Security from Zero: Practical Security for Busy People (Eric Higgins)

Author: Eric Higgins

Security from Zero
A Practical Guide to Security for Busy People

Written by Eric Higgins
Edited by Nate Murray

© 2020 Fullstack.io

All rights reserved. No portion of the book manuscript may be reproduced, stored in a retrieval system, or transmitted in any form or by any means beyond the number of purchased copies, except for a single backup or archival copy. The code may be used freely in your projects, commercial or otherwise.

The authors and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Published by newline
Contents

Book Revision ... 1
Join Our Discord Channel ... 1
Bug Reports ... 1
Be notified of updates via Twitter ... 1
We’d love to hear from you! ... 1
Introduction ... 1
What is Security? ... 2
Future-proof Security ... 3
Goals of this Book ... 4
Have No Fear, Everything Can Be Fixed ... 5
Kickstarting Your Security Program ... 6
When to Start Thinking About Security ... 6
Understanding and Identifying Risk ... 7
The stage of your company ... 8
Your Industry ... 9
Your Competition ... 9
Resources Available ... 10
Getting Buy-In and Support from Leadership ... 11
The Importance of Security Culture ... 14
Practices of a Healthy Security Culture ... 15
Fostering a Culture of Security ... 15
Simple Steps You Can Take Today ... 16
Your First Security Hire ... 18
The Skillset You’re Looking For ... 20
Relevant Experience ... 22
Setting Them Up For Success ... 24
Prioritizing the Work: Effort vs Impact ... 26
Level of Effort vs Level of Impact ... 26
Borrowing The Fibonacci Scale from Agile ... 28
Urgency and Importance: The Eisenhower Matrix ... 29
Turning off Easy Mode ... 30
Workload Management: Issue tracking ... 32
Keep a List ... 32
File a Ticket ... 33
Managing tickets ... 34
Ranking Issues ... 34
Removing Obstacles ... 35
Master list ... 37
For your eyes only ... 39
Your Data-Driven Security Program ... 41
Choosing and Collecting the Right Data ... 42
Metrics Aren’t Goals ... 42
Making Data-Driven Decisions ... 43
Making Your Data Presentable ... 44
Leveraging Security Frameworks & Questionnaires ... 53
Regulation and Compliance ... 60
Lessons from Security Frameworks ... 61
Keeping Up With New Rules ... 61
The Business Case ... 62
Ensuring On-Going Compliance ... 63
Tracking Vulnerabilities ... 64
CVE: Common Vulnerabilities and Exposures ... 65
Part of Your Workflow ... 65
Automate the Boring Stuff ... 66
Planning Your Security Budget ... 67
First Year ... 68
Example Budget Exercise ... 69
Anticipating Growth ... 71
Responding to Incidents ... 73
Elementary Schools Have Better Incident Response Than Your Company ... 74
What is Incident Response? ... 74
Goals ... 75
Non-Goals ... 75
Improvement Through Reflection with Post-Mortems ... 76
Practice, Practice, Practice ... 76
Continuously Adapt and Improve ... 77
Helpful Tips ... 77
Threat Modeling Exercises ... 78
Lightweight vs Heavyweight ... 79
A Lightweight Approach ... 80
Frequency ... 83
Other Threat Modeling Methodologies and Techniques ... 84
Effective Bug Bounty Programs ... 86
What is a Bug Bounty Program? ... 87
The Most Common Mistake ... 87
What are the benefits of a Bug Bounty Program? ... 88
What makes a Bug Bounty Program successful? ... 89
Competitor Comparison ... 90
Comparison of Bug Bounty Service Providers ... 90
Financial Analysis ... 91
Program Scope ... 93
Workflow Best Practices ... 93
Additional Advice ... 95
Security Audits & Penetration Tests ... 97
What’s a Security Audit? What’s a Penetration Test? ... 98
When Should I Get a Security Review? ... 99
Frequency and Schedule ... 100
Finding Reputable Researchers & Consultants ... 101
What About Automated Tools? ... 102
Defining Scope ... 102
Safe Handling Your Report ... 103
You Have the Report, Now What? ... 103
Least Privilege & Access Controls ... 104
Practicing the Principle of Least Privilege ... 105
Onboarding & Offboarding ... 105
Trust but Verify with Regular Reviews ... 105
Keep it Simple with Identity Management Software ... 106
Limiting Access with a VPN ... 107
Layered Security with Multi-Factor Authentication ... 108
Monitoring & Alerting ... 110
Smoke Alarms Detect Smoke, Not Fire ... 112
Logging: Your Software’s Paper Trail ... 112
Monitoring for Events and Anomalies ... 114
Event-Based Alerting ... 115
Modern Infrastructure: Centralized Monitoring for Decentralized Systems ... 116
Admin Interfaces & Audit Logs ... 117
Conclusion ... 118
Acknowledgements ... 119
Appendix ... 120
Responding to Incidents ... 120
Threat Modeling Exercises ... 120
Effective Bug Bounty Programs ... 121
Least Privilege & Access Control ... 121
Monitoring & Alerting ... 122
Changelog ... 123
Revision 7 (2020-04-17) ... 123
Revision 6 (2020-04-14) ... 123
Revision 5 (2020-04-10) ... 124
Book Revision

