When We Are Told That API Security Investments Will Affect Profitability

I was listening to Mark Zuckerberg talk about how security investments will affect the platform's profitability on the Facebook earnings call this last week. This line of thinking sounds pretty consistent with what I'm hearing from other folks when it comes to why they haven't been investing more in their API security. My challenge with this line of thought is that it is about shutting down proactive security investments, and does not speak to responsive security investments, meaning the spending that happens after you've had a breach, or when some other security event forces the investment. From a leadership perspective this view of security just doesn't do it for me, and I'd push back, requiring that it consider what profitability will look like if we do not invest properly in security.

Viewing security in this way is common. It is also a short-sighted view of security, favoring profits today over the health of the platform down the road. It demonstrates that leadership is more focused on profits than on whatever the platform is actually doing. I would add that I think this line of thinking reflects a perspective of leadership that is out of sync with the technical details of operating a platform, and with the current threat landscape. I get that a company has to be profitable, and that the job of the CEO is to represent the investors, but after Equifax, and the many other breaches, as well as what I'm seeing on the ground at companies I'm talking to, it is pretty clear that things are out of whack when it comes to overall security investment.

I work with a lot of folks who want to invest more in API security, but they just don't have the resources. I've been in leadership roles where I've had my hands tied when it came to decisions around infrastructure to deliver on PCI and other compliance requirements, as well as being able to hire security-focused talent. This type of thinking regarding security practices tends to make investors and other leadership happy, but it is corrosive to the actual health of operations. This stuff shouldn't be about profits versus security; it should be about doing what is needed for security, then making assessments regarding how that impacts the bottom line. Security shouldn't be polarized like this, and it should reflect proactive as well as responsive costs and practices.

This isn't a story about the technology of API security; it is a story about the politics of API security. This type of response and tone from leadership is something that the majority of my readers will experience when trying to grow their API security efforts. Investment in API security will continue to be a challenge for most companies, organizations, institutions, and government agencies in the coming years. As I do with other stops along the API life cycle, I'm going to spend more time developing stories to push back on the stories leadership tells about investments in security. My goal is to have a toolbox of examples to help educate the people making security investment decisions that investment in API security now will pay off later, and will cost a lot less than investment in API security after the fact.