
Be the Security Lead for Your Company

Mike Chessa, Director of Sales | Tugboat Logic
2019-04-02, 6 min read
InfoSec Best Practices

If you're working at a company that doesn't have a senior security lead or CISO, and you are either in a regulated market or selling to large enterprise clients, your company will need to invest in a security program.

This can be a great opportunity for advancement, a raise, and career growth. Or maybe you’re the CTO or Head of Product and are stuck wearing the security hat for your company. Congratulations, you’ve reached the top – now you just need to execute!

Below is a step-by-step on what you will need to be the security lead for your company:

Step 1: Understand your Market/Client Requirements

There are industry-specific guidelines and open source resources you can reference. Chances are your clients are going to tell you what you will need. It’s worth pointing out that in North America the common security standard for a software company is SOC 2. In Europe and other international markets, it’s ISO27001/2. Then there are specific frameworks for certain industries – such as FedRAMP for selling into the US Federal Government, and HITRUST for selling into US Healthcare.

If your clients don’t require SOC2, ISO27001/2 etc. – Great! Your job just got easier and less costly.

Step 2: Prioritize Your Security Roadmap

Unfortunately, getting certified against a framework costs money, time and resources. You are going to want to get a handle on what your core set of clients actually require and prioritize from there.

Note: if you are pre-revenue or early-stage, a common strategy is to gate your costs as best you can. Depending on what’s required, you can accomplish this a number of ways. Focus early on ensuring your client-facing security deliverables can be turned around quickly and completely, clearly demonstrating your security posture and your roadmap to future certification.

The key here is to create a plan and demonstrate what tools and resources you will need to get the job done.

There are three key things you will need:

Domain expertise to create the required policies, controls and roadmap to certification.
Resources to implement the required framework.
Tools to help automate and scale your InfoSec program.

Step 3: Find a Software Company/Service Provider to Help you Prepare for Certification

When evaluating software, focus on how it gets you where you need to be faster and how it provides an opportunity to scale your InfoSec program.

What not to do: present a plan that contains manual processes that lean on Excel, shared folders, etc.

If you don't know much in the way of security controls, find a product that provides guidance on how to implement them, or secure budget to bring in a consultant.  

What to look for:
Automation – identify how the product can help you successfully scale your program.
Domain Expertise – identify how the product can help supplement your team’s security background. A current, pre-written set of policies and controls, linked in a common database or system of record and accompanied by implementation guidance, is a good start.
Certification – identify how the product can get you certified as quickly and confidently as possible.
Policy awareness training for your staff.

Step 4: Define Your Process for Responding to Client Security Due-Diligence Requests

Responding to Security Questionnaires: You can do this in spreadsheets, but that isn't scalable. The best case is to find a product that links your InfoSec program to the questionnaire workflow so you can automate it. Buying two different products, one to run your InfoSec program and another to respond to security questionnaires, is problematic, because you will have to continuously keep both databases in sync. To help enable sales you will also want to produce an assurance document that details your security program.

Audits: Capturing Evidence, Tests, Incidents

You will need a process that defines how you will ensure that the appropriate policies and controls are being followed. Supporting evidentiary documents should be captured and tagged to the specific policies and controls for ease of reference during an audit.

Things to answer:
Who is responsible for which security controls, and when?
Where is proof that the control has been implemented?
Is the data stored in a central place that is convenient to show to auditors?

There you have it. This is a playbook for becoming your company’s security lead: understand your client requirements, plan to scale, and bring in the appropriate resources to get the job done.

TUGBOAT LOGIC INC. © 2019 - BURLINGAME, CA, USA