Revision 7 - 2020-04-17

Join Our Discord Channel

https://newline.co/discord/security

Bug Reports

If you’d like to report any bugs, typos, or suggestions just email us at: us@fullstack.io.

Be notified of updates via Twitter

If you’d like to be notified of updates to the book on Twitter, follow us at @fullstackio (https://twitter.com/fullstackio).

We’d love to hear from you!

Did you like the book? Did you find it helpful? We’d love to add your face to our list of testimonials on the website! Email us at: us@fullstack.io.
Introduction

I know where you’re coming from, dear reader. I know that your inbox is full, scores of people need your attention, you have thousands of things to do and hundreds of decisions to make. And that’s just today. I get it, I’ve been there, and I know what you’re going through. I want you to know that when I wrote this book, I didn’t just write it with you in mind, I wrote it for you and others like you.

Security is inversely proportional to convenience. When you’re starting a new company or trying to grow it, you’ll take any advantage you can get. That often means removing obstacles and trading off security so as to give your teams and your company the advantage of velocity. In the short term, this is perfectly reasonable and can be a smart business move. In the long term, it has diminishing returns at best.

Your personal experience with security may be colored by overzealous IT departments who rolled out strict measures with little or no notice, or whose inflexible policies led to interruptions and slowed productivity. It doesn’t have to be that way. In this book, I’ll explain some fundamental security measures that you can enable yourself and why they work, without the technical jargon or unnecessary formality.

The first thing to understand is that security isn’t a checkbox. It’s not something you can simply tack on and be done with. Security is more like exercise. You’re weaker and more vulnerable without it, and it seems hard: it seems like a lot of work and you’re just not sure if you have the time to do it, at least not yet, not today. I’m here to tell you that, just like exercise, security only seems hard. It seems hard because you don’t know when, where, or how to begin. It feels like extra work on top of what you already have to do because it’s not part of your routine. In this book, you’ll learn how to start, one step at a time, and how to incorporate it into the things that you already do so that it becomes routine. Slowly and strategically, you’ll build up a stronger defense and a routine of security that moves it from something you worry about to something you don’t even have to think about.

This is a book of strategy, not a technical book. I wrote this book for entrepreneurs, leaders, and team members who are busy and just need someone to tell them how to protect their investment. This book will tell you how to start a security program,
how to incorporate changes into the things that you already do so that they become routine, and how to use data and metrics to set goals and measure success. It’s not a deep-dive into the nitty-gritty details of network layering, system administration, or server hardening. This book won’t help you to earn any kind of security certification or badge of honor. Those are things that matter to other people. Instead, this book will help you do something much more useful and important: make meaningful changes that will protect your business against threats, and gain the peace of mind that comes from knowing the work you’re doing matters.

