Security breaches are not a novelty anymore. As their numbers increase, directors and boards need to ask themselves "what do I need to know about security in order to keep my organisation safe?" The use of SaaS (Software-as-a-Service) solutions requires a cloud security strategy that toughens and shifts its focus from respond and defend towards monitor, prevent and protect.
To help directors and boards answer these questions, and more, we've invited Caroline Wong, Chief Security Strategist at Cobalt.io and Advisory Board Member for RSA Conference, to talk about investing in security, the benefits of pentests, and measures for directors to take in order to address the risks of security breaches in their organisations.
Sherpany: Security is still a subject matter of concern for directors and boards of directors. How does it affect the way security issues are handled by and within organisations nowadays?
Caroline Wong: Organisations understand that incidents (security and otherwise) will happen, and they must plan accordingly. This may include deploying technology solutions to constantly monitor and detect incidents. Advanced teams may even run practice incidents (like security fire drills) on a regular basis to keep teams on their toes. This ensures that organisations are familiar with incident response procedures so they are prepared if a real event occurs.
Sherpany: To what degree can a company limit the implementation of its security strategy to its CISOs and/or its IT departments only? How necessary is it to involve the whole organisation, from top to bottom, in this process?
Caroline Wong: Technology doesn’t only affect security and IT teams, and not only security and IT teams have access to sensitive company information and data. For a security strategy to be effective, everyone at the organisation needs to know that it’s a priority, understand their individual responsibility, and be informed on what to do in order to protect whatever it is that the company values (depending on the organisation, this might be customer or payment information, intellectual property, private emails, source code, and other sensitive data).
A minimum baseline for employee security training should cover least privilege, strong passwords, phishing, the importance of software updates, and how to reach the security team if anything looks suspicious (typically email@example.com).
Sherpany: In your career you must have experienced a lot of interesting encounters with directors and board members. Can you share with us a situation in which you had to explain and justify an investment in a security? How did you manage to support it?
Caroline Wong: At eBay, I helped our CISO at the time, Dave Cullinane, to craft a proposal to the executive team which requested a significantly larger investment in the information security function. Dave is a brilliant guy and one of the strategies that I saw him implement was to compare our team’s security budget to that of similar, peer organisations. He was able to do this because he was well connected in the industry and could simply call security leaders up on the phone and ask them to share their budgets with him. He put them all down on a slide and it was clear to eBay’s executives when they saw the discrepancy between how much eBay had previously been investing in security and how much other companies were investing, that a major change needed to occur.
Sherpany: Where do you see the biggest challenge(s) when aligning people, processes, and technology in order to reach an optimal level of security?
Caroline Wong: Security should tell a story that the rest of the business can get on board with and understand. Why is security important to the organisation? What are the potential risks and threats, and what is the plan to address them?
You need to be able to find the proper balance and align your people, processes, and technology accordingly.
I would say one of the biggest challenges I have seen comes with people around alignment. Directors, executives, and security leaders need to be on the same page with regards to security goals for the organisation and a plan to get there. At the board level, it is important to support your security teams and champion security as a priority in message and in action.
Sherpany: There are a lot of buzzwords when it comes to security, especially security testing. Some of these refer to penetration tests, vulnerability scanners, application security, etc. What exactly is pentesting? Which companies do it and why?
Caroline Wong: A pentest (also referred to as a penetration test or vulnerability assessment) is a type of manual security testing - meaning that a person is manually going in and checking your app - that provides insight into an application’s overall security by systematically reviewing its features and components. Overall, pentesting helps illuminate, quantify, and qualify the bugs and flaws in an application (web, mobile, API, network, cloud, etc.) by imitating an attacker.
There are several reasons why a company would perform a pentest. A customer might ask to view the results of a pentest prior to doing business. Some companies align pentesting with major feature releases or use them as periodic checkups to discover what kinds of vulnerabilities have slipped through the development process. Other companies are subject to regulatory compliance requirements such as Data Protection, PCI, and SOC that force them to perform testing on a continuous basis. However, the overarching reason for pentesting is to keep companies' data and assets protected, whether that is customer data, employee data, healthcare records, financial information, etc.
Sherpany: Security tests provide great feedback for the engineers' department, but how can directors and boards in their turn interpret and act on, for example, findings of a penetration test?
Caroline Wong: Many board members would find it interesting to watch a demo of how the most critical vulnerability identified during a penetration test can be exploited. Ask your security team to explain this to you, and show you what could happen if a malicious attacker decided to take advantage of the weakness.
This can help take the information out of a bug tracking system like JIRA or GitHub (when was the last time board members were interested in reviewing tickets?) and help the scenario to “come alive” in order to set the stage and provide context for better understanding high-level security strategy and investment decisions moving forward.
Sherpany: What are some measures that directors and board members can take to address the risks of security breaches in their organisations? What do you encourage directors and boards to do first and foremost?
Caroline Wong: As is the case with any area of specialised expertise, directors and board members don’t need to become security experts. It is, however, worth the time and investment to ask a security expert about the risks that might impact your organisation and their recommendation on putting a strategy in place to manage these risks.
Just as you would go to a doctor for medical advice or an attorney for legal advice, you can seek out a security consultant or ask your head of security for security advice. Some questions to ask might include:
For more information on Pen Testing as a Service, visit www.cobalt.io