Security is no longer just about confidentiality, integrity, and availability - reactively defending your company. Security professionals need to take a more proactive approach to complete organisational security and a broader view towards improving business value through best-of-class security practices. Pritesh Parekh, VP & CSO for Zuora outlines the seven key considerations for building out a comprehensive security program.
Whether you offer a free or paid service, to 100 or 10 million customers, consumers rightly have an expectation of security. In order to ensure that you’re satisfying your security obligations as a business, you need to build out a complete security program in full consideration of the following seven key factors.
1. 360-degree view of your security program. An effective security program must include people, process, and technology across the entire organisation. To develop a well-rounded security program, you start by defining pillars of protection and building a consistent set of policies and procedures across all pillars. For a mid-sized company, you might define the following four pillars:
- ●Infrastructure security pillar. This pillar is all of the systems and network that run your internal and external products and services. This should include security of your software defined networks, your virtual instances that are running the cloud, the network devices that you're running, etc.
- ●Product security. As you're building your product and your services, you need to improve security as part of the product life cycle. Examples include security of your core and continuously testing your product and services.
- ●Corporate and personnel security. This is the security of your business processes, business application, endpoints, and employee security awareness.
- ●Compliance and privacy. These are the laws, regulations, and industry compliance requirements with which you need to comply.
For all security pillars, there is a common set of global policies and procedures and risk management and governance framework. The goal is to build strong trust within your organisation and with your customers and partners.
2. Understand compliance obligations. Compliance requirements can impact on how you deliver services to your customers. For example, if you offer your services in Europe and collect personal information of EU citizens, you need to understand the new Privacy Shield. Once you understand your compliance obligations, you can incorporate these requirements into your security program and also embed these requirements into your product life cycle. Continuous monitoring of your security controls using automation is going to be the key in maintaining your security program, your compliance requirements, and scaling your program.
3. Simplify your security stack. In the last few years, companies have become very cautious in terms of security, investing a lot in security by adding many security tools and technologies to their stack. The challenge now is that security stacks have become overloaded.
For example, look at the Target compromise that happened a couple of years back during which Target said that they were alerted to the intrusion, but the alert was buried beneath thousands of other alerts, preventing them from seeing it and responding in a timely fashion. Be extremely selective when adding tools and technology in order to keep your stack as simple as possible. When you do add new security tools and technology, make sure they're effective, adding value to your secondary program -- and make sure these tools are fine tuned, tested, and optimized to minimize the false positive.
4. Continuous security and monitoring. Companies have moved to an agile rapid development and deployment life cycle, adopting a DevOps practice wherein the development and operations team work in collaboration to rapidly release product or services -- in many cases, releasing products and services as often as several times a day. In this environment, the traditional gatekeeper approach to security can no longer scale.
Instead, security needs to be embedded in every step of the product life cycle. Developers, architects, and product managers, should be trained in security best practices and equipped with the right set of security tools and technology to make security decisions. Automation is going to be key for continuous integration of security within the release process.
5. Culture of security. Security needs to be embedded as part of your corporate culture, including frequent targeted training depending that is role dependent -- in other words, a developer should receive different training than a marketing team member. Security should be very visible to all employees so that everyone feels like security is their responsibility. Because the threat landscape is so rapidly changing, security training has to be a continuous engagement, not merely an annual training. I recommend conducting regular phishing tests and other social engineering tests to see how employees respond in real-life situations. You can then use the results of these tests to feed back into your security training program.
6. Prioritise proactive hunting. The goal is to find security flaws before hackers do. Perform continuous security testing from your infrastructure to your endpoints. Make sure all your information assets are in scope for testing and engage skilled third-party testers to perform comprehensive code reviews and security testing for all services. Manage and prioritise security remediation efforts using a risk-based approach. If you find a security flaw, use this as feedback for developer training.
7. Breach and incident response plan. Sometimes, even when you’ve done all the right things and followed all the right steps, there may still be a data breach. During a data breach there is a lot of stress and some teams may panic. To prepare, you need to have a breach preparedness playbook that has a step-by-step guide for data breach response. This playbook should be tested and all stakeholders should be trained on how to respond. Also consider having retainers with third-party forensic consultants who can provide additional support.
I hope what I’ve conveyed here is that security should never be an afterthought, or a stand-alone discipline. Your security program can’t be developed in a vacuum. To develop a truly successful security program, you need to inject security awareness and processes and procedures into every aspect of your business - and likewise need to encourage outside-in feedback throughout the organisation in order to continuously strengthen your security program. In this way, security isn’t an add-on but an actual driving function of your organisation.