In the fall of 2017, I joined Cybrary as the VP of Engineering, and like most startups, everyone here wears many hats. One of mine is the Head of Security. Protecting a rapidly growing company in the cybersecurity space with limited resources and no dedicated security personnel or systems is something I was well prepared for, having spent the prior five years in a similar position at a User and Entity Behavior Analytics (UEBA) startup. So, how does someone with a non-traditional background in security approach the challenges of securing a company like Cybrary without sacrificing speed?

My solution is to make security a shared responsibility that is a tenet of the organization. In my capacity as the Head of Technology, I cannot afford the inefficiency of the review, remediate, and approve cycle that comes from having an isolated security team. I have to depend on our team members to make the right decisions in near real-time, including security decisions. That brings to mind the quote, "A computer lets you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and Tequila" (Mitch Ratcliffe, Technology Review, April 1992). If I do not want those mistakes to result in breaches, stolen IP, or monetary or reputational damage, then everyone has to have a strong security foundation and mindset.

But this applies beyond just Cybrary and startups. To stay ahead, enterprises of all sizes are flattening, dismantling silos, adopting DevSecOps, and leveraging technology more and more. People at all levels must be Security Enabled.

To achieve this security-minded culture, everyone at Cybrary must know what I expect of them and understand why. My first step is to apply a fundamental software development technique: divide and conquer. I break security down into four main categories and organize all security-related topics or concerns within them. Once structured, identifying who should take ownership of what becomes clear. Then I work with teams and individuals to outline their role in our shared security model. My four categories are as follows:
Governance/General Security
The policies, procedures, and principles governing the overall security posture of the company.
This includes high-level guidelines that provide an "on-the-ground" decision making framework as well as more prescriptive rules and practices such as a BYOD policy. As the Head of Security, I own these and am responsible for ensuring everyone is aware of and adhering to them.
Internal IT Systems
The hardware and networking infrastructure of the company.
These are the underlying systems that enable people to do their jobs and are distinct from any production, development, or research environments. For example, networking devices, video-teleconferencing equipment, and desktop/laptops. The IT department (or person) is responsible for securing these systems and working with end-users to ensure they are securely maintained and operated.
Corporate Applications & Information
The desktop applications and SaaS/PaaS services used daily by staff in the course of their jobs.
This includes associated data, records, and work products. The IT department is responsible for configuring and controlling access to these systems, but the individuals using them play the most critical role in ensuring their security.
Secure Application Development & Deployment
The production application/platform and associated data developed and operated by the company.
At Cybrary, we have a DevSecOps mindset. As such, all of the engineers are responsible for ensuring the overall security of our platform, environments, and deployment pipeline.

Breaking down security is the starting point that enables me to identify and work with the right stakeholders. The next steps are to educate team members, to provide them with the right tools, on-going training, and guidance, and then to empower them to make decisions. By doing this, I spend more time providing advice and consent than I do chasing people to comply with policies or hunting for security issues that have already been created. Security has become part of the creative, problem-solving process, rather than an obstacle and gating function. We innovate faster because we do not have to revisit bad decisions or unwind poorly implemented, insecure solutions. Mistakes are inevitable, but through Security Enablement, Cybrary reduces risk while accelerating results to our customers.
Watch the interview with Mike Gruen discussing Security Enablement