You understand that security isn’t a choice, it’s a must-have. But how do you convince executives that the investment is worthwhile?
A single data breach can bring an organization to its knees. In 2021, the T-Mobile breach cost the company well over $350 million. And this isn’t an isolated incident. Countless other companies have had their reputations shattered and customer trust evaporated overnight due to security lapses.
But you probably already knew that. And, chances are, most of your colleagues have read some version of those stories. So why is it still so hard to get the higher-ups on board with cybersecurity investments? And how can you make a case for proactive mobile app security when revenue and growth dominate the conversation?
Think iOS apps are more secure than Android? We recently found that 93% of the top iOS apps were vulnerable to repackaging. Find out more in our webinar and use it to make a stronger case for mobile app security.
1. Frame mobile app security as a business enabler, not a cost
The first step is to reframe the conversation. Instead of positioning it as a box to check, explain how robust app security directly supports key business priorities. Use outcomes that matter to leadership — protecting customer data and privacy, building brand reputation and loyalty, speeding up app development, and achieving compliance.
Customers are more likely to stick with an organization that prioritizes their data protection and privacy, which ultimately contributes to the company’s bottom line.
2. Quantify risks and potential costs of an app security breach
“It won’t happen to me”. Some call it optimism. Others call it the illusion of control. Whatever it is, the result is the same — unpreparedness. So, how do you get through to executives with a habit of downplaying the risks? Make the risks more tangible.
Research organizations that are similar in size or market to yours and have experienced security breaches. Use these examples to illustrate the risks and make them more relatable. If you can’t find examples that really hit home, then consider sharing data on the frequency and cost of security incidents. Here are some ideas:
- 92% of companies experienced an application-related breach in 2022.
- The average cost of a data breach was $4.45 million in 2023. In the United States, this cost was even higher, amounting to $9.48 million.
- In the US, the FTC can fine up to $40k per violation.
Find out more about how to quantify your risks and calculate ROI using quantitative and qualitative measures in our recent post — Measuring the cost of insecure mobile apps.
3. Highlight industry standards and regulations
Compliance is a powerful motivator — after all, non-compliance comes with hefty fines! Of course, breaches also lead to higher churn, reputational harm, decreased employee productivity, and a host of other consequences we won’t get into now.
So map out the specific clauses and controls that outline security requirements. For example, GDPR Article 32 requires "pseudonymization and encryption of personal data" and "regular testing, assessing and evaluating" of security measures. PCI-DSS Requirement 6 calls for identifying and patching vulnerabilities, secure coding practices, change control procedures, developer training, and protecting web applications against known attacks.
By integrating app shielding measures like code obfuscation, data encryption, runtime application self-protection (RASP), etc. into your mobile app security strategy, you can achieve compliance a lot more efficiently.
4. Demonstrate alignment with existing security initiatives
When pitching your mobile app security plan to leadership, show how it complements and extends the company’s overall cybersecurity strategy and risk tolerance, starting with high-impact, low-effort initiatives. Emphasize that the longer you wait to invest in mobile app security, the more vulnerabilities will accumulate, and the costlier it will be to fix them.
If your company has a Zero Trust framework, app shielding aligns by securing the endpoint and continuously authenticating users. Invested in a mobile device management (MDM) solution? App shielding provides an additional layer of security beyond what MDM can enforce.
5. Showcase proactive mobile security measures
Now that you've established the “why,” present a clear plan for “how” to secure your mobile apps. Present the specific app shielding measures and technologies you'll use to prevent breaches and protect sensitive data. One key capability is obfuscation, which makes your app code harder to reverse engineer through renaming, control flow flattening, and dummy code injection.
Another critical feature is encryption, which protects sensitive info like API keys, tokens, and PII at rest and in transit. RASP is also a must-have, as it embeds security sensors directly into the app to detect and block threats like jailbroken or rooted devices, debugger attachment, and code injection in real time.
6. Partner with internal teams
Partner with internal teams to build buy-in, share resources, and amplify your message. Identify key stakeholders in every department and quantify the benefits in terms of their objectives.
For example, app shielding can be a competitive differentiator for your marketing team, attracting privacy-conscious users. Development teams can benefit from faster release cycles by integrating security into their workflow. Legal can ensure compliance with data privacy regulations and avoid costly violations.
7. Tailor your approach to different executives
- When presenting to the CFO, quantify the risks and potential incident costs. Demonstrate a positive return on security investment (ROSI) and how proactive security is an investment that more than pays for itself.
- For the CIO/CTO, stress exactly how the proposed solutions mitigate cyber threats, support the overall security architecture, enable innovation, and relieve developers.
- When you meet the CMO, reinforce the customer trust angle and share voice-of-the-customer data on how highly consumers value security. Explain how they can weave it into the brand's values and story.
Conclusion
Your executives have competing priorities and limited resources. Your job is to meet them where they are and show how mobile app security aligns with their goals. Consider what concerns them most and what they need from security to succeed.
Present a clear and persuasive case for investing in mobile app security, highlighting its role in building and maintaining customer trust. There will be follow-up questions and requests for a more detailed plan. Treat these discussions as an ongoing dialogue rather than a one-time pitch. As you gain initial buy-in, focus on quick wins and proving ongoing value. Execs will be more willing to invest further if they see progress and ROI from early initiatives.