If you’re working at a company that doesn’t have a senior security lead or CISO, and you are either in a regulated market or selling to large enterprise clients, your company will need to invest in a security program. At the helm of that program you need a cyber security expert.
How to Become a Cyber Security Expert
Learning skills that fill a clear gap in your company can be a great opportunity for advancement, a raise, and career growth. Not only will this directly help you in your future, but your company will thank you for it as well. Or maybe you’re the CTO or Head of Product and are stuck wearing the security hat for your company. Congratulations, you’ve reached the top – now you just need to execute!
Below is a step-by-step guide to what you will need in order to be the security expert for your company:
Step 1: Understand Your Market/Client Requirements
To be a cybersecurity expert, it’s important to know your market and clients well. That comes with experience, but there are industry-specific guidelines and open-source resources you can reference. Chances are your clients will tell you what you need. It is worth pointing out that in North America the common security standard for a software company is SOC 2. Internationally, and in Europe in particular, it’s ISO 27001. Then there are specific frameworks for certain industries – such as FedRAMP for selling to the US Federal Government and HITRUST for selling into US healthcare.
If your clients don’t require SOC 2, ISO 27001/2, etc. – great! Your job just got easier and less costly.
Step 2: Prioritize Your Security Roadmap
Unfortunately, getting certified against a framework costs money, time and resources. You are going to want to get a handle on what your core set of clients require and prioritize from there.
Note: if you are pre-revenue or early-stage, a common strategy is to try to gate your costs as best you can. Depending on what’s required, you can accomplish this in a number of ways. Focus early on ensuring your client-facing deliverables around security can be turned around quickly and completely, clearly demonstrating your security posture and future certification roadmap.
The key is to create a plan and demonstrate what tools and resources you will need to get the job done.
There are three key things you will need to build your security roadmap:
- Domain expertise to create the required policies, controls and roadmap to certification.
- Resources to implement the required framework.
- Tools to help automate and scale your InfoSec program.
Step 3: Find a Software Company/Service Provider to Help You Prepare for Certification
When evaluating software, focus on how it gets you where you need to be faster and more comprehensively. Also think about how it provides an opportunity to scale your InfoSec program.
What not to do: present a plan that contains manual processes that lean on Excel, shared folders, etc. For most security frameworks and guidelines, the time to complete can be quite demanding, especially alongside other priorities. Make sure that anything that can be automated is automated.
If you don’t know much in the way of security controls, find a product that provides guidance on how to implement them, or secure a budget to bring in a consultant.
What to look for:
- Automation – identify how the product can help you successfully scale your program.
- Domain Expertise – identify how the product can help supplement your team’s security background. A current, pre-written set of policies and controls, linked in a common database or system of record and containing implementation guidance, is a good start.
- Certification – identify how the product can get you certified as quickly and confidently as possible.
- Policy awareness training for your staff.
Step 4: Define Your Process for Responding to Client Security Due-Diligence Requests
Responding to Security Questionnaires:
You can do this in spreadsheets, but that isn’t scalable. The best case is to find a product that links your InfoSec program to the workflow so you can automate it. It can be troublesome to buy two different products to execute your InfoSec program and respond to security questionnaires, as you will have to continuously manage both databases. To help enable sales, you will also want to produce an assurance document that details your security program.
Audits – capturing evidence, tests, incidents:
You will need a process that defines how you will go about ensuring that the appropriate policies and controls are being followed. Supporting evidentiary documents should be captured and tagged to the specific policies and controls for ease of reference during an audit.
Things to answer:
- Who is responsible for which security controls, and when?
- Where is the proof that the control has been implemented?
- Is the data stored in a central place that is convenient to show to auditors?
There you have it. This is a playbook for becoming your company’s security lead: understand your client requirements, plan to scale, and bring in the appropriate resources to get the job done.
PS: Looking for more tips on becoming a cybersecurity expert? Try downloading our Security Best Practices for Startups.