What is Security?

Security is a topic that’s both broad and deep. Similar to starting a new hobby, learning about security is very much like going down the rabbit hole, trying to navigate your way around and simultaneously feeling immersed, excited, and lost. This book discusses what can be broadly defined as “cybersecurity”, for which I’ll frequently use “security” as shorthand. Since the term is so overloaded, breaking it down further into smaller focus areas can help you to define roles and areas of responsibility. A few examples of these are:

Information Security refers to any information or data that is considered confidential, sensitive, or should only be made available to those authorized. Some examples include intellectual property, internal communications, logins and passwords, customer data, and financial records.

Infrastructure Security deals with the servers, networks, and systems used by an organization and its members. The responsibility for these is often closely aligned with a company’s IT department, but the lines begin to blur with cloud-based systems and services.

Product Security applies to a company’s software or hardware products and the ways in which they may create risk for the company or their customers if those products are abused, compromised, or have security bugs.

Operational Security covers the practices and protocols used by the members of an organization day to day. How a company treats sensitive information internally, plans new products and features, or responds to security-related bugs – these all relate to their operational security. A good example of poor operational security might be sharing credit card numbers, passwords, or other sensitive information over an insecure medium such as email, text, or chat.

Physical Security relates to the building or environment in which you’re working, or have some stake in. This covers building and room access, doors, RFID badge systems, security cameras, guards, and the like.

There can be plenty of overlap between some of these focus areas. Don’t worry – the point isn’t to define things too strictly. Instead, consider how your teams may need to collaborate and operate cross-functionally, leveraging their strengths to address various security concerns. This approach will help to distribute the work and responsibility more evenly in a way that’s inclusive and that fosters a culture of security, where everyone has the opportunity to contribute and move the needle.

Future-proof Security

I cannot foresee all the security challenges that your company will face, nor can I create a custom-tailored solution through a book. What I can do is share my experience and explain some common challenges, mistakes, and solutions that I’ve seen over the years. I’ll try to relate complex topics to you in layman’s terms instead of technical jargon, to bring you up to speed more quickly and help you to really grasp why they matter. Any products, software, or services I suggest won’t be exhaustive, as the technology continues to evolve at a rapid pace. Tooling will change, and technology will change, but many of the fundamental principles discussed in this book will remain valid for years to come.
Goals of this Book

The knowledge of the security industry spans decades, so there’s no shortage of books or information in the world. While it’s great to have all of that information available, the breadth and depth of it actually makes it harder to navigate and to know where to begin. Another challenge is that most of the knowledge is written for security experts, or people who are learning to become one. That creates a gap between the information and the folks who could use help, who would benefit from some expertise. This is what I want to clarify in this chapter: this book is not written for people already in the security industry. It won’t help you to become a security researcher, or be the be-all, end-all guide to security best-practices. This book leans heavily on my own experience working in the tech industry and focuses on the practical things that anyone can do to improve the security of their company.

The following lists some core goals of this book.

• Guide you through the rabbit hole of security in layman’s terms.
• Offer practical advice and explain why it matters.
• Follow the best of the best-practices that apply to most companies.
• Help readers to think about proactive measures instead of reactive.
• Demonstrate how to use data to make decisions.
• Explain the business advantages of working on security now.
• Measure your current practices as a baseline and set realistic goals you can measure.
• Focus on the common mistakes I’ve seen companies make and how to avoid them.
• Help you to build a custom-tailored security program that fits your budget and needs.
• Raise the baseline of security at start-ups and small businesses without going overboard.
• Avoid paying tens of thousands of dollars to consultants.

