7CTOs hosted an AMA with Ted Harrington, Executive Partner at Independent Security Evaluators. It was a lively discussion in which Ted guided a group of CTOs on how to think like a hacker when assessing security threats to their systems.
During this conversation we touched on the following questions. Click on the links to jump to the time code in the video:
- What are common misconceptions CTOs have about securing their systems?
- As a CTO, how do I educate my C-Suite and my engineering teams on security concerns?
- When is a good time to consider security implications for my app?
- Business requirements vs. Security requirements?
- How your “attack surface” increases when your company acquires another
- How to build the threat model targeting your apps
- What are the characteristics of a CTO who protects their apps well?
- The ratio of automated attacks and social engineering attacks and the trend
- What is a good cadence for security assessments?
We also had a great conversation about penetration testing towards the end.
Chat transcript highlights from the call:
10:20:00 From Jeff: There’s a trade-off between security and agility: security necessarily forecloses certain options as it locks out certain information or ways of getting to it. Do you have any thoughts on how to secure systems while still keeping them versatile or agile?
10:21:14 From Nathan: As CTOs, we often have people on our team with the most access to our secure systems. Beyond the technical solutions to application security, how do you teach paranoia and protect the “softer” targets from things like [spear]phishing attacks?
10:26:56 From Petr: Agility also adds a form of chaos or uncertainty, and security decisions that were made a couple of sprints ago may not be valid a few sprints later.
10:27:27 From Richard: @Nathan paranoia should be a part of your team’s culture. If they know why they should have a level of paranoia and do not portray that sense, then they likely do not care about the product or organization.
10:28:12 From Jeff: Agreed. Changing business requirements present a challenge. (Sorry, ET, my mic’s not working.)
10:28:49 From Nathan: Totally agree with that @Richard. Sometimes it’s just difficult teaching people where the line is and how to make those judgement calls.
10:41:10 From Petr: How do you determine “good enough” security or “acceptable” level of risk?
10:45:36 From Daniel: Question: what would you say the breakdown is between automated digital attacks and social engineering, and how has that been changing over time?
10:45:54 From Nathan: +1 Daniel
10:45:59 From Richard: +1
10:52:22 From Petr: Security tests/reviews that found nothing are certainly worthless.
About Ted Harrington:
Ted Harrington is Executive Partner at Independent Security Evaluators, the elite organization of security researchers and consultants widely known for being the first company to hack the iPhone. Harrington has been named both Executive of the Year and 40 Under 40, and he is one of the organizers of the popular hacking event IoT Village. Harrington is a Boston Marathon finisher and holds a bachelor’s degree from Georgetown University.
- LinkedIn https://www.linkedin.com/in/harringtonted/detail/recent-activity/posts/
- Follow Ted on Twitter http://twitter.com/SecurityTed