Role: The Backbone
For executive leadership: here's how to safely delegate and still support your application security initiative.
As an executive leader of your company, you are ultimately accountable for application security. I know that. You know that. This deep dive on the Backbone role clarifies what you can safely delegate and where your team needs your support.
Who is the Backbone?
The Backbone is one of six roles within the AppSec Ownership Model and refers to:
Everyone steering the company at the highest level.
This includes:
Any C-suite roles
CISOs
This is not an exhaustive list. Within the model, these roles are grouped together because, from an AppSec point of view, their contribution and accountability are very similar.
What AppSec domains does the Backbone own?
As the Backbone, you need to focus on two AppSec domains:
Security Strategy | Own strategic direction, ensure alignment with business goals, and make final decisions on investment and risk.
Security Culture | Lead by example and embed security into organizational values.
You will need to find an AppSec lead to own your AppSec initiative at an operational level. They should be enabled and trusted to develop a solid security strategy, but the final decision is yours.
In addition, you must take AppSec seriously yourself; otherwise, your AppSec lead has no chance to shape and nurture a good security culture.
Now that you see the bigger picture, let’s make accountability explicit.
What is the Backbone accountable for?
Here’s what you can hold yourself accountable for:
Approving the overall security strategy and investment decisions.
Supporting the AppSec lead with clear mandate and organizational backing.
Ensuring that security priorities are reflected in business planning and governance.
Leading by example and reinforcing security culture through visible commitment.
Taking responsibility for accepted risk at the organizational level.
What should the Backbone delegate?
Here’s what you should delegate:
Defining technical security standards or tooling.
Managing day-to-day application security execution.
Performing reviews, risk ratings, or technical assessments.
Communicating directly with product teams on implementation details.
Who does the Backbone work with?
As the Backbone, there are only two roles you need to work with regularly:
Owner (e.g., AppSec lead) | For strategic alignment and decision preparation.
Gatekeeper (e.g., project leaders) | For prioritization and risk visibility within projects.
You may also work with your security champions (Advocate) indirectly by enabling a culture that values their contributions.
The Backbone is one of six roles within the AppSec Ownership Model, which defines clear accountability for everyone involved in developing secure software.