Have No Fear, Everything Can Be Fixed

Most of the marketing employed by the security industry tends to rely on a bit of fear-mongering. It’s easy to sell sensationalism – to say that “everything is broken” and cause a sense of alarm and hopelessness. The purpose of this book is not to impart fear, but knowledge. Informed individuals are less likely to panic when scary things happen. They’re more likely to understand what’s going on and how to respond appropriately. They’re more likely to prepare for and prevent disasters when they understand the real risks they might face. The purpose of this book is to inspire confidence in the reader and an understanding that, despite the overwhelming perception that everything is broken, the future is not doomed because everything can be fixed.
Kickstarting Your Security Program

When to Start Thinking About Security

Too often, it’s not until after a major security incident or data breach that an organization will realize their level of risk and make significant investments into a security program. Something will act as a catalyst that transforms everyone’s priorities. My hope for you, dear reader, is that it’s this book rather than an unexpected event in your workplace.

Besides reacting to a breach, there are several factors to consider when deciding if it’s time to think about security. You may need to start sooner if you operate in a heavily regulated industry, the data you collect is more sensitive than usual, or perhaps your company wants a competitive advantage. Generally, the purpose of security efforts is to mitigate or manage risk. So, to that end, you should first understand what your risks are.

Let’s consider a contrived example to put things in perspective. The software used to control passenger aircraft must rightfully undergo much more scrutiny than that of a flight simulator video game. The risks are significantly greater for real aircraft. That doesn’t mean that there is no risk for companies that make video games, however. If the game is connected to a player’s bank account for a subscription, or in-game upgrades, then that might motivate malicious actors to compromise those accounts. In these two scenarios, it should be obvious that the company writing software for passenger aircraft needs to put a higher priority on the security of their product, while the gaming company can afford to deal with it later as their risks increase.

Another important aspect to consider is your customers. Does your company have customers yet? You could spend a lot of time and effort building the most secure product and still have no customers and no income – at that point, what have you
accomplished? Conversely, most companies rightly spend most of their early stage acquiring customers and generating revenue. It’s only after you’ve gained enough customers to sustain your company and grow that you should begin to focus on mitigating risks with a security program. However, if the risks to your customers (their communications, work, financial or health records, or their lives) are sufficiently great, then it stands to reason that you should value the trust they’ve placed in your company and put in an equal amount of effort to protect them.

Understanding and Identifying Risk

Before the security risks to your organization can be identified or measured, let’s first define what we mean by “risk”. Generally, this means any potential threat to the assets that are most important to protect. For example, it could be the private information you store on behalf of or about your customers. If you operate in the financial space, it could be monetary assets, bank account information, or the ability to transfer funds. Or, it could be intellectual property, such as source code or other materials. It could even be as simple as your company’s reputation, which should not be discounted. Everyone at your company has worked tirelessly to make it successful, hoping to get featured in a major news publication like the New York Times. You don’t want that feature article to be about a major security breach, seriously damaging the customer trust that you’ve worked hard to earn and that is even more difficult to regain.

Now that we understand what risk means, the big question is: what are the most important assets for your company to protect? Depending on your role, you may not be the best person to answer this question. For example, if I were to ask this question of a database administrator, they would likely tell me that their database is the most important asset. That might be true from their perspective, but you’d get a very different answer if you asked the founders, CEO, or CFO. These members of the leadership team have a much more big-picture view of the state of the company and what’s most critically important to protect. Keep in mind that these critical assets, and the risks to them, will change over time. Maintaining an inventory of these will help you to align the goals and efforts of your security program as it matures with the company.
Very early stage companies may not yet have enough customers or data collected to present any substantial risk. That’s OK! Remember that this is just one aspect to consider when trying to decide if now is the right time to focus on security. Even if there is very little risk, the other factors may weigh more heavily in the decision-making process.

Once you’ve identified your company’s most important assets, then it’s time to think about realistic threats to them. For example, you can ask how big of a deal it would be if a database was deleted, the CEO’s laptop stolen, or documents or emails leaked. What you’re looking for is a very general, but plausible, worst-case scenario that can negatively impact the company. Again, document these findings so that you can use them to inform the decision-making process. The question of identifying risk is not about the probability or likelihood of an event happening – that’s a much more difficult question to answer and it typically requires a better understanding of the stage of your company, which we’ll discuss next.

