The Biggest Risk to Application Security May be the Business

I would like to present as Exhibit A, this snippet culled from a 2018 survey on security:1

“Almost half of the business management team (48 percent) believes that app performance and speed are more important than security, whereas 56 percent of IT management ranked performance and security as equally important. 65 percent of companies say they would be spurred to increase application protection measures only after an end user or customer were negatively affected.”

Go ahead, read that again. In just a few data points, the trope proves itself valid.

What this says is that more than half of companies rely on a reactive security strategy. That is, security is a low priority until something happens to make it a higher priority. They react to incidents, but they don’t necessarily prepare for them.

News flash: by the time a customer is negatively affected, it’s too late to do much about it. The data is already exfiltrated. Customers are already infected. And the Tweeters have spontaneously generated a hashtag just for you. This is why we promote a proactive approach to security. While we recognize the value of reactive options (hybrid DDoS strategies, for example), when it comes to data and the applications through which it is managed, you need to be thinking ahead and preparing for the inevitable attack.

The misguided prioritizer, then, is a significant threat to application security, because the tendency to trade security for speed (of operations and of app performance) remains an existential one.

The dissonance between IT and business management is problematic. IT is still beholden to the business, and budgets are based in part on the bottom line. No profit? No purchasing. Apps are “owned” by business stakeholders, and it is the business that winds up determining priorities. Even if IT has put an emphasis on security, that emphasis can be overridden by a business stakeholder. To be fair, the misguided prioritizer is constrained by budget, too. Which makes this all the more frustrating. With limited operational and financial resources, business stakeholders make decisions based on their priorities—of which security often ranks fairly low.

From the same article:

“Only 25 percent of respondents say their organization is making a significant investment in solutions to prevent application attacks despite awareness of the negative impact of malicious activity (decreased productivity, decline in revenues, lost customers).”

This despite data (not studies, but real-time, actual data) showing a steady increase in attack activity at the application layer. For example, El Reg reported2 on a CloudFlare blog post in which the cloud-based provider says it has seen “that OSI layer 7 attacks that usually appear at a rate of around 160 per day are now sprouting at rates of up to 1,000 a day.”

The risk is real, the threat existential, the trope valid. As attackers shift their attention to the soft underbelly of the Internet, applications, the biggest threat to application security might just be the business.

Prioritize wisely.


