How To Convince Your Leadership That API Security Should Be A Priority

By Ali Cameron

As a security leader, you know that APIs play a big role in expanding your company’s attack surface. With no set standards for creating them, massive adoption, and bad actors’ commitment to running low-and-slow attacks, APIs have become major points of vulnerability for companies actively participating in the API economy.

This threat isn’t going anywhere — in December of 2022, Salt Security found API attacks were up 400% compared to a few months prior. Despite this trend, less than 50% of companies are discussing the security of APIs at the executive level. This has to change.

If your C-suite is still lagging when it comes to prioritizing API security, here are three steps to help them understand the potential threat to the business from unprotected APIs and the value of implementing a robust API security strategy.

Step 1: Get on the same page as your executives

When you talk to your leaders, it’s important to remember that they care about different things than you do. As a security lead, you want to ensure you have all your bases covered and reduce the attack surface as much as possible. Meanwhile, your C-suite has other priorities. They make decisions based on what sets the business up for success to meet broader objectives around profit, market share, and growth.

To get on the same page, it’s important to bridge the divide and show them how API security supports those goals. These goals could include achieving a shorter time to market, increasing profits, or building customer trust and retention. If you can clearly identify how a comprehensive API security strategy can support these priorities, you’ll be better positioned to get leadership to advocate for it.

Step 2: Map the API security benefits to these leadership goals

More likely than not, your leadership team already understands the value of APIs — they help the business move faster, deliver a competitive advantage, and support innovation — but they have yet to connect the dots on how a secure API ecosystem is better for the business. You can start by aligning the benefits of API security with their business goals.

A comprehensive API security strategy protects your API ecosystem from a breach. This means that the business doesn’t have to suffer financial or reputational damage at the hands of bad actors.

API security makes it safer to leverage the true value of APIs. As such, your company will be able to fully take advantage of the benefits of APIs, thus accelerating time to market and better meeting the needs of customers.

A secure API ecosystem helps build trust with customers. Your customers want to know that their data is secure — so ensuring that your APIs are safe from attack will ensure you can deliver that guarantee, fostering customer trust and loyalty.

Step 3: Share the risks — and make them real for leadership

There are numerous stories of companies that have succumbed to cyber attacks and breaches that cost them millions of dollars. In fact, in 2022, IBM estimated that the global average cost of a data breach is $4.35 million — and that amount more than doubles to $9.44 million when you look at the United States. Depending on the size of your company, this amount could either bankrupt you or stagnate growth for a significant period of time. Either way, associating the risk with a dollar amount can be a good way of educating your leadership and getting them to pay attention to the need for API security.

Other useful data points could include recent stories of similarly sized companies that have suffered a breach via APIs and how that has impacted the organization. Plus, sharing reputable reports around the vulnerabilities posed by APIs and the value customers now place on security when evaluating digital products (both in the B2B and B2C spaces) can also clarify the value of API security for the C-suite.

Bonus step: Get an advocate on the executive team

If you know that one of your executives has shown an interest in security in the past or there’s a VP you’ve worked with often, talk to them first. It will help to have an ambassador in the room who speaks the same language as the rest of the C-suite and is willing to lend their own perspective to the conversation to help drive your point home.

Embedding a culture of security

Today, companies prioritizing security know that to be successful, they need to establish a culture of security within the organization. Where this can fall apart, however, is when leadership isn’t on board. As such, it’s vital that you have ongoing conversations with your C-suite about the current threats and what your business can do to mitigate them. Doing this regularly will ensure that they are thinking about security more consistently and that you won’t have an uphill battle when it comes time to protect your business against a new attack vector.

Ali Cameron

Ali Cameron is a content marketer who specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC, where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora.


