
When We Are Told That API Security Investments Will Affect Profitability


It's cheaper and easier to invest in API security now than it will be after your company has been hacked and its data has been taken.


I was listening to Mark Zuckerberg talk about how security investments will affect the platform's profitability on the Facebook earnings call this last week. This line of thinking sounds pretty consistent with what I'm hearing from other folks when it comes to why they haven't been investing more in their API security. My challenge to this line of thought is that it is only about shutting down proactive security investment and says nothing about responsive security investment, meaning the spending that comes after you've had a breach, or when some other security investment becomes unavoidable. From a leadership perspective, this view of security just doesn't do it for me. I'd push back and require that we also consider what profitability will look like if we do not invest properly in security.

Viewing security in this way is common. It is also a short-sighted view of security, one that favors profits today over the health of the platform down the road. It demonstrates that leadership is more focused on profits than on whatever the platform is actually doing. I would add that this line of thinking reflects a leadership perspective that is out of sync with the technical details of operating a platform and with the current threat landscape. I get that a company has to be profitable and that it is the job of the CEO to represent the investors, but after Equifax and the many other breaches, as well as what I'm seeing on the ground at the companies I'm talking to, it is pretty clear that things are out of whack when it comes to overall security investment.

I work with a lot of folks who want to invest more in API security, but they just don't have the resources. I've been in leadership roles where my hands were tied when it came to decisions around infrastructure needed to deliver on PCI and other compliance requirements, as well as to hire security-focused talent. This type of thinking about security practices tends to make investors and other leadership happy, but it is corrosive to the actual health of operations. This shouldn't be a choice between profits and security; it should be about doing what is needed for security, and then assessing how that impacts the bottom line. Security shouldn't be polarized like this, and the assessment should account for proactive as well as responsive costs and practices.

This isn't a story about the technology of API security; it is a story about the politics of API security. This type of response and tone from leadership is something the majority of my readers will experience when trying to grow their API security efforts. Investment in API security will continue to be a challenge for most companies, organizations, institutions, and government agencies in the coming years. As I do with other stops along the API lifecycle, I'm going to spend more time developing stories to push back on leadership, stories about investments in security. My goal is to have a toolbox of examples to help educate the people making security investment decisions, showing them that investment in API security now will pay off later and cost a lot less than investment in API security after the fact.


Published at DZone with permission of
