ASPM as a Force Multiplier in Secure Business Resilience: A CISO’s Perspective

Author: Former CSO, TikTok, ADP, EMC

Having served as Global CISO at some of the largest companies in the world, including TikTok, ByteDance, ADP, and EMC, I’ve seen firsthand the ever-expanding role code plays in business resilience. The reality is that the entire value chain of your organization, from customer experience to core infrastructure, is built on code or technology. It doesn’t matter whether you’re a pizza shop in New York or a multinational social media company.

Simply put: cyber resilience is critical because every business now depends on a vast digital ecosystem.

But securing applications and code at every stage of the software development lifecycle (SDLC), through a secure pipeline defense program, without slowing the pace of innovation is a mammoth task. And because code carries direct implications for privacy, infrastructure assurance, and regulatory conformity, the stakes are even higher. While cybersecurity is undeniably a team sport, CISOs are responsible for communicating risk, steering strategic decisions, and ultimately fortifying defenses in the face of relentless threats. They are also the ones held accountable if anything goes wrong.

This is why I’m so excited about, and focused on, the new code and application defense solutions being introduced to solve some of the biggest pain points security leaders face. In particular: Application Security Posture Management (ASPM).

ASPM takes a platform approach to code and application defense. Solutions in this category continuously manage the security of modern applications and detect threats across the entire SDLC. The best ones also provide a broader, more holistic view: not just code defense, but the issues and threats that create derivative risk.

ASPM solves a lot of the challenges I’ve faced as a security professional over the last two decades, and will quickly become a must-have for CISOs to collaborate more effectively with developers and other C-level executives. Here’s why…

Lesson #1: Context is King.

We operate in a multi-technology, multi-tool environment, where the efficacy of our security measures hinges on the breadth and depth of contextual insight. That means that to effectively improve application security, you first need to understand the relative risk of each individual vulnerability within the context of your entire environment.

This is where singularly focused solutions fall short. It’s like viewing the world through a keyhole. Actually, because the average team uses 49 security tools, it’s more like viewing the world through a cheese grater. Even if your tools cover 90%+ of your attack surface, you will still inevitably have blind spots. This makes it difficult, impossible even, for senior security, risk, and privacy executives to get the transparency they need to make good decisions or validate the efficacy of their cyber defenses.

What we need is a unified view of the entire code ecosystem: pipelines, repositories, coding environments, how they’re all being utilized, and by whom. Something that integrates seamlessly into the fabric of our organizations, including all the tools developers use from planning to production. Until now, this was wishful thinking.

But with the emergence of ASPM, security teams (for the first time ever!) get code-to-cloud visibility across tooling, processes, and operational environments like cloud platforms, containers, and physical infrastructure. The result? A true risk picture and a complete decision support capability.

In a recent article, Cycode demonstrated a clear understanding of just how important this is. “Complete” ASPM platforms will offer a full suite of native application security scanning tools including SCA, SAST, Secrets Scanning, CI/CD Security, and IaC scanning…and connectors that allow organizations to integrate with third-party tools. It’s a game-changer.

Lesson #2: The key to delivering security as a component of quality is moving swiftly from insight-to-action

Security is an integral component of delivering high-quality applications. But too often, developers lack the tools and processes needed to move effectively from insight to remediation, are inundated with alerts, and paralyzed by information overload. Even when they are given tools, they’re generally not developer-friendly or built for the way they work. That automatically puts security teams at a deficit when it comes to engaging the development organization as a key partner. 

As security leaders, we must prioritize the developer experience and work together to build secure applications. To empower developers to take ownership of security alongside quality, technology must do more than just detect threats. The ideal tool will:

  • Automatically prioritize threats
  • Offer relevant information into the totality of the risk 
  • Integrate with existing workflows
  • Minimize disruption to development processes 
  • Incentivize developers

With the introduction of ASPM, this is now a reality. 

Platforms pull in risk information from every part of the infrastructure and technology stack the code lives in, and automatically prioritize vulnerabilities on factors such as business impact, severity, proximity to production, and whether the affected code is actually running in production. This information helps developers act with confidence and make the best remediation decisions in the moment. The result? Less noise. Fewer false positives. Faster remediation. And better decision support for executives.
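To make the prioritization idea concrete, here is an added example (not Cycode’s code, nor any ASPM product’s actual scoring algorithm) of what “context is king” and “insight-to-action” look like in practice: findings from several scanners are merged, duplicates reported by more than one tool are collapsed, and each finding is ranked by its base severity adjusted for the deployment context of the service it belongs to. The tool names, context fields, weights, and sample findings are all assumptions constructed for illustration.

```python
"""Context-aware prioritization of application-security findings.

Added example, not code from the original article or from any ASPM vendor.
Field names, weights and sample data are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    tool: str       # assumed scanner family: "sast", "sca", "secrets", "iac"
    service: str    # deployable unit the code belongs to
    location: str   # file path or package coordinate
    rule: str       # scanner rule id or advisory id (placeholders below)
    severity: str   # "critical" | "high" | "medium" | "low"


@dataclass(frozen=True)
class ServiceContext:
    in_production: bool         # code is deployed, not a feature branch
    internet_exposed: bool      # reachable from outside the network
    handles_pii: bool           # privacy / regulatory impact
    vuln_code_reachable: bool   # for SCA: is the vulnerable function called?


SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Collapse the same issue reported by several tools into one record,
    keeping the highest severity any tool assigned."""
    merged: Dict[Tuple[str, str, str], Finding] = {}
    for f in findings:
        key = (f.service, f.location, f.rule)
        cur = merged.get(key)
        if cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
            merged[key] = f
    return list(merged.values())


def contextual_score(f: Finding, ctx: ServiceContext) -> float:
    """Base severity adjusted by where the code runs (weights are assumptions)."""
    score = SEVERITY_BASE[f.severity]
    if not ctx.in_production:
        score *= 0.5            # not deployed: real exposure is much lower
    if ctx.internet_exposed:
        score += 2.0            # attackable without an internal foothold
    if ctx.handles_pii:
        score += 1.0            # breach carries privacy / regulatory cost
    if f.tool == "sca" and not ctx.vuln_code_reachable:
        score *= 0.25           # vulnerable dependency, but the path is never called
    if f.tool == "secrets":
        score = max(score, 8.0)  # a live credential is usable regardless of code path
    return round(score, 2)


def prioritize(findings: List[Finding],
               contexts: Dict[str, ServiceContext]) -> List[Tuple[float, Finding]]:
    """Deduplicate, score in context, and return findings highest risk first."""
    ranked = [(contextual_score(f, contexts[f.service]), f) for f in dedupe(findings)]
    ranked.sort(key=lambda t: (-t[0], t[1].service, t[1].location, t[1].rule))
    return ranked


# Constructed sample data: service contexts an ASPM platform would pull from
# deployment, cloud and reachability tooling (all values are made up).
SAMPLE_CONTEXTS = {
    "checkout-api": ServiceContext(True, True, True, True),
    "internal-reporting": ServiceContext(True, False, False, False),
    "feature-branch-demo": ServiceContext(False, False, False, True),
}

# Constructed sample findings; "example-advisory-*" are placeholder ids, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("sca", "checkout-api", "pkg:npm/example-lib@1.2.3", "example-advisory-1", "high"),
    Finding("sast", "checkout-api", "src/order.js:42", "sql-injection", "high"),
    Finding("sast", "checkout-api", "src/order.js:42", "sql-injection", "critical"),  # same issue, second tool
    Finding("sca", "internal-reporting", "pkg:pypi/example-pkg@5.3", "example-advisory-2", "critical"),
    Finding("secrets", "internal-reporting", "config/settings.py", "aws-access-key", "medium"),
    Finding("sast", "feature-branch-demo", "app/upload.py:10", "path-traversal", "critical"),
]


if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXTS):
        print(f"{score:5.2f}  {f.severity:8s} {f.tool:7s} {f.service}: {f.location} ({f.rule})")
```

Run as a script and the ordering shows the point of the lesson: the “critical” SCA finding in the internal reporting service drops to the bottom because the vulnerable code path is never called and the service is not internet-facing, while a “medium” leaked AWS key in the same service ranks above a “critical” SAST finding that only exists on an undeployed branch. The raw severity a single tool emits is rarely the right ordering on its own.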

Lesson #3: Cyber and business resilience rely on closing the cybersecurity communication gap

CISOs have to work with other C-level executives to ensure security and business resilience. But distilling complex technical information, communicating the efficacy of our security measures, and articulating the need for additional resources is not easy.

CEOs in particular juggle an ocean of information, making it essential that the metrics and information we share are not only relevant, but also easily digestible.

This is an especially challenging task when it comes to application security. Given its inherently technical nature and pervasive impact across the entire organization, many security leaders — including myself historically! — struggle to bridge the communication gap. This is where products with executive dashboards come in. 

The best dashboards act as a Mission Control for the C-suite. They visualize the success of an organization’s AppSec program through a centralized view of security insights, prioritized risk, and the adoption of secure practices across teams.

The bottom line? ASPM represents an exciting and much-needed evolution of traditional Application Security, and is a must-have for organizations that are trying to keep pace with digital transformation, maintain the integrity of code, and combat tool sprawl. 

And I’m not the only one who thinks so. I recently joined other security leaders to explore this new category in more detail at ASPM Nation.