Is your CISO on board? They have the most essential ingredient for your AppSec Program’s success
Everyone loves the fantasy of the lone protagonist heroically overcoming all obstacles to save the day despite long odds. The problem is, if the day that needs saving is in any way related to software security and your lone hero is an AppSec Director, it’s only a fantasy.
The ingredients for a successful application security program come from many sources: the expertise and experience of the AppSec team, the cooperation of the developers, the security tooling from engineering, and the lanes of authority that come from governance.
However, the ingredient I’ve seen missing in broken AppSec programs can come from a frank discussion between the CISO and the AppSec director: a shared understanding of goals. When I was a communications officer, my boss used to joke that “communicators make the worst communicators,” and that’s a trend I’ve seen extend into this side of my career.
What should be communicated between the Chief Information Security Officer and the Application Security Program Owner? Security, mostly. The CISO’s job is to deal with Information Security, as its Chief Officer. They accomplish their job of securing information by delegating bits and pieces down to Identity and Access Management teams, Audit & Compliance, Ops, Risk Management, AppSec, and others.
The CISO, in turn, gets their role delegated to them by the CEO, COO, or CIO to ensure that the CISO enables the larger business to do what it does, but securely. This is why it’s important for AppSec to be aligned with the business as a whole because good AppSec lets the business do what it does, but securely.
Alignment starts by asking the question “Why security?” On the surface, this exercise seems silly because we all know that security is awesome, but there are people out there who don’t think that about security. That’s kind of a good thing, because we wouldn’t have jobs in security if everyone was on board with it. Understanding the reason it’s important to secure operations, assets, data, and software will give purpose to and shape the larger AppSec program goals. If a bank were hacked, it wouldn’t be able to do bank things like handle money or service customers. If a health-care provider were hacked, they couldn’t provide patient care. If a power company were hacked, they couldn’t keep the lights on.
The goal of an AppSec program shouldn’t be a self-licking ice-cream cone. Its mission statement shouldn’t be “to grow security maturity” or “to reduce vulnerabilities”; it should be “To reduce software risk that could prevent us from keeping the lights on for customers” or “To enable providers to securely treat patients.” A frank conversation between the CISO and the AppSec program owner should establish that as the banner goal, and everything in the program builds towards it.
A clear, business-relevant goal is invaluable for an AppSec program. It sets a clear vision that can be the first step in breaking silos. A well-defined goal will inform what’s measured and reported, giving good and meaningful metrics. It also makes prioritizing what happens where much easier. At a person-to-person level, it changes the security conversation from “You should fix this problem because the tool said it’s bad” to “We should fix this problem because it’s a threat to keeping the lights on.”
Once the goal and vision are established, defining roles and responsibilities is next. The AppSec program owner's role is to plan, implement, and execute, while the CISO's role is to remove obstacles, provide resources, and secure buy-in from their peers. When I see processes that are broken because development teams or engineering teams can argue their way out, it’s not necessarily a sign of a broken process. There isn’t a process so perfect that some overworked manager can’t push back. Instead, it’s an authority issue.
The CISO needs not only to delegate authority to the AppSec program owner, but also to ensure that their peers - the CIO, COO, CFO, and others - understand what the AppSec program owner’s authority is. This allows the other C-suite officers, SVPs, and other leaders to communicate that message down their lines of control. Top-down communication is vital to moving security beyond friendly teams and allowing program owners to keep security tasks prioritized in the backlog.
There's always more to say on a topic like this one, but I've hit my budget for now. Stay secure and never forget the humans.