the primary reasons a secure app strategy is at the top of every CISO to-do list. Regardless of the size of your company, a data breach of any size can have disastrous ramifications, both financially and in terms of your reputation.
If we look strictly at the financial angle, the costs of a data breach continue to negatively affect your bottom line for years. Worse yet, the cost of data breaches is actually increasing.
A recent report found the average cost of a data breach has risen to $3.92 million. This represents an increase of 1.6 percent from the previous year and a 12 percent increase over the last five years.
Important highlights from the report that CISOs should be aware of include:
- The average size of a data breach has increased 3.9 percent, rising to 25,575 records. The US average, however, is higher, at 32,434 records on average.
- Worldwide, the average cost per record is $150. This number is again higher in the US, coming in at $242 per record.
- The cost of a breach lingers for years. On average, 67 percent of the cost comes in year one, followed by 22 percent in the subsequent 12 to 24 months, and the remaining 11 percent being felt more than two years later.
- A breach results in an average customer turnover of 3.4 percent, yet another increase from 2018, suggesting customers are increasingly likely to walk away if a breach occurs.
While a massive breach such as the 2017 Equifax debacle is rare, it does point to the enormous financial penalties that can result from such an incident. Equifax recently agreed to pay a whopping $575 million (with the potential to increase to $700 million) as part of its settlement with the Federal Trade Commission (FTC)—two years after the breach happened.
Your organization’s level of preparedness for a breach, and your ability to deal with one swiftly, both have a direct impact on the cost per record and the total cost of a data breach.
Here are ways to reduce the cost of a breach:
- Create an incident response team that has a formal plan to follow if a breach occurs.
- Conduct drills to practice responding to a breach.
- Keep the public updated on your response if a breach should occur.
- Implement a thorough and comprehensive corporate application security strategy.
This last step is, in our opinion, the most important one in reducing your risk of dealing with a data breach and the associated costs. We have laid out an application security program roadmap that CISOs can follow.
How to build a secure application strategy
Build a culture of application security
A secure application strategy starts at the top and makes its way throughout the entire organization. The entire C-suite must commit to security, communicating that it is a top priority.
Employees need training on the importance of application security. Developers should not be held to unrealistic deadlines if meeting them means security gets pushed to the side.
Follow a DevSecOps approach
This approach incorporates security into every step of the application development process, creating a stronger (and joint) relationship between development and security teams. An environment of collaboration and open communication is required for success.
Conduct comprehensive AppSec testing
The best approach is to use a wide and blended range of testing tools, including Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools, Interactive Application Security Testing (IAST) tools, and Software Composition Analysis (SCA) tools. Each class finds a different slice of the problem, so the ideal approach combines automated tooling with manual testing and threat modeling.
Use an application vulnerability manager
An application vulnerability manager allows your development and security teams to weed through the results from multiple AppSec testing tools and address them more efficiently.
This type of tool correlates the results from various testing applications and delivers the results in a single, standardized report. It cross-references results from SAST and DAST tools, helping you prioritize which vulnerabilities present the most real and serious threats to your organization—so you can address them first and decrease your chances of a breach.
The right tool will integrate with developer environments, making it easy for security and development teams to work together to quickly address bugs and threats.
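The correlation step described above is easier to reason about with a concrete model. The following is an added example, not code from the page or from any vulnerability management product: it normalizes findings from several tool types into one shape, joins SAST and DAST results on the (CWE, HTTP route) pair, marks a weakness as confirmed when a static finding in the code has also been reproduced dynamically against the running application, and ranks the result so confirmed, severe findings come first. The `Finding` shape, the tool names and the sample findings are all constructed for the illustration; real scanners emit their own formats (for example SARIF), which a normalization step would map onto this shape first.

```python
"""Correlate findings from several AppSec tools into one prioritized report.

Added illustration, not code from the page or any vulnerability manager.
The Finding shape, tool names and SAMPLE_FINDINGS are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Rank used to take the worst severity when two tools disagree.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str       # scanner name (constructed)
    kind: str       # "sast", "dast" or "sca"
    cwe: str        # CWE id: the cross-tool join key
    route: str      # HTTP route handled by the code (SAST) or hit (DAST); "" for SCA
    location: str   # file:line for SAST, request for DAST, package for SCA
    severity: str


@dataclass
class Correlated:
    cwe: str
    route: str
    severity: str
    sources: list = field(default_factory=list)
    confirmed: bool = False  # flagged statically AND reproduced dynamically

    def score(self) -> int:
        # Worst severity first; bump findings two tool types agree on, since
        # they are both present in the code and reachable from outside.
        return SEVERITY_RANK[self.severity] * 10 + (5 if self.confirmed else 0)


def correlate(findings):
    """Group findings by (CWE, route) and mark SAST+DAST overlaps as confirmed."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.cwe, f.route)].append(f)
    result = []
    for (cwe, route), items in groups.items():
        kinds = {f.kind for f in items}
        worst = max(items, key=lambda f: SEVERITY_RANK[f.severity]).severity
        result.append(Correlated(
            cwe=cwe, route=route, severity=worst,
            sources=[f"{f.tool}:{f.location}" for f in items],
            confirmed={"sast", "dast"} <= kinds,
        ))
    # Highest score first so the team addresses confirmed, severe issues first.
    return sorted(result, key=lambda c: c.score(), reverse=True)


def report(correlated):
    """Render the single standardized report as one line per correlated issue."""
    lines = []
    for c in correlated:
        tag = "CONFIRMED" if c.confirmed else "unconfirmed"
        lines.append(f"{c.score():>3} {c.severity:<8} {c.cwe:<8} "
                     f"{c.route or '-':<12} {tag} <- {', '.join(c.sources)}")
    return lines


# Constructed sample output of three tools scanning an imaginary API service.
SAMPLE_FINDINGS = [
    Finding("sast-tool", "sast", "CWE-89", "/api/users", "src/users.py:42", "high"),
    Finding("dast-tool", "dast", "CWE-89", "/api/users", "GET /api/users?id=1%27", "medium"),
    Finding("sast-tool", "sast", "CWE-79", "/search", "src/views.py:17", "high"),
    Finding("sca-tool", "sca", "CWE-502", "", "somelib==1.2.3", "high"),
]

if __name__ == "__main__":
    for line in report(correlate(SAMPLE_FINDINGS)):
        print(line)
```

Run as a script, the injection flaw in `/api/users` lands at the top because the static finding was reproduced by the dynamic scan, while the XSS and the vulnerable dependency keep their tool-reported severity but no confirmation bump. The join key is the design choice that matters: a plain CWE match would wrongly merge two different injection points, and a file-path match can never line up with a DAST result, so the route the code serves is what lets the two tool types be cross-referenced.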
Avoid the speed trap
The speed of application development keeps increasing, which makes it easier to push secure practices to the back seat. Effective CISOs stay focused on the importance of application security for the long-term success of the enterprise, even if it means slowing down.
Develop a formal AppSec plan
Make sure your secure application strategy is documented. This should include all of the tools being used to monitor and address security issues and all organizational standards related to application security. The plan should be revisited at least every year to make sure it remains accurate and serves as a living guide for the organization.
For additional information on application security, CISOs can consult the AppSec Guide developed by OWASP, which is geared specifically for the CISO role.
With the right tools, the right processes, and the right mindset, CISOs can steer their organizations on a successful path to creating and maintaining a secure application strategy. This will decrease the chances that a data breach will occur and protect your company’s bottom line and reputation.