Have you ever stayed awake at night, worrying that a basic phishing attack or buggy code will bring your whole company crashing down?

You’re not alone. The threat of data breaches and malware attacks is real. Ransomware is a prominent recent form of attack: rather than breaking in to steal sensitive data, it locks a company out of its own data and demands a ransom to restore access. Whether the cause is a coordinated attack or a basic human error, cyber security failures threaten the life of a tech company.

CTOs invest time and money to prevent cyber security breaches, but with so many ways to be attacked, creating an effective security program can be overwhelming. This article sorts through some of the major issues associated with security and offers best practices for the critical cyber security decisions a CTO has to make.

CTOs Must Overcome Security Misconceptions

Much of the technology behind security and compliance grew out of government programs. The Defense Department wanted systems that transmitted information privately and securely, and, unlike your CFO, it wasn’t counting pennies. So there is a disconnect when technology companies today have to weigh the costs and benefits of security. Security risks are met with uncertainty and doubt, and questions arise like, “Are we really in danger of an outside attack?” Threats get exaggerated in the abstract while security gets underappreciated in practice.

A CTO’s goal is to overcome this misconception and create a company culture that embraces security. The reality is that the large majority of security breaches trace back to human error: information exposed by mistake, developers given more access than they need, or sensitive data handled carelessly. Regardless of the source, humans make mistakes, so limiting human error is a major security priority. In practice that means designing so that a single mistake is not fatal: least-privilege access, so that one compromised credential exposes as little as possible, and checks that catch the mistake before it reaches production.

Another misconception is that technological change moves too fast for security to keep up. The challenge is real, but the tension between evolving technology and security can be beneficial: the competing interests force a security team to operate with better tooling and speed, addressing more risks than before.

A strong security culture requires overcoming some common misconceptions, but it also requires regular maintenance. A good analogy here is maintaining physical health. Physical health is not accomplished by a one-and-done visit to the doctor. It requires small investments every day. For example, healthy eating habits, exercise, and smart lifestyle choices all contribute to great physical health. A great security culture is not much different; it has daily routines built into its operation that maintain its fitness in addition to checkups at regular intervals.

It is important to remember that as a security culture is built, the CTO must respect the talents of each department. Engineers should be trained in, and have a working relationship with, the security program, but their focus should be, you guessed it, engineering. Respecting the talents of your employees will go a long way in gaining the respect and trust you need for a successful security culture.

A Note on Compliance

Security and compliance are intertwined, so security programs almost always address compliance issues. As you read the threat modeling section below, be aware that threats can also arise from failures in compliance. Failing to comply with statutes and regulations creates legal roadblocks and costly hurdles for your company, and failing to meet contractual obligations can cause huge losses in time and money.

A ubiquitous example is the payment card industry’s Data Security Standard (PCI DSS) for protecting cardholder data. It is not a law; it is imposed through a chain of contracts that runs from the card brands through acquiring banks and payment processors to merchants, and on to their service providers and vendors. Customers in a highly regulated industry will have more specific requirements before they can do business with you. Here, regulatory and contractual forces combine to create potential threats to your company, and a strong security program will acknowledge and address them alongside internal errors and external attacks.

Threat Modeling as an Approach to Building a Security Structure

One way for a CTO to create a security program is threat modeling. Opportunities for security breaches are everywhere; threat modeling prioritizes the risks that matter most to your company. It is the process of organizing abstract security risks in a structured way: identify the assets, the threats to those assets, and the ways those threats could be realized, then decide how each will be addressed. The goal is to bring security consciousness to the front of mind and give the CTO the power to minimize risk.

Threat modeling is a functional tool for the CTO. Specifically, the model identifies and scores three main areas: 1) the assets of the organization, 2) the adversaries of the organization, what their objectives are, and how they would accomplish them, and 3) the protections or safeguards already built into the organization. The important aspect of the threat model is an agreed-upon way to measure risk, and the goal is to translate each security or compliance risk into a quantified business risk.

A CTO uses this information to build a roadmap that addresses the concerns identified in the model. A successful roadmap sets measurable goals and projected milestones over time. It can also define an accountability matrix, which empowers leaders at each level to make the security decisions appropriate to that level: the matrix removes the onus of ultimate approval from the CTO alone, so that small security decisions are made by managers and large ones by the C-suite.
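The scoring and the accountability matrix described above, carried through in working code. This is an added example, not code from the original article: it assumes risk is expressed as annualized loss expectancy (ALE = single-loss expectancy × annual rate of occurrence, a standard quantitative-risk formula the article does not name), the sample threats and dollar figures are constructed, and the approval thresholds in `APPROVAL_TIERS` are illustrative.

```python
"""Scoring threats as business risk and routing each control to the right approver.

Added example (not from the article). Assumptions: risk = ALE = SLE * ARO;
SAMPLE_THREATS and every dollar figure are constructed; APPROVAL_TIERS is an
illustrative accountability matrix keyed on the annual cost of a control.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    asset: str              # what the adversary goes after
    adversary: str          # who, and roughly how
    sle: float              # single-loss expectancy: dollars lost if it happens once
    aro: float              # annual rate of occurrence: expected events per year
    safeguard: str          # proposed control from the roadmap
    safeguard_cost: float   # annual cost of that control
    aro_after: float        # expected events per year once the control is in place

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before the control."""
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        """Annualized loss expectancy with the control in place."""
        return self.sle * self.aro_after

    @property
    def net_benefit(self) -> float:
        """Risk reduction the control buys, minus what it costs.
        Negative means the control is not worth it on these numbers."""
        return (self.ale - self.ale_after) - self.safeguard_cost


# Illustrative accountability matrix (assumption): who signs off, by annual control cost.
APPROVAL_TIERS: List[Tuple[float, str]] = [
    (25_000, "engineering manager"),
    (250_000, "VP / CSO"),
    (float("inf"), "C-suite"),
]


def approver_for(cost: float) -> str:
    """Route a decision to the lowest tier whose ceiling the cost falls under."""
    for ceiling, role in APPROVAL_TIERS:
        if cost < ceiling:
            return role
    return APPROVAL_TIERS[-1][1]


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest business risk first: the order in which the roadmap should address them."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


# Constructed sample threats; every figure is made up for the demonstration.
SAMPLE_THREATS = [
    Threat("customer database", "external attacker via phished developer credentials",
           sle=2_000_000, aro=0.10, safeguard="hardware-key MFA for all engineering accounts",
           safeguard_cost=40_000, aro_after=0.01),
    Threat("production servers", "ransomware via unpatched internet-facing service",
           sle=500_000, aro=0.25, safeguard="patch SLA plus offline backups",
           safeguard_cost=60_000, aro_after=0.05),
    Threat("build pipeline", "malicious dependency introduced by a developer mistake",
           sle=150_000, aro=0.30, safeguard="dependency pinning and review",
           safeguard_cost=10_000, aro_after=0.05),
]


def roadmap(threats: List[Threat]) -> List[dict]:
    """One row per threat: rank by risk, whether the control pays for itself, who approves it."""
    rows = []
    for rank, t in enumerate(prioritize(threats), start=1):
        rows.append({
            "rank": rank,
            "asset": t.asset,
            "ale": t.ale,
            "net_benefit": t.net_benefit,
            "worth_it": t.net_benefit > 0,
            "approver": approver_for(t.safeguard_cost),
        })
    return rows


if __name__ == "__main__":
    for row in roadmap(SAMPLE_THREATS):
        print(row)
```

The point of the table is the last two columns: a control with a negative net benefit is a business decision to accept the risk, and the approver column is the accountability matrix doing its job, so the CTO is not the bottleneck for a $10,000 dependency-pinning change.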

Available Preventative Measures and Remedies

Once threat modeling is complete, the roadmap should indicate which preventative measures and remedies apply. These may include strong regression testing, controls that check for errors, code review in the development process, automated testing, and testing against the live release. The security tests are specific to the company’s system, but it is possible to build automation that looks for specific problems, namely the threats identified during threat modeling. As mentioned above, a strong security structure is not a one-step routine; it is a consistent, regular part of the development process.

One best practice is to begin looking for security problems at the design phase. It is far better (and easier) to find a flaw before a product goes live, because a flaw caught at design time is far cheaper to fix than one found in production. Another common practice is to test your security controls. A common mistake CTOs make is assuming that every control currently in use actually works. For example, a 6-digit code sent by SMS is a very common way to achieve “two-factor authentication,” but its effectiveness is questionable because there are several ways for an attacker to obtain the SMS, including SIM-swap attacks against the carrier and interception in the phone network. The server-side check of the code is itself a control that can fail, for instance if it allows unlimited guesses or lets a code be reused. Test the control as an attacker would rather than assuming it holds.

One of the best skills a CTO can develop to improve preventative measures is thinking like your adversaries. Though primarily a thought exercise, it makes you regularly examine the goals and motivations of those who would breach you. This keeps the value of your data top of mind and can guide security implementation.
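The two practices above, testing a control instead of assuming it works and thinking like the adversary, applied to the 6-digit code example. This is an added example, not code from the original article: `OtpVerifier` is a toy server-side check with the knobs a real one should have (expiry, single use, attempt cap), `brute_force` is the adversary, and the user names and the fixed code injected through `rng` are constructed so the run is reproducible. The SMS delivery problems mentioned above (SIM swap, interception) are out of scope here; only the check itself is exercised.

```python
"""Testing a 6-digit one-time-code control the way an adversary would.

Added example (not from the article). Assumptions: codes are issued server-side
and checked by OtpVerifier; the clock and RNG are injectable so the tests are
deterministic; the delivery channel (SMS or otherwise) is not modelled.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Pending:
    code: str
    expires_at: float
    attempts: int = 0


class OtpVerifier:
    """Server-side check for a 6-digit code issued per login attempt.

    max_attempts=None disables the attempt cap, which is the misconfiguration
    the brute_force adversary below exploits.
    """

    def __init__(self, max_attempts: Optional[int] = 5, ttl_seconds: float = 300,
                 now: Callable[[], float] = time.time,
                 rng: Callable[[int], int] = secrets.randbelow):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self._now = now      # injectable clock so expiry can be tested
        self._rng = rng      # injectable RNG so tests are deterministic
        self._pending: Dict[str, _Pending] = {}

    def issue(self, user: str) -> str:
        """Generate a fresh code for the user; a new issue replaces any pending one."""
        code = f"{self._rng(10**6):06d}"
        self._pending[user] = _Pending(code, self._now() + self.ttl)
        return code  # in production this goes to the delivery channel, not the caller

    def verify(self, user: str, candidate: str) -> bool:
        p = self._pending.get(user)
        if p is None:
            return False
        if self._now() > p.expires_at:
            del self._pending[user]   # expired: force a fresh issue
            return False
        p.attempts += 1
        if self.max_attempts is not None and p.attempts > self.max_attempts:
            del self._pending[user]   # cap exceeded: the code is burned
            return False
        ok = hmac.compare_digest(p.code, candidate)  # constant-time comparison
        if ok:
            del self._pending[user]   # single use: no replay of a verified code
        return ok


def brute_force(verifier: OtpVerifier, user: str, budget: int = 10**6) -> Optional[int]:
    """Adversary: guess every 6-digit code in order, up to `budget` tries.
    Returns the number of guesses on success, or None if the control held."""
    for guess in range(budget):
        if verifier.verify(user, f"{guess:06d}"):
            return guess + 1
    return None


def control_holds(max_attempts: Optional[int], secret_code: int = 4242) -> bool:
    """True if the brute-force adversary fails against a verifier with this cap.
    The issued code is fixed through the injectable RNG (constructed, not secret)."""
    v = OtpVerifier(max_attempts=max_attempts, rng=lambda n: secret_code)
    v.issue("alice")
    return brute_force(v, "alice") is None


if __name__ == "__main__":
    print("no attempt cap, control holds:", control_holds(None))
    print("cap of 5 attempts, control holds:", control_holds(5))
```

The randomness of the code is not the control; the attempt cap is. Without it the adversary wins in at most a million cheap requests, and the same harness shape (issue, attack, assert the control held) transfers to any other control you are tempted to assume works.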

Your Unique Security Program

The security program that results from threat modeling and roadmapping is unique to each company and depends on the organization’s size and structure. At the early stages of growth, the CTO’s goal is integration: getting security embedded in the culture of the company. When the company has grown and begins thinking long term, the CTO can shift focus to anticipating regulatory requirements and preventing new forms of attack. This shift moves the company from following standard industry practices to setting best practices.

The operation of the security program grows as well. CTOs typically begin with responsibility for security in its entirety, but eventually security and technology separate into different departments with different skill sets. The CSO and the CTO have different functions, but they should build a symbiotic relationship. Bridges between these and other departments, such as legal, finance, and human resources, will maximize the CTO’s influence.

Remember that security is part of the company’s culture, not a checkbox to be marked. It requires cross-departmental communication and integration, and it requires the CTO to lead with anticipatory thinking and creative, effective procedures that keep the organization safe from internal and external security threats.