F5 Inc.

10/01/2024 | News release | Distributed by Public on 10/01/2024 05:17

State of Application Strategy: Who Should Drive Your API Security Strategy

There are at least three good answers and some not so good ones.

Strategy, particularly when it comes to technology, is often laid on the shoulders of executives. When it comes to security-related strategies, that's often the CISO or, if there is no such role, the CIO.

But some organizations delegate responsibility for driving API security strategies to other roles. Developers, SREs, and even network professionals might own the strategy for securing APIs today.

Perhaps that's because there's no real research into what the results of those decisions might be. There are, after all, good reasons for developers to drive an API security strategy, just as there are good reasons to lay that responsibility on everyone who might touch an API in some way, whether during development, testing, or production.

In our recent research digging into API security, we asked each of our respondents (all API security decision makers) which roles in their organization were responsible for driving API security strategy. We found a mix of responses, from developers to network professionals to cross-organizational approaches.

But we also asked for some nitty-gritty details about the types of security services organizations use to secure APIs. These are services like DDoS protection, access control, mTLS, and SSL. We used deployment of these services as a tangible representation of strategic execution because they are some of the controls needed to enforce policies derived from a security strategy. Then we looked at which of those services were deployed based on who drives API security strategy.

Quite frankly, we were stunned by the results.