Aligning Teams

00:00

All right. Welcome. Teoh Module for this is less than 4.1. We're gonna be talking about aligning teams to help improve vulnerability management.

00:09

All right, so we're learning objectives here. We're gonna talk about how members of the security team can work together more efficiently to hate to aid in that vulnerability management process.

00:19

We're gonna talk about how infrastructure in security can combine efforts that will really help improve efficiency as well, bringing developers into the security conversation super crucial on. Then again, how executive leadership can partner with security management and some of the other teams to improve those vulnerability management processes,

00:37

arts or security team.

00:39

So if you have a smaller organization, uh, might be You may just have I tear helped us. You might just have, ah, a few people on your helped us that are doing help desk and, you know, systems administration, maybe network engineering as well. Um, maybe they need to go to training, maybe, uh,

00:56

send them. Sending them to security training could help them understand,

01:00

uh, how to create a more secure environment, you know, kind of from the ground up. And as the business is growing, they can also help continue in that security role, and I t roll and help to train others on the team. As you grow

01:12

medium to large, large sort

01:15

medium to large sized organizations, make sure your teams are communicating. You might have a lot of teams, so make sure that they're communicating efficiently and often. Um, I S e's and s's so should work really well together. You know, they should be sharing report, sharing vulnerabilities, talking about what's most important,

01:34

uh,

01:36

that that combination, especially if you're in a larger organization having those open lines of communication can really help to improve your vulnerability management practice,

01:46

encourage transparency and vulnerabilities and issues. I feel like there's still the stigma around talking about Oh my gosh, least we've got this critical vulnerability. Don't tell anybody

01:56

talk about it. Because if we talk about it, we know about it. We can fix it. Uh, that's the only way that we're gonna be able to resolve those issues. And, you know, in one of the previous slides, we talked about how you know about 1/3 of the organists are 1/3 of the people in the survey knew that there was a vulnerability environment. They didn't do anything about it.

02:14

You maybe, maybe if we communicate that to leadership

02:16

and leadership asked for that communication, we can make sure we have that transparency and could say, Yeah, we got this vulnerability we got We got to get this knocked out

02:25

infrastructure 19. Um,

02:29

I feel like sometimes I see the sticks disconnect between I T and Security, where I t infrastructure teams. They're really focused on technical refreshes or focused on projects. Software development brings security into that conversation. Have them come to your weekly meetings,

02:46

doesn't have to be weekly, maybe even monthly. Just haven't come to your project updates.

02:52

That way they can ask questions and be involved early on, which alleviates that extra overhead that extra budget that extra time that you're adding to that project that project that scope creep. So finding that balance between security and functionality helps toe have both teams involved from the onset

03:09

documentation. I know lots of I T and security people, lots of technical people that don't want to do the documentation. It's hard. It takes a lot of time, especially away from other projects. Eso maybe hire a technical writer and Maybe you could hire one on a contract basis that you could say, Hey, I need these five documents,

03:28

you know, Come in. Let's do this. Maybe you can't afford one full time.

03:30

That's okay. You can hire a contract one to come in and just kind of help you get on understanding of what you've got going on in the environment.

03:38

On developers,

03:40

Uh, it's

03:44

it's getting more prevalent, but it's still difficult sometimes to include security early on when they're developing those those products. They're developing that software,

03:53

uh, request gate reviews and request that security be involved before those *** reviews. So a week before the gate review say, Hey, here's my code. Can you check this out? Let's let's get Let's get to the gate review and actually discuss anything that you found her. Let's fix,

04:08

um, maybe send your developers to security training. Maybe if they don't quite understand the importance of security. Or maybe they don't have time Or, you know, maybe it's not part of what they're doing. Send them to training and say, Hey, you know, let's learn how to develop this code securely. So that way we don't We don't even by the time we get to security were already good to go. Um,

04:29

and of course, uh, using security tools before code goes out. Security spot bugs. There's a lot of great security tools out there that you can use. Some are free, some you have to pay for. But, uh, using those security tools from a developer standpoint can really help them just constantly integrate security practices into their code development.

04:49

So executive leadership,

04:51

you know, staying involved, knowing what's going on in those with those programmers, what they're doing with their code development before you're starting a new project before you're saying, Hey, we need to do this. We need to get this software built. We need to update this. Whatever have all the teams involved bring them into that conversation?

05:09

Ah, hire a vulnerability mission. Sme. Um, you have worked as like a security liaison before where I worked between a security team in a 19 team on mostly only I t side, but to help bring security in so and the software developers, and so we could kind of all work together and figure out what

05:27

everyone's priorities were and then to help kind of align those goals so that we were all working together

05:31

to improve vulnerability. Management Ancic over also security in the organization.

05:39

So today we talked about how to align security teams in small or large organizations.

05:46

How I t teams can collaborate more effectively with security. I think that's a really big take away, making sure that your team's air communicating and working all together,

05:56

how to improve security and why it's so important in code development on then how executive leadership can really improve vulnerability management by aligning those teams on getting them to work together.