7 Keys to building an Enterprise Security Program

By Pritesh Parekh, VP & CSO for Zuora

Security is no longer just about confidentiality, integrity, and availability - reactively defending your company. Security professionals need to take a more proactive approach to complete organisational security and a broader view towards improving business value through best-of-class security practices. Pritesh Parekh, VP & CSO for Zuora outlines the seven key considerations for building out a comprehensive security program.

Whether you offer a free or paid service, to 100 or 10 million customers, consumers rightly have an expectation of security. In order to ensure that you’re satisfying your security obligations as a business, you need to build out a complete security program in full consideration of the following seven key factors.

1. 360-degree view of your security program. An effective security program must include people, process, and technology across the entire organisation. To develop a well-rounded security program, you start by defining pillars of protection and building a consistent set of policies and procedures across all pillars. For a mid-sized company, you might define the following four pillars:

  • Infrastructure security pillar. This pillar covers all of the systems and networks that run your internal and external products and services. It should include the security of your software-defined networks, the virtual instances you are running in the cloud, the network devices you operate, and so on.
  • Product security. As you build your products and services, you need to build security into the product life cycle. Examples include secure coding practices and continuous security testing of your products and services.
  • Corporate and personnel security. This is the security of your business processes, business applications, endpoints, and employee security awareness.
  • Compliance and privacy. These are the laws, regulations, and industry compliance requirements with which you need to comply.

For all security pillars, there is a common set of global policies and procedures and risk management and governance framework. The goal is to build strong trust within your organisation and with your customers and partners.

2. Understand compliance obligations. Compliance requirements can affect how you deliver services to your customers. For example, if you offer your services in Europe and collect personal information about EU citizens, you need to understand the EU-US Privacy Shield framework. Once you understand your compliance obligations, you can incorporate these requirements into your security program and also embed them into your product life cycle. Continuous, automated monitoring of your security controls is going to be the key to maintaining your security program, meeting your compliance requirements, and scaling the program.

3. Simplify your security stack. In the last few years, companies have become very cautious in terms of security, investing a lot in security by adding many security tools and technologies to their stack. The challenge now is that security stacks have become overloaded.

For example, look at the Target compromise from a couple of years back: Target said that it had been alerted to the intrusion, but the alert was buried beneath thousands of other alerts, so nobody saw it or responded in a timely fashion. Be extremely selective when adding tools and technology, in order to keep your stack as simple as possible. When you do add new security tools and technology, make sure they are effective and add value to your security program, and make sure they are fine tuned, tested, and optimised to minimise false positives. A tool that fires thousands of alerts nobody reads is not a control; the noise has to be suppressed or aggregated before the one alert that matters can be seen.
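The following is an added illustration of the tuning step, not code from the article or from Zuora: a small triage routine that suppresses known-noise alerts by explicit, documented rule, aggregates repeats of the same alert, and ranks what is left worst-first so that a single critical alert is not buried under thousands of low-severity ones. The alert line format, the suppression rule, the addresses and the sample feed are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed alert line format (not any real product's):
#   <ISO-8601 timestamp>|<severity>|<signature>|<source>|<destination>
def parse_alert(line):
    ts, sev, sig, src, dst = line.strip().split("|")
    sev = sev.lower()
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {sev!r} in {line!r}")
    return {"ts": datetime.fromisoformat(ts), "severity": sev,
            "sig": sig, "src": src, "dst": dst}

# Hypothetical suppression rules. Every field listed must match exactly, so a
# port scan from any *other* host still surfaces. Each rule carries its reason
# so the decision can be audited and revisited later.
SUPPRESSION_RULES = [
    {"name": "authorised-vuln-scanner", "src": "10.0.5.20", "sig": "PORT_SCAN",
     "reason": "scheduled scan from the security team's scanner"},
]

def matching_rule(alert, rules):
    """Return the name of the first rule that matches the alert, or None."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k not in ("name", "reason")}
        if all(alert.get(k) == v for k, v in fields.items()):
            return rule["name"]
    return None

def triage(lines, rules=SUPPRESSION_RULES):
    """Suppress, aggregate and rank raw alert lines.

    Returns (ranked_groups, suppressed_counts). Groups are keyed on
    (signature, source, destination) and ordered worst-first, so one
    critical alert outranks thousands of repeated low-severity ones.
    """
    groups = {}
    suppressed = defaultdict(int)
    for line in lines:
        alert = parse_alert(line)
        rule = matching_rule(alert, rules)
        if rule is not None:
            suppressed[rule] += 1
            continue
        key = (alert["sig"], alert["src"], alert["dst"])
        group = groups.get(key)
        if group is None:
            groups[key] = {"sig": alert["sig"], "src": alert["src"],
                           "dst": alert["dst"], "severity": alert["severity"],
                           "count": 1, "first_seen": alert["ts"],
                           "last_seen": alert["ts"]}
            continue
        group["count"] += 1
        group["first_seen"] = min(group["first_seen"], alert["ts"])
        group["last_seen"] = max(group["last_seen"], alert["ts"])
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[group["severity"]]:
            group["severity"] = alert["severity"]   # keep the worst severity seen
    ranked = sorted(groups.values(),
                    key=lambda g: (SEVERITY_RANK[g["severity"]], g["count"]),
                    reverse=True)
    return ranked, dict(suppressed)

def build_sample_feed():
    """Constructed feed: one critical alert buried in thousands of noise lines."""
    base = datetime(2016, 6, 1, 9, 0, 0)
    lines = []
    for i in range(3000):   # the authorised scanner sweeping internal hosts
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|low|PORT_SCAN|10.0.5.20|10.0.{i % 8}.{i % 250 + 1}")
    for i in range(60):     # brute-force attempts against one SSH host
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts}|medium|SSH_AUTH_FAIL|203.0.113.7|10.0.2.15")
    ts = (base + timedelta(minutes=25)).isoformat()
    lines.insert(1500, f"{ts}|critical|MALWARE_C2_BEACON|10.0.3.44|198.51.100.9")
    return lines

if __name__ == "__main__":
    ranked, suppressed = triage(build_sample_feed())
    print("suppressed:", suppressed)
    for g in ranked:
        print(f"{g['severity']:8} x{g['count']:<4} {g['sig']} "
              f"{g['src']} -> {g['dst']} ({g['first_seen']} .. {g['last_seen']})")
```

Run as a script it prints the suppression tally and two ranked groups: the beacon first, the sixty failed logins collapsed into one line after it. The design point is that suppression is by exact, documented match rather than by signature name alone; the same PORT_SCAN signature from an unlisted host is still shown, which is the case a blanket "ignore port scans" rule would hide.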

4. Continuous security and monitoring. Companies have moved to an agile, rapid development and deployment life cycle, adopting a DevOps practice in which the development and operations teams collaborate to release products and services quickly, in many cases several times a day. In this environment, the traditional gatekeeper approach to security can no longer scale.

Instead, security needs to be embedded in every step of the product life cycle. Developers, architects, and product managers should be trained in security best practices and equipped with the right security tools and technology to make security decisions themselves. Automation is going to be key to integrating security continuously into the release process: the checks have to run on every build, with a clear policy for what blocks a release and what has been knowingly accepted, or they will be skipped under delivery pressure.
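As an added example of what an automated release gate can look like, and not code from the article or from Zuora's pipeline: a policy check that a CI job would run after the scanners finish. It fails the build on any unexcepted finding at or above a severity threshold, honours only risk acceptances that are ticketed and have not expired, and treats a required scanner that produced no result as a failure rather than a pass. The policy, the scan output format, the finding identifiers, the exception register and the library names are all constructed for the example.

```python
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Hypothetical release policy: these scanners must have produced a result,
# and any unexcepted finding at or above this severity blocks the release.
POLICY = {
    "required_scans": {"sast", "dependency", "secrets"},
    "block_at_or_above": "high",
}

def evaluate_release(scan_results, exceptions, today, policy=POLICY):
    """Decide whether a build may ship.

    scan_results: {scanner: [finding, ...]}; a finding is a dict with
                  "id", "severity", "location" and "title".
    exceptions:   [{"id", "expires" (ISO date), "ticket", "approved_by"}, ...]
    today:        a date or an ISO date string.
    Returns (allowed, reasons); the gate is open only when reasons is empty.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    reasons = []
    # A scanner that did not run is a failure, not a clean result; otherwise a
    # broken or skipped pipeline stage quietly switches the gate off.
    missing = policy["required_scans"] - set(scan_results)
    if missing:
        reasons.append("required scan(s) did not run: " + ", ".join(sorted(missing)))
    exception_by_id = {e["id"]: e for e in exceptions}
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    for scanner, findings in scan_results.items():
        for f in findings:
            if SEVERITY_RANK[f["severity"]] < threshold:
                continue
            exc = exception_by_id.get(f["id"])
            if exc is not None and date.fromisoformat(exc["expires"]) >= today:
                continue  # ticketed, time-boxed risk acceptance still in force
            why = (f"exception {exc['ticket']} expired on {exc['expires']}"
                   if exc is not None else "no exception on file")
            reasons.append(f"{scanner}: {f['id']} ({f['severity']}) at "
                           f"{f['location']}: {f['title']}; {why}")
    return (not reasons), reasons

def build_sample():
    """Constructed scan output and exception register for one build."""
    results = {
        "sast": [{"id": "SAST-0042", "severity": "high",
                  "location": "api/billing.py:88",
                  "title": "SQL query built by string concatenation"}],
        "dependency": [{"id": "DEP-0215", "severity": "critical",
                        "location": "requirements.txt",
                        "title": "example-lib 1.2 has a published vulnerability"},
                       {"id": "DEP-0007", "severity": "low",
                        "location": "requirements.txt",
                        "title": "example-tool 0.9 is end of life"}],
        "secrets": [],
    }
    exceptions = [
        {"id": "SAST-0042", "expires": "2016-07-15", "ticket": "SEC-210",
         "approved_by": "appsec"},   # fix scheduled for the next sprint
        {"id": "DEP-0215", "expires": "2016-05-01", "ticket": "SEC-188",
         "approved_by": "appsec"},   # a "temporary" acceptance that lapsed
    ]
    return results, exceptions

if __name__ == "__main__":
    results, exceptions = build_sample()
    allowed, reasons = evaluate_release(results, exceptions, "2016-06-01")
    print("release allowed:", allowed)
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if allowed else 1)   # a non-zero exit fails the CI job
```

On the sample data the build is blocked for exactly one reason, the critical dependency finding whose exception lapsed a month earlier; the high SAST finding passes because its acceptance is still in force, and the low finding never counts. Expiry dates are the important design choice: an exception register without them turns every "we will fix it next sprint" into a permanent hole.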

5. Culture of security. Security needs to be embedded in your corporate culture, including frequent, targeted training that is role dependent; in other words, a developer should receive different training than a member of the marketing team. Security should be very visible to all employees so that everyone feels that security is their responsibility. Because the threat landscape changes so rapidly, security training has to be a continuous engagement, not merely an annual exercise. I recommend conducting regular phishing tests and other social engineering tests to see how employees respond in real-life situations. You can then feed the results of these tests back into your security training program.

6. Prioritise proactive hunting. The goal is to find security flaws before hackers do. Perform continuous security testing from your infrastructure to your endpoints. Make sure all your information assets are in scope for testing and engage skilled third-party testers to perform comprehensive code reviews and security testing for all services. Manage and prioritise security remediation efforts using a risk-based approach. If you find a security flaw, use this as feedback for developer training.

7. Breach and incident response plan. Sometimes, even when you’ve done all the right things and followed all the right steps, there may still be a data breach. During a data breach there is a lot of stress and some teams may panic. To prepare, you need to have a breach preparedness playbook that has a step-by-step guide for data breach response. This playbook should be tested and all stakeholders should be trained on how to respond. Also consider having retainers with third-party forensic consultants who can provide additional support.

I hope what I’ve conveyed here is that security should never be an afterthought, or a stand-alone discipline. Your security program can’t be developed in a vacuum. To develop a truly successful security program, you need to inject security awareness and processes and procedures into every aspect of your business - and likewise need to encourage outside-in feedback throughout the organisation in order to continuously strengthen your security program. In this way, security isn’t an add-on but an actual driving function of your organisation.