The stage of your company

The stage of your company plays a pretty important role in answering the question of whether or not it’s the right time to focus on a security program. There are a few ways to think about this. The first is, if you are at such an early stage that you have almost no customers and every day feels like a grind just to make sure that the company is going to be in business the following week, then your focus should probably be on ensuring that the company stays viable rather than securing data that you may or may not have yet or building a robust security program. However, if your risks are outsized because of the industry you operate in or if you need a competitive advantage, then even very early stage companies can make a strong case for security.

If your company is further along, perhaps you’ve raised a Series A or have more than 100 employees, then it may still feel like it’s too early or that you don’t have enough time, but it could be exactly the right time. Especially if your company is planning on growing or hiring rapidly within the next year, you’ll have an advantage by setting those new employees up for success with some baseline device and account security steps.
It’s not uncommon for a company to proceed past the venture capital stage without ever putting a real focus on security best-practices. As I’ve discovered at many places that I’ve worked and with most of my clients, the feeling is often that security concerns have been ignored for too long.

Your Industry

The industry that your organization operates in plays perhaps one of the biggest roles in determining whether or not you should focus on a security program, especially if you’re in the very early stages of your company. For example, if you work at a healthcare company in the US that’s responsible for maintaining records for patients, then HIPAA compliance (the Health Insurance Portability and Accountability Act, which defines the regulatory standards for the use and disclosure of protected health information) will be critically important from the very beginning. Otherwise, nobody is going to trust your company enough to become a customer.

Another example is companies operating in the enterprise space or those targeting enterprise companies as customers. These companies tend to take security very seriously because their risks are very high. They might not trust you unless you can demonstrate some level of maturity in your security practices. Very often, their security teams will request to perform their own audit of your product before they will sign off on a contract. If you operate in the finance industry and you’re responsible for maintaining financial records or bank transactions for your customers – whether they are other banks or individuals – they will want to make sure that you are protecting their information. To wrap up with one final example, if you work with local, state, federal, or international government agencies, they can be particularly sensitive to compliance and security.

Your Competition

Another good reason to start your security program, even in the earlier stages of your company when it feels like it might be premature for anybody else, is simply
for the competitive advantage. If you operate in a space where all the competitors seem further along, have more customers, or have more customer trust, then offering the more secure product can help with sales. Typically, this can be a subjective statement, so to make it more objective, you can demonstrate more levels of standard compliance. Some examples include:

• PCI DSS: Payment Card Industry Data Security Standard. Information security standards for organizations which handle, process, or store credit card data.
• SOC 2: System and Organization Controls. From the American Institute of CPAs, an audit of a service organization’s security, availability, processing integrity, confidentiality, and privacy controls.
• ISO/IEC 27001: Information Security Management. Requirements and standards for an information security management system, and the secure management of financial information, intellectual property, employee details, and other sensitive assets.
• NIST SP: U.S. National Institute of Standards and Technology Special Publications. A series of cybersecurity guidelines, recommendations, technical specifications, and reports.
• FISMA: Federal Information Security Management Act. A comprehensive security framework to protect government information, operations, and assets against natural or man-made threats.

If your company can meet any of these compliance certifications before your competitors, then it will give your sales team something to show to potential customers. This is particularly compelling if you’re selling your product to other businesses, especially at the enterprise level.

Resources Available

One final consideration is simply understanding what resources are available. Depending on what your security needs are, the resources required could be engineering time to make changes or write security features, dedicated time to run
the program, audit systems and write policies, or money to hire consultants, start a bug bounty program, or purchase security software like password managers. It’s crucial to understand what resources you’ll need to accomplish your security goals, so take the time to acquire estimates that you can use to make your case. Some companies choose to be really scrappy, and that’s a valid approach. Anything you can do on a shoestring budget is often better than doing nothing.

