It’s impossible to build out a really strong IT security program without the solid foundation of a great security team. Pritesh Parekh, VP and CSO of Zuora, winner of the 2016 SC Magazine Award for Best Security Team, shares his best practices for structuring, hiring and managing a high-performing security team that will effectively execute on your security roadmap.

Here are the essentials for building a cohesive team that continually rises to the challenge of protecting your company:

#1: Building your security strategy

Start by understanding how much you need to invest in your security program. These calculations should be based on your legal, regulatory and industry compliance requirements as well as your exposure to business risks. Once you understand your business goals and know how much you need to invest, you can start to build out your security strategy in phases. Start with a small set of security controls to address business risk and construct a baseline upon which you can build. And make sure to incorporate a defense-in-depth approach whereby you have multiple layers of security.

#2: Defining the key functional areas of your security program

The foundation of your security program needs to be the functional areas that you need to support. At Zuora, we identified five key functional areas that were essential to a well-rounded program:

  • Infrastructure Security – Responsible for the security, integrity and confidentiality of all of our customer information.
  • Product Security – Secures our products/services and is also responsible for integrating security into our software development life cycle (SDLC) process, empowering engineers, architects and product managers with security tools and training so that they can make security decisions.
  • Compliance, Privacy and Risk Management – Oversees all regulatory and industry requirements such as PCI, SOC1/2, HIPAA, ISO 27001, and other certifications/attestations.
  • Internal IT and Business Applications – Oversees security of endpoints, physical security, business systems, and applications. It also has the responsibility of security awareness for the entire organization.
  • Field Security – Works with prospects, customers, sales, and our legal team as part of the sales cycle to close security issues for enterprise customer deals and to provide feedback from our customers and prospects. This is the most outward-facing functional area.

#3: Staffing your security team

Before fully staffing, start by hiring leaders with deep domain knowledge who can run each functional pillar. We looked for leaders with complementary backgrounds – e.g. a leader in infrastructure with an operations background – to take on head roles for each functional area.

Candidates should demonstrate a passion for security overall. Equally important are candidates with the right mindset to fit your culture. In our case, we looked for individuals who were collaborative, transparent, open and unquestionably trustworthy. We also looked for strong leadership skills because when you’re running cross-functional projects and working with virtual team members, leadership is essential. The right leader will make essential decisions, take ownership over their functional area, and eventually build out their own teams.

Once you have strong leaders in each security project area, scaling is a natural next step. Team leaders should have the authority to build out their own teams, as dictated by ongoing risk assessments. Each leader should have clear quarterly goals, with measurement criteria and a feedback loop from stakeholders. Leaders are then empowered to take full accountability, continuously raise the bar, and emphasize excellence for their teams.

#4: Creating and managing your security roadmap

Many large security programs have dedicated program management functions to support projects. We don’t. On our team, all team members (even technical team members) are responsible for their own end-to-end program management.

To better keep track of all of our many projects, we created a security roadmap to serve as our “everything resource.” This dashboard provides near real-time insight into all of our security projects, by area, including relevant team members, top risks, resource allocation, and overall investment. Literally every detail is captured on our security roadmap – even the vacation schedules of every single security team member.

When everyone is able to measure the success of their projects in real time using our shared dashboard, we are able to execute at the highest level of efficiency. This dashboard adds structure and clarity to our work, and this operational efficiency means that we can all focus on the main question: “How can we achieve our goals?”

#5: Integrating the security function with the rest of your organization

Every function across Zuora – including engineering, tech ops, sales and marketing, legal, product, finance, HR – integrates with our security team on a regular basis. Our security team looks to the entire organization to help us identify risks, set priorities, and define our overall security mission and strategy.

This leads to a 360-degree view of the technology landscape: we aren’t just covering everything from a security perspective, but gaining stronger coverage by focusing on all the different disciplines and processes across the organization. Potential attackers know that a security team has the production side covered, so they’ll look for gaps in other areas. With 360-degree coverage, you’re better protected. Plus, collaborating cross-functionally helps you earn buy-in and adoption across your organization.

Also important for organizational buy-in is to involve the executive team. Towards this end, we’ve developed a Security Oversight Committee to manage and address top risks, and understand their business impact. This oversight team, which includes members of the executive team, provides transparency into our security risks, what security is doing, and what our competitors are doing.

#6: Measuring your security controls

It’s essential to consistently measure and monitor your security controls. We created a scale against which we continuously evaluate ourselves:

  • Baseline – Small set of security controls which are initially put into place.
  • Scale – Once you’ve set the baseline, you can build out your program in a controlled fashion.
  • Mature – The defined set of controls for what a mature security program looks like for your company – and how you’re going to get there.
  • Leader – Understanding industry best practices and looking to other companies who successfully set a high bar with their security programs.

With constant measurement, we can get a reading on where we currently are as we continually strive to achieve leadership in security.