This article was originally published on LinkedIn.
"We hire great people" is something we all hear companies regularly communicate.
How do you feel about a hypothetical company that believes the risk of an information security breach is low largely because they hire good people? In other words, their information security strategy is to hire good people and trust them individually to do the right thing. Maybe they even sign a paper pinky swearing they'll always do what's right.
Let's say this hypothetical company houses some of the most sensitive data about you and your family or company that exists. Your information is passed around via email or attachments inside and outside the company. Information is even passed between teammates via chat tools sometimes. Said information is also accessible, editable and exchangeable between partner/vendor companies in the background. This data is unencrypted when stored (at rest) and when passed around (in transit).
Do you know about companies like this? Is this your company? Is a company like this minding your personal data?
While information security is everyone's responsibility, it is first the responsibility of the company itself. Hiring great people does not alleviate, or defer, the responsibility an organization has to be compliant with information security policies, legislation and industry best practices. If we can't trust a company to do the right thing, why would we value their brand?
"Security first" or "security by design" is a choice. And it must first be the choice of the governing board and company leadership before it will become a reality for employees, partners and vendors. If it is not a top-down, constantly communicated, verifiable expectation, it does not exist.
When initiatives start at the bottom of the company, they risk dying out due to lack of energy, resources, and attention. Sometimes they risk actually burning up the people trying to get the changes implemented as hope turns into apathy. It is the proverbial "fight against the man."
As a Board or Senior Leadership of a company, what is important to you is important to the company. If it isn't, that is a different problem altogether.
For a company to become a security-first focused organization, the declaration of importance, direction, and expected actions must come from Senior Leadership first.
"Folks, effective immediately, we will put security, privacy, and compliance first in our daily operations. This means with every product, service, interaction, and communication, internally and externally, we will consider what must be secured, how it must be secured and under what conditions we must secure it – data, systems, teams, company and client interests inclusive. It is not a task to accomplish and be done. This must be our DNA. It must be our daily lifestyle. And it will take time to get to a proper baseline of competency and time to maintain, evolve and increase it.
From this day forward there will exist training expectations that must be pursued and accomplished monthly, quarterly and annually. Look for them in your Learning Management System (LMS) assignments. All roles, titles, and capacities. No exceptions. Me included.
And from this day forward you will see our CISO take a more prominent role in defining our pursuits, our strategies and validation of our compliance readiness. We as a leadership team choose to proactively educate our teams, protect our assets and behave in a manner expected by our Founders and those who have come before us to build this great company.
Thank you for your commitment to being the best."
Top-down declarations become realities.
Information Security / Regulatory Compliance is a career. And there is a shortage of people who do this type of work. Find them. Hire them. Leverage them. Knowing what you must align to will save you money. Knowing what you need not align to will also save you money.
There are quick determinants that flesh out directions, follow-up actions, and investment. The road will be neither short nor easy, but this list will help point you toward what matters, when it matters and to what extent.
You may discover your information security folks want impenetrable castle walls, which eventually mean your employees are unable to use the bathroom in the name of security. An extreme.
You may also discover your engineers want the freedom to use anything at any time for any reason in the name of innovation, digital transformation or being competitive. Probable.
And your business unit leaders? You're expecting them to grow the business, delight the industry and client base. They want to do whatever is necessary and appropriate to meet the goals expected of them as well.
Security, innovation and growth are not mutually exclusive. They must be collaborative and it will require constant, purposeful and involved leadership. Otherwise, it is just theater.
Regulated industries communicate best practices and compliance expectations, which makes it easier to know what matters and what doesn't. Where your time will be spent is determining how tightly to dial up the security requirements on your operation and how they will impact friction, flow, deliverable velocity and value from the organization.
Unregulated industries still have communicated best practices and compliance recommendations. In the absence of all knowledge, ask the following questions of your Chief {Information Officer, Information Security Officer, Product Officer, Technology Officer}:
No one is exempt from information security. No person, role or title. Like leadership and teams, security is a "we" endeavor.
Not all roles in the company have the same requirements. Some roles are specialized while others are more general. Below is a simplification of this idea.
Specialized: Information Security folks may say higher-level things like confidentiality, integrity, and availability. They may roll out policies, procedures and learning courses while facilitating internal and third-party audits. They'll even be discussing Plans of Action & Milestones (POA&M or POAM) items resulting from audits. They'll need to know frameworks, behaviors, implementations, monitoring methods, reaction/response ladders and industry standards like NIST-CSF, PCI-DSS, HIPAA and so many more.
Specialized: Engineers who focus on infrastructure, networks, data, and software technology stacks need to know about the what, but more importantly, they need to understand the why and how as they do their work. For example: data encryption at rest and in transit, authorization and authentication, securing failover infrastructures, hybrid cloud solutions, bring-your-own-device security, separation of duties, least privilege and need-to-know principles. There is more than one way to implement any one of these concepts, and Engineers need to know them.
Generalized Awareness: Everyone else.
Whether your company calls them Scrum, Strike, Agile, Product or Project Teams, the team construct used to deliver an idea from inception to conclusion often contains multiple roles and therefore multiple people.
In order to become a security-by-design or security-first company, your teams must be shaped to enable the desired outcome. This suggests that an information security/regulatory compliance expert must be included from project inception through the course of the project.
This conversation is less about the recipe for roles and teams and more about the desired outcome. Context-driven teams influenced by desired outcomes.
If the information security people are technical, they may be helpful with design, development, and implementation every step of the way, all day every day. If the information security people are non-technical, they may be more aptly leveraged in a principle-based guidance role during iteration planning, stand-ups, demos and reviews to ensure the project continues to move forward between the fences.
Either way, there must be a full-time champion for the company and clients in terms of privacy, compliance and best practices to achieve the desired outcome.
There are any number of methods to test ongoing compliance. Blind trust. Word of mouth. Internal (infrequent) manual inspection. Third-party annual inspections. Or continuously through automation.
Our typical practice is to identify what attributes of compliance must continually exist, then automate those attributes into a series of tests that are called, executed, logged and tagged every time new infrastructure and applications are built. When non-compliance happens, alert someone (as shown below). Otherwise, keep moving. We have some examples in our GitHub for you to thoughtfully consider.
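The loop described above, written out as an added example (this is not code from the article or from the author's GitHub): a small set of compliance checks covering the attributes the article names (encryption at rest, encryption in transit, least privilege), executed against every resource in a build's inventory, with each result logged and tagged with the build id, check name and resource, and failing findings handed to an alert function. The resource attribute names and the inventory itself are constructed for illustration and are not a real provider's schema.

```python
"""Compliance-as-code: run tagged checks on a build inventory and alert on failures."""
import json
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("compliance")

# Constructed sample inventory for the example; the keys are assumptions,
# not a real cloud provider's resource schema.
INVENTORY = [
    {"id": "db-customer", "type": "database", "encrypted_at_rest": True,
     "tls_in_transit": True, "public": False, "admin_roles": ["dba"]},
    {"id": "bucket-exports", "type": "storage", "encrypted_at_rest": False,
     "tls_in_transit": True, "public": True, "admin_roles": ["everyone"]},
    {"id": "api-gateway", "type": "service", "encrypted_at_rest": True,
     "tls_in_transit": False, "public": True, "admin_roles": ["ops"]},
]


@dataclass
class Finding:
    check: str
    resource: str
    severity: str
    detail: str


# Each check returns a Finding when the attribute is missing, None when it holds.
def check_encryption_at_rest(r: dict) -> Optional[Finding]:
    if not r.get("encrypted_at_rest"):
        return Finding("encryption_at_rest", r["id"], "high", "data stored unencrypted")
    return None


def check_tls_in_transit(r: dict) -> Optional[Finding]:
    if not r.get("tls_in_transit"):
        return Finding("tls_in_transit", r["id"], "high", "traffic not protected by TLS")
    return None


def check_no_public_storage(r: dict) -> Optional[Finding]:
    if r["type"] == "storage" and r.get("public"):
        return Finding("no_public_storage", r["id"], "critical",
                       "storage reachable without authentication")
    return None


def check_least_privilege(r: dict) -> Optional[Finding]:
    if "everyone" in r.get("admin_roles", []):
        return Finding("least_privilege", r["id"], "medium", "admin rights granted to all users")
    return None


CHECKS = [check_encryption_at_rest, check_tls_in_transit,
          check_no_public_storage, check_least_privilege]


def run_checks(inventory: List[dict], build_id: str) -> List[Finding]:
    """Execute every check against every resource; log and tag each result."""
    findings = []
    for r in inventory:
        for check in CHECKS:
            tags = {"build": build_id, "check": check.__name__, "resource": r["id"]}
            f = check(r)
            if f is None:
                log.info("PASS %s", json.dumps(tags))
            else:
                log.warning("FAIL %s %s", json.dumps(tags), f.detail)
                findings.append(f)
    return findings


def alert(findings: List[Finding], notify: Callable[[str], None] = log.error) -> int:
    """Send one message per finding through the supplied notifier; return the count sent."""
    for f in findings:
        notify(f"[{f.severity}] {f.resource}: {f.check} - {f.detail}")
    return len(findings)


def gate(findings: List[Finding], block_on=("critical", "high")) -> bool:
    """True when the build may proceed, i.e. no finding at a blocking severity."""
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    found = run_checks(INVENTORY, "build-0001")
    alert(found)
    print("build may proceed:", gate(found))
```

The notifier is injected so the same run can page a person, open a ticket, or just log during local runs; the gate keeps the pipeline from promoting infrastructure with critical or high findings while still recording the lower-severity ones for follow-up.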
Continuous delivery pipeline behaviors are not new. Widespread awareness and adoption of new concepts takes time to expand across industries, companies, leaders, and teams. As more companies implement continuous delivery principles, more of the things many companies used to exclude because they took too much time, or performed only manually, in arrears and infrequently, will be automated, providing real-time information radiators.
Look for vendors and tools that are API-driven, have a great online community, openly available developer and administrative documentation, as well as active tool support. These tools enable you to perform automated analysis-refactor loops now versus waiting until later and hoping for the best. It is worth your money to know your risk exposure now.
Hire great people. Cast a vision, communicate desired outcomes, define clear objectives, give them the resources to be successful, give them rules of engagement and stay involved.
Great people make mistakes. And even great people sometimes do not know what to do. Security frameworks help mitigate oversights, mistakes and provide guidance when people are in new, different and complex situations.