Get Your Board to Say “Yes” to Managed Security Services - BSIMM

Post on 19-Mar-2020

© 2017 Synopsys, Inc. 1

Created by Marketing Team

March 30, 2017

3 Steps to a Successful Board-Level Conversation about Your Application Security Needs

Get Your Board to Say “Yes” to Managed Security Services

Why consider managed services?

It is a cost-effective, efficient way to get...

• A pool of top-level experts to find and fix vulnerabilities throughout your portfolio

• Resources that provide elastic capacity at a predictable budget

• Customized read-outs with security and development staff to improve performance

• Consistent, transparent reporting to demonstrate return on investment

Why board buy-in is important

• To help leaders make decisions about budget and priorities

• To get resources you need to manage your application security initiative

• To gain support throughout your organization

• To demonstrate the impact of your work on business goals

• To give your team the reputation they deserve

Assumption

You’ve already convinced your board they should care about software security.

Step 1

Communicate with the board in business terms, not technical terms.

“More than half of corporate directors say they are ‘not satisfied’ with the information they receive from management on cybersecurity and IT risk.”

Boards can’t influence what they don’t understand

• Most boards have no cybersecurity experience.

• They have limited time and a crowded agenda.

• They don’t respond to technical jargon.

So…

You must describe the business context for managed security services to get board buy-in.

How managed services match business goals

• Return on investment

• Cost savings

• Faster time to market

• Competitive advantage

Step 2

Prepare for questions the board will ask.

(Keep going to see example questions)

Question 1

How will investing in managed security services impact our business?

Your board-friendly answer

• A managed services partner lets us extend our efforts without a heavy investment in new technologies or additional headcount.

• This approach to software security would help our customers, partners, and investors feel confident doing business with our company.

Question 2

How will a shift to managed services impact how we are currently managing cyber risk?

Your board-friendly answer

• We will be able to manage risk more efficiently across the entire portfolio—every application, software project, software security defect, and data asset.

• We will have more resources, which will enable us to guide every software project through a secure development lifecycle.

• We will have access to the tools and expertise we need to apply more advanced defect discovery techniques for high-risk applications.

• We will be able to record every security test, result, and remediation step to continually improve.

Question 3

How will using managed services impact our budget?

Your board-friendly answer

We evaluated resource options and have a solution that gives us the most value for a cost-effective, consistent budget.

HARD COSTS

• Cost of hiring application security experts

• Cost of licensing security testing tools

• Cost of training staff

SOFT COSTS

• Time it takes to find experts

• Time it takes to get new staff up to speed

• Number of applications each staff member can test, and at what depth

• Stress of managing changing testing volume or emergency situations

• Opportunity cost of other projects that internal staff are not able to tackle

Question 4

How will we measure return on our investment?

Your board-friendly answer

Managed services give us greater value for less cost. How will we know?

• We will see fewer security vulnerabilities that must be fixed in production and QA stages because they will be addressed earlier in the development cycle.

• We will analyze metrics per technology stack, per business unit, and per software project type to see areas of risk, identify patterns, and reward improvements.

Metrics that really matter to the board

• Percentage of applications reviewed and signed off, indicating an acceptable level of security

• Percentage of software projects that go through a secure development lifecycle

• Percentage of security bugs that reoccur in application development

• Percentage of security bugs that have been fixed within the recommended time

Make your metrics make sense

It’s essential that you provide context when explaining the metrics you capture. For example...

Don’t just say: We found nine critical bugs this month.

Instead, add context:

• This was expected because we just rolled out a new defect discovery capability.

• This is considered acceptable because the bugs were found in development, before production.

• Remediation tasks have been assigned and it looks like the bugs will be fixed within the recommended time.

Question 5

How will managed services support our aggressive development schedule?

Your board-friendly answer

• Security testing will be matched to our development cycle, working within sprints and testing windows.

• Because our testing team will always be available, we will get back security test results faster than before.

• We will be able to remediate issues in step with the development process.

Question 6

How will using a managed service help us keep up with what our peers are doing to minimize risk?

Your board-friendly answer

• Working hand-in-hand with a team of software security experts will help our staff learn the latest techniques to create secure code and remediate vulnerabilities.

• We will benefit from our managed service partner’s aggregated experience and best practices based upon years of working with multiple companies across a wide range of industries.

Step 3

Make sure you have a resource plan that satisfies your board’s questions.

The right managed services partner helps you give your board the answers it needs (and regulators, shareholders, and customers too).

Get Started with Managed Services

Thank You