Application security as a culture
How to counter agile adversaries
Your public-facing applications are a prime target for bad actors. They outnumber security teams and have countless hours to spend on breaching your applications, so a compromise is not a question. It’s a near certainty.
How can you counter these adversaries? The answer is to embed security into all company activities—from the front desk to the corner office—while understanding which applications are most critical to the business. We call this approach “application security as a culture.”
To assess your current security culture or begin investing in a new one, start with these two questions:
1. Who is responsible for security?
If the answer is “the security team” or “the CISO,” your organization may be poised for a breach or other incident. That’s because security is most effective when it’s baked into all processes—and the minds of all employees and suppliers.
To embed this culture, remember that security awareness is an ongoing journey. Start by investing in proper security training, modeling best practices at the highest levels of the organization, empowering all employees to operate securely, and holding third parties accountable for security.
Place special emphasis on application development teams, and consider appointing “champions” to liaise between security professionals and developers. To minimize risk in the development process, these security experts can advise on best practices for managing vulnerabilities. They can also interpret guidance from security teams into a language that developers can understand and act upon.
2. What is most important to your organization?
In addition to weaving security into all activities, keep in mind that not all public-facing applications will need the same level of scrutiny and protection, because they don’t have the same criticality.
The art of cybersecurity is about risk management, not risk elimination, so it’s important to determine which risks you can accept and which you can manage—based on your company’s strategy, operations, and mission-critical assets.
To prioritize your application security, consider the following as a starting point:
| Ask: | Examples: |
|---|---|
| Which applications does your business rely on to operate its core functions? |
|
| Which applications could, if breached, cause substantial brand or reputational damage, potentially landing your company on the news or in front of Congress? |
|
| Do you have applications that might at first glance seem unimportant, but are integrated with business-critical applications or systems? |
|
Progressive companies are focusing on application security as a culture, backed by a smart process for prioritizing and quantifying cyber risks. That’s how you can have confidence that you’re investing appropriately in security—and protecting your future in a volatile world.
How KPMG can help
KPMG offers end-to-end security testing as an outcome based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we can help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust.
Meet our team
