Why APIs Should Be A C-Level Concern

What is your favorite API? I was asked this question about a year ago, and my first reaction was to respond, "API? Favorite? No idea." Then I thought about how much I dislike entering my credit card number on all of the sites where I do holiday and back-to-school shopping and how the familiar yellow and blue PayPal button at checkout always evokes such relief. I never thought about that cool feature as an API, yet I love that API!

Similarly, you probably don't instinctively think "API." Almost nobody does except the developers who are creating new unique digital experiences for their audiences. However, APIs are everywhere and are the connective tissue of the internet. In fact, in early 2019, they represented 83% of the total internet traffic. Next, they're poised to power the metaverse market, which is predicted to be worth $678.8 billion by 2030.

Some talk about the API economy, where APIs are hot commodities that developers can use to enrich their applications. They help make these applications seamless—just a few clicks away from task completion, a transaction or a project. They help these applications delight their users so that they return over and over again and spread the word to their families, friends and colleagues. APIs drive the development of the best digital interfaces to help organizations become ultra-competitive in their field. They're the backbone of an organization's digital business, as they bring connectivity between a company and its suppliers, customers, employees, investors and more. Today, APIs can catalyze both business innovation and customer convenience.

While APIs are growing exponentially, API management that helps design, test, run, control and secure them doesn't seem to be considered critical infrastructure. Engineering managers make these decisions with architects' and platform engineers' approval. Very few at the C-level are involved in this critical choice. Should this be different?

API security is rising to be the top attack vector.

Gartner Inc. predicted that by 2022, the number one attack vector would not be zero-day threats or identity but APIs due to their exponential growth and the fact that they are often unmanaged and limited through open-source software that has little to no embedded security. However, breaches like the one Optus fell victim to are not rare anymore, and hackers are ready to exploit weaknesses in API infrastructures that do not focus on encryption, authentication, authorization or secrets management.

Developers need tools to bring applications to market fast, and in their development process, they generally focus on ease of use, performance and openness. They do not focus on security unless required to. In 2020, 91% of organizations experienced an API security incident. Without the involvement of senior executives when it comes to deciding API management, this figure will continue to rise. CISOs need to ensure that API management emphasizes security so that the risk posture of the organization is improved.

API development and reuse is at the heart of developer productivity.

Developer productivity is not just a metric for heads of engineering; it drives better time to market, and better time to market drives more revenue. In 2020, 90% of developers (19.1 million developers) used APIs. In addition, 69% of them used third-party APIs. The numbers are not surprising and are driving more and more of a need for developer productivity around the use of APIs.

Most organizations are now software development companies racing to bring to market new products on the web or on mobile platforms. The task and focus of the developers is to build the best experience and best application in the shortest time frame. Developers are hired for their skill set in building the logical layer of the application, but that code needs to follow regulatory constraints that their industry is mandating—requiring developers to test their code and make sure it is secure. This means developers have to do these additional tasks on their own and repeat them each time they touch an API; otherwise, they have to submit their code to a centralized "check-in" team before they can release that code. In the first case, errors can increase the risk of a data breach. In the second case, time to market could take a significant hit.

For the sake of productivity, more chief digital officers and CIOs should be involved in ensuring their organization's API management is able to help add the governance step in the coding process, support testing and encourage the reuse of API design across an organization. Ensuring these goals are met could provide a significant improvement in developer productivity while enhancing security and compliance.

API gateways can make or break your web applications' availability.

Few predicted the exponential growth of APIs. Many experienced a fast adoption of Kubernetes and clusterization, helping speed up much of what is being developed. With more transactions, data sharing and collaboration happening digitally, performance and scalability have become some of the most critical items for many companies, big and small. Whether more customers embrace open banking (Statista predicts more than 130 million users of open banking worldwide by 2024) or shop on Black Friday online, applications need to keep up with the high volume of requests via reliance on APIs. More API requests equal more strain on the infrastructure, more chance for unwanted downtime and more risk to the organization top line—necessitating the need for those at the C-level in charge of revenue and customer-facing apps to be involved.

Having been in cybersecurity for many years, I know for certain that it's only a matter of time before CISOs start digging into how APIs are managed and secured internally. However, APIs are not just a risk for an organization's security posture; they are a great opportunity for businesses to be competitive in their industry. The onus is on the C-level executives responsible for the company top line to get involved and ensure they are managed properly.

First Published on Forbes.com on 11/11/2022