Protect Your Assets

Why CISOs don't invest properly in Application Security

Kerry_Matre ‎12-22-2015 10:20 AM - edited ‎01-04-2016 07:56 AM

84% of breaches occur at the application layer. So why is it that so little of our enterprise security dollars go towards application security?

I have a theory. 

There are 2 types of InfoSec people. There are network security people and application security people. Network security people are the vast majority. They came up through military, communications, network ops, or sys admin type jobs. Application security people are the minority and started as application developers.

I came to realize the distinction when I was in customer meetings with a co-worker. She would geek-out about network diagrams and where to install DNS taps. Meanwhile, my eyes would roll back in my head. I, on the other hand, fed off the conversations about SDLC, application gates and secure coding practices. It turns out that network security people and application security people are very different species and I am an application security person. This doesn't mean that network people can't understand application security and app sec folks can't understand networks. It is just a statement about where the passion lies.

So what's my point? Network people feel more confident investing in network security solutions (IPS, SIEM, etc.). Application people feel more confident investing in application security solutions (DAST, real-time application defense, etc.).

Now... name one CISO who is an application security person.

It's hard if not impossible to do. I've crossed paths with a couple hundred CISOs in my career and I struggle to name one that came from a development background and is an app sec person.

I think this bias is having negative effects on our industry but I'd love to know what you think. 

It's almost 2016. Let's start investing where we know we can have a huge impact!

To learn more about HPE Application Security products visit HPE Security Fortify.



J Random Entity
on ‎12-22-2015 05:23 PM

Kerry, neither application nor network security is the answer.  Both are, as well as structured processes and policies that define, regulate, and enforce their use.

One of the biggest problems I see with application security is that enterprises don't want to invest beyond the developer in terms of application security - code reviews and audits aren't undertaken, applications are deployed without adequate testing (automated or otherwise), and inadequate or nonexistent use of tools that could mitigate many of these issues before they are exposed to the world and its dog continue to be the norm.  Just assume that the developer knows what he or she is doing and run with it; we'll fix it later if it turns out to be a problem.  Just don't spend the money up front to fix it before it's a problem anyone has noticed.

A CISO needs to be capable enough to realise that there is no single facet or approach to Information Security that works for all threat models, vectors, and surfaces - and that no one set of personal experience can prepare them for that.  Whether that person's background is in application, network, systems, industrial control, communications, or other aspects of information security is largely irrelevant.  What is relevant is their ability to lead and evolve the needs of the organisation, and that their position within the organisation is suitable for both them and the organisation as a whole.

Finally, while I will freely admit that I cannot name a CISO who is "an application security person," as you put it, the reality is that suggesting that more CISOs should be placed in that role solely because of their application security background is akin to suggesting that more 747 pilots should be responsible for the lives of 300-plus passengers because they worked on the development team of Microsoft Flight Simulator.

David Brothers
on ‎02-03-2016 11:08 AM


I absolutely agree with your assessment.  I am an app guy in a security related role and the two distinct groups speak and think about security in two entirely different ways.  Unfortunately, from my perspective the network/sysadmin side of the house looks at dropping tool after tool in place to protect but often times this is done with a "plug-n-play" mentality.  The tools aren't specifically configured for the environment.  App security gets even more messy because many times there is no right or wrong answer.  There's a lot of gray.  App Security is also still thought of as an after-thought.  The dev team gets through testing and then wants a quick scan down prior to going live.  The time for security assessment and remediation isn't baked into the process.

As an industry, the security thought process is still lagging behind the threats.  While I would agree with your previous respondent that a CISO shouldn't be put in place strictly because they have an app background, it should definitely be a strong consideration for a well-rounded view.  I didn't agree with the respondent's comparison.  It was a little dramatic.
