Building Enterprise Security Through Trust and Visibility
By Pritesh Parekh
Zuora VP & CSO
Information is at the heart of today’s modern businesses, which is why now, more than ever, security professionals need to take a proactive approach to security to protect this valuable asset.
The first step to defining your security strategy is to determine how much your organization should be investing in security. To make this determination, evaluate your compliance requirements (legal, regulatory, and industry), your exposure to business risk and the financial impact of a breach, and your business and sales drivers (i.e., is a strong security program the kind of competitive advantage you need to win business?). This is a collaborative effort, wherein you provide visibility into your security plans while gaining insight into all areas of your organization.
Once you’ve evaluated these criteria and calculated your security investment, you’re ready to define your security strategy, keeping in mind:
- Business alignment. Your security vision, mission, and goals should be in alignment with your overall business objectives. Your goal is to support your business, not stand separate from it.
- Phased approach. When it comes to building out your security program, start small. Set a foundation of a small set of security controls and then build out from there.
- Defense-in-depth. If you have multiple security layers, then, even if one layer is compromised, your information will still be protected.
With your security strategy in place, you’re ready to build out your program bearing in mind these top considerations:
1. 360-degree security program view. The most effective security programs encompass people, process and technology across the entire organization. Start by defining what I like to call “pillars of protection” and then build a consistent set of policies, procedures and governance framework across these pillars. For example:
- Infrastructure security. The systems and network that run your internal and external products and services. This should include security of your networks, your virtual instances running in the cloud, the network devices you operate, etc.
- Product security. As you build out your product and your services, constantly be improving security as part of the product life cycle. This includes such things as continuous testing of your products and services.
- Corporate and personnel security. Security of your business processes, business applications, endpoints, and employee security awareness.
- Compliance and privacy. Relevant laws, regulations, and industry compliance requirements.
2. Be clear on compliance obligations. How you’re able to deliver services to your customers will be dependent on compliance requirements. So you’ll need to incorporate compliance requirements into your product lifecycle and security program.
3. Simplify your stack. Security stacks are overloaded. Organizations are so concerned with security that they add too many security tools to their technology stack. Keep your stack simple by being very thoughtful when adding new tools, ensuring that each one will add real value to your overall security program.
4. Continuous security. Security should be embedded in every single step along the product lifecycle. Traditional security can’t scale in a rapid product release cycle, so security can’t just be the gatekeeper. Instead, developers, architects, and product managers should be trained in security best practices and equipped with the necessary tools and technology to make smart security decisions.
5. Building a security culture. Every employee within an organization should feel that they are responsible for security. And every employee should receive continuous targeted security training.
6. Proactive hunting. You want to find any security flaws before a hacker does. This requires ongoing security testing from infrastructure to endpoints. And don’t just rely on internal testing; engage third-party testers as well.
7. Breach and incident response plan. Even when you do everything right, you still may face a data breach. You should prepare in advance for such an unwelcome event by developing a breach preparedness playbook that provides step-by-step instructions for your response.
If nothing else, the main takeaway here is to be proactive. Security should never be an afterthought, nor can it stand alone within an organization. A successful security program requires buy-in, planning and continuous improvement. By building a clear security plan and providing visibility into it, you build organizational confidence. When your company stands behind its security program, security becomes a driving function, protecting your customers and your organization.
Zuora VP & CSO Pritesh Parekh was recently recognized as a finalist in the ISE® West Executive Awards 2016 along with Jason Lish from Charles Schwab, Darren Challey from Expedia, and Saikat Maiti from Personal Capital. During the Executive Forum, Pritesh delivered a succinct presentation on how security professionals can take a more proactive approach to building a comprehensive security program.