
CISOs: Application security programs need improvements

There are two hot topics chief information security officers (CISOs) need to address in order to be successful nowadays. First, reexamine your enterprise's application security program. Second, speak in a language that stakeholders understand.

That's the advice Renee Guttmann offered when she sat down with SearchSecurity at RSA Conference 2015. Guttmann was vice president of the Office of the CISO at Accuvant Inc. at the time of publication and is the current CISO at Royal Caribbean Cruise Lines.

First, application security programs.

So much has changed in the way of application security, and Guttmann -- who has seen and spoken with a lot of companies -- said things need to change to keep applications secure.

"I believe we've got to rethink how we do software testing," Guttmann said. "I say that because when I talk to companies, there are a lot of people that think of software testing as website testing. And we've seen that it's not just our websites -- we've been compromised by other systems -- so we have to expand how we do software testing to the larger ecosystem."

Another problem plaguing enterprises when it comes to application security programs is the cloud.

"We have to make sure if we're moving [an application] to the cloud -- if [it] was in the data center and it was sitting behind a Web application firewall and we stick that application in the cloud -- what are the new parameters that are going to protect it?"

Other mission-critical applications -- such as ERP systems -- must also receive the proper security treatment, Guttmann said.

The second area of success involves communicating with stakeholders.

Guttmann shared a story about an e-commerce website she worked on years ago; she helped the company experience an "aha!" moment, one where it finally realized that information security could help protect not only the program used, but also the business -- all without hurting profits.

How did Guttmann get it done? She spoke in a language they understand and remembered to always "tell them a story that makes sense," she said.
