Abstract
Security teams, including AppSec, have very much been focused on “inside out” imperatives, e.g. we are doing x because our security or compliance team says so.
Traditionally, finding and fixing vulnerabilities, evangelizing secure coding practices, pleading with engineering teams to implement the “right” cloud configurations, etc., have been disconnected from the customer and the business. In some cases, AppSec is even positioned as a tax on the business, a necessary cost center; businesses only know it's important because lawsuits, burgeoning regulation, and breach headlines have told them it is. This makes it a challenge to get buy-in from stakeholders, which makes our jobs very difficult, sometimes impossible.
However, what we do has real, human consequences. We have the opportunity to reframe security practices by focusing on this “outside in” perspective: the perspective of TRUST.
High-level outline
Research on customer/consumer trust – what is “trust”?
- Boiled down to four factors: capability, reliability, transparency, and humanity
- High levels of trust increase revenue
- There is a correlation between security, privacy, resilience, risk, compliance, and customer trust
Security is not separate work, security is a foundational feature
- Customers/consumers expect vendors to protect their data
- Security is not a cost center – it’s a revenue enabler (customer trust = customer loyalty = increased revenue)
Security practices need to be marketed
- Human psychology: we want to believe we are special and have a purpose
- Communicating the full impact of doing or not doing security practices well
- “Customer trust” as a burgeoning discipline within CISO organizations