A CISO’s mandate is to empower the business to move forward on key growth initiatives and simultaneously reduce risk. To this end, they must continuously evaluate and weigh the security ramifications of many strategic initiatives, ultimately weighing the potential impact on a company’s:
By focusing on how their security infrastructure helps or hinders delivery on those three fronts, CISOs help drive business success. In today’s landscape, one new area has emerged that is integrally connected to all three of those company dynamics: the use of APIs to fuel innovation.
APIs are essential for companies to support their innovative and revenue-generating digital transformation initiatives. Open banking services, mobile and online services, digital information sharing apps, DoorDash, Uber, PayPal, Spotify, Netflix, Tesla – you name it – they all require APIs to function.
Companies are developing and pushing out APIs faster, and in larger quantities, than ever before. APIs allow companies to build and bring advanced services to market, opening up new avenues of business and revenue streams. Digitalization hastened this trend, and Covid accelerated its implementation. Companies had to quickly deploy remote services for workers and customers and build product integrations to support a myriad of devices – all of which demanded APIs. It’s no wonder that the public API hub Postman hit a record 20 million users earlier this year.
However, because APIs share highly sensitive data with customers, partners, and employees, they have also become a very attractive target for attackers. CISOs have recognized the risk.
According to a new study released by AimPoint Group, W2 Communications, and CISOs Connect, The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond, CISOs identified the following as their top IT components needing security improvement:
The faster a business can bring new services to market, the faster the benefits. For some companies (under Covid), speed to market meant the difference between keeping the business up and running versus shutting down operations. API usage ensured that organizations were open for business.
Businesses must always assess the value and the costs of either winning or losing the speed-to-market race. They must consider the obstacles that could prevent speed to market. In the case of APIs, security threats pose an enormous obstacle. They can slow down rollouts or – even worse – make them untenable.
By protecting APIs from exploitation, companies ensure their ability to drive speed to market, growth opportunities, and competitive advantage.
Speed to market is an important underlying factor that contributes to an organization’s competitive advantage. As industry front runners, businesses have an opportunity to gain the lion’s share of a market and its profits.
In financial services, competitive advantage is a critical business objective, and technology transformation is its core strategic component. FinTech companies have fueled customer expectations, and open banking is right behind them, offering unimaginable innovation and conveniences by easily linking mobile apps to banking accounts.
Banking and financial institutions must stay on the cutting edge of these services to compete and stay relevant. APIs power these capabilities and allow institutions to leapfrog ahead of the competition.
However, security threats and lack of regulatory adherence can compromise successful API implementation and result in costly fines. Businesses must ensure safe passage between the emerging applications and customers’ valuable financial data. APIs represent the access point to PII and other important data assets that attackers target for their own gain and to the detriment of the business.
Without brand reputation, companies lose their competitive advantage. Perhaps of all the areas of business risk, brand reputation is the largest and can have the longest-lasting impact. A positive brand reputation conveys integrity, exudes trust, and engenders customer loyalty.
APIs contribute to services that can enhance a brand’s reputation for being forward-thinking and customer-driven. However, if those APIs are breached, all that goodness dissipates in an instant, replaced by distrust, fear, and customer churn.
Yet the increasing and rapid deployment of APIs, combined with APIs’ unique business logic, makes securing them complex. Traditional security solutions, such as WAFs and API gateways, might work against basic attacks, but don’t protect against the increasing quantity and complexity of API attacks. Recent research shows that API attack traffic is growing at more than double the pace of overall API traffic.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure protection of their APIs. APIs support the interconnectivity of a company’s crown jewels – the essential and sensitive data that businesses require to deliver their digital goods and services.
Every company that is developing software has become an API-driven company. For API-driven companies, protecting those APIs is no longer a question – it’s simply the cost of doing business in a digitally transformed landscape. Without dedicated API security to protect these crucial connectivity tools, companies put everything at risk – speed to market, competitive advantage, and the brand itself.
Last but not least, CISOs must build a collaborative approach to API security. APIs touch all areas of the business. CISOs need to take an active role in educating teams about their API security initiatives and their importance in reducing the company’s risks. CISOs must provide the answers and insights that empower others to help meet security goals.
CISO after CISO will tell you that creating a strong, cross-functional “security-aware” culture continues to be their number one priority. To generate this security mindset, leaders must prioritize relationships, acknowledge everyone’s contribution to security, and continuously communicate the vital importance of security to achieve overall business objectives.
This article first appeared in Forbes as a Forbes Technology Council contribution.