Just to reiterate

I’ve given you a few examples of the things that you’ll need to think about when trying to determine whether or not you should start a security program. If you don’t have the answers to these questions, seek them out and document them so you can weigh the pros and cons. Every company is different, so each factor will carry a different weight – that’s normal. The goal is to find the answers to these questions and start the conversation. Hopefully you’ll come to the right conclusion based on the information available.

If, after weighing all these factors, you do decide that you have a compelling reason to start focusing on security, then the next step is to get buy-in and support from leadership at your company. They’re going to be the key decision-makers who can divert resources and give you the support you need to succeed. Security programs are most successful when you have leadership backing you up and making it clear that these efforts are important to the company and not just to you. That goes a long way when you start to assign work and ask teams for their help down the line. Remember, security programs aren’t the effort of just one person; they succeed through the cooperation of everyone working towards the same goal.

Getting Buy-In and Support from Leadership

Next I’d like to give you some advice on how to get buy-in and support from executive leadership. Essentially, these are the decision-makers at your organization who are responsible for dedicating resources towards your security goals. Getting their support is critical, not only to allocate the resources you’ll need, but also to amplify your message about the importance of security throughout the organization. The problem is that these people are very busy and are pulled in a lot of different directions. To make the best use of their time, here are the three questions they’ll want concise and compelling answers to:
• What problem do you want to solve?
• Why is it important (more important than other work)?
• What resources do you need to solve it (time, people, budget)?

Making the case for preventative security work can be challenging and is often met with resistance. Usually the missing pieces are the relevant metrics or facts which reinforce your understanding of the risks facing the company (e.g. what might be lost or damaged) and the urgency to do that work now. Some examples of this: You may notice some indication in your server logs that attackers are probing your systems. You may have already experienced a breach. You may be receiving a surge of unsolicited, low-quality security bug reports from unscrupulous researchers demanding payment.

Your argument will be more convincing if you can quantify these events into data. Doing so may help you to visually convey a trend — if these events are increasing, then it’s going to become a major problem for your company, if it isn’t already. These types of problems don’t go away on their own – they tend to get worse. The data may help you to realize and communicate the scale of the problem, which can decide whether it needs to be addressed immediately and what resources you’ll need to do so.

Another approach you can take is to talk to other people in your organization. Members of the sales and support teams are often quite helpful in this regard because they have a direct line of communication to the customers. They’re more likely to hear directly from existing and potential customers about their security concerns. This is especially true if your company sells to enterprise clients. As the sales team pursues larger corporate accounts, part of the contract negotiation will often include a security review by the security teams at the customer’s company. They’ll want to make sure that by signing up for this new service, they’re not creating the potential for their data to be breached. They’ll want some assurance that your company is taking security issues seriously. So, if your sales team is getting enough of these questions from potential clients, or they’re losing sales because security is not being taken seriously enough, then that can make a very compelling argument to executive leadership.

Once you’ve accumulated enough data to make a convincing argument that action should be taken towards improving your security, executive leadership should be convinced that this is something you should be working on. The next question
they’re going to ask is about resources — what do you need to solve this problem – so you should have an answer ready to go. Depending on how big they perceive the issue to be and how it balances with others that the company might face, you should expect this to be a negotiation. Be prepared to prioritize the work you’d like to do and make some tradeoffs. You should know what the bare-minimum work is and the resources required to actually get it done. This work should reflect the data you presented in your argument. For example, if customers refuse to buy your product or service because it doesn’t offer Multi-Factor Authentication or Single Sign-On, then those may be the core features that need to be added. Or, if your support and engineering teams are constantly being interrupted by security-related reports, then it may be time to start a bug bounty program. Whatever the actual work is, it’s important that you understand it well and have a discussion with the team(s) who will be responsible for implementing it, so that you can answer these questions with confidence.