Shrinking Budgets: Application Security Tools vs Process Tradeoff

An all-too-familiar scene repeated itself two weeks ago. My good friend and CISO of a mid-sized technology company, let's call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.

Like most managers, Alok started taking stock of his mini-empire and prioritizing things that he could do without. Luckily, he had already expected a cut and so had planned ahead. Unluckily, he had planned for a 6% reduction, not a 15% reduction. After some brainstorming and some tough decisions, he had cut costs by 10%. Now began his quest for the elusive final 5%. His organization had started the transition from being a network-security-centric organization to a more application-security-centric organization around 15 months ago. So, a solution proposed by one of his managers was to drop the security engineering process integration program and replace it with a set of static analysis tools they had just evaluated. This strategy had paid off handsomely for them in the network security field. Ron, one of the leading application architects in the organization, was opposed to the idea. Thus started a turf war, which left some angry, most frustrated, and everyone confused.

Unlike most managers, Alok reached out for advice.

- Akshay Aggarwal