Reduce Risk, Increase Speed: How Security Enablement Drives Cybrary Forward

July 12, 2019 | Views: 6256


In the fall of 2017, I joined Cybrary as the VP of Engineering, and like most startups, everyone here wears many hats. One of mine is the Head of Security. Protecting a rapidly growing company in the cybersecurity space with limited resources and no dedicated security personnel or systems is something I was well prepared for, having spent the prior five years in a similar position at a User and Entity Behavior Analytics (UEBA) startup. So, how does someone with a non-traditional background in security approach the challenges of securing a company like Cybrary without sacrificing speed?

My solution is to make security a shared responsibility that is a tenet of the organization. In my capacity as the Head of Technology, I cannot afford the inefficiency of a review, remediate, and approve cycle that comes from having an isolated security team. I have to depend on our team members to make the right decisions in near real-time, including security decisions. This brings to mind the quote, “A computer lets you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and Tequila” (Mitch Ratcliffe, Technology Review, April 1992). If I do not want those mistakes to result in breaches, stolen IP, or monetary/reputational damages, then everyone has to have a strong security foundation and mindset. But this applies beyond just Cybrary and startups. To stay ahead, enterprises of all sizes are flattening, dismantling silos, adopting DevSecOps, and leveraging technology more and more. People at all levels must be Security Enabled.

To achieve this security-minded culture, everyone at Cybrary must know what I expect of them and understand why. My first step is to apply a fundamental software development technique: divide and conquer. I break security down into four main categories and organize all security-related topics or concerns within them. Once structured, identifying who should take ownership of what becomes clear. Then I work with teams and individuals to outline their role in our shared security model. My four categories are as follows:

Governance/General Security

The policies, procedures, and principles governing the overall security posture of the company. This includes high-level guidelines that provide an “on-the-ground” decision-making framework as well as more prescriptive rules and practices such as a BYOD policy. As the Head of Security, I own these and am responsible for ensuring everyone is aware of and adhering to them.

Internal IT Systems

The hardware and networking infrastructure of the company. These are the underlying systems that enable people to do their jobs and are distinct from any production, development, or research environments. For example, networking devices, video-teleconferencing equipment, and desktops/laptops. The IT department (or person) is responsible for securing these systems and working with end-users to ensure they are securely maintained and operated.

Corporate Applications & Information

The desktop applications and SaaS/PaaS services used daily by staff in the course of their jobs. This includes associated data, records, and work products. The IT department is responsible for configuring and controlling access to these systems, but the individuals using them play the most critical role in ensuring their security.

Secure Application Development & Deployment

The production application/platform and associated data developed and operated by the company. At Cybrary, we have a DevSecOps mindset. As such, all of the engineers are responsible for ensuring the overall security of our platform, environments, and deployment pipeline.

Breaking down security is the starting point that enables me to identify and work with the right stakeholders. The next steps are to educate team members, to provide them with the right tools, ongoing training, and guidance, and then to empower them to make decisions. By doing this, I spend more time providing advice and consent than I do chasing people to comply with policies or hunting for security issues that have already been created. Security has become part of the creative, problem-solving process, rather than an obstacle and gating function. We innovate faster because we do not have to revisit bad decisions or unwind poorly implemented, insecure solutions. Mistakes are inevitable, but through Security Enablement, Cybrary reduces risk while accelerating results to our customers.


Watch the interview with Mike Gruen discussing Security Enablement

1 Comment
  1. I’m curious as to how the security program’s success is measured, and what it means “in real life” for staff to be empowered to make security decisions. I usually see colleagues who are empowered (if not officially) choose not to implement security “yet”. Tomorrow never comes, so to speak.
