<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Pritesh Parekh, Author at Security Current</title>
	<atom:link href="/author/pritesh-parekh/feed/" rel="self" type="application/rss+xml" />
	<link>/author/pritesh-parekh/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 02:05:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Pritesh Parekh, Author at Security Current</title>
	<link>/author/pritesh-parekh/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Building Enterprise Security Through Trust and Visibility</title>
		<link>/building-enterprise-security-through-trust-and-visibility/</link>
					<comments>/building-enterprise-security-through-trust-and-visibility/#respond</comments>
		
		<dc:creator><![CDATA[Pritesh Parekh]]></dc:creator>
		<pubDate>Fri, 29 Jul 2016 13:05:44 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16345</guid>

					<description><![CDATA[<p>Information is at the heart of today’s modern businesses, which is why now, more than ever, security professionals need to take a proactive approach to security to protect this valuable&#8230;</p>
<p>The post <a href="/building-enterprise-security-through-trust-and-visibility/">Building Enterprise Security Through Trust and Visibility</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Information is at the heart of today’s modern businesses, which is why now, more than ever, security professionals need to take a proactive approach to security to protect this valuable asset.</p>
<p>The first step to defining your security strategy is to determine how much your organization should be investing in security. To make this determination, evaluate your compliance requirements (legal, regulatory, and industry), your exposure to business risk and the financial impact of a breach, and your business and sales drivers (i.e., whether a strong security program is the kind of competitive advantage you need to win business). This is a collaborative effort, wherein you’re providing visibility into your security plans while gaining insight into all areas of your organization.</p>
<p>Once you’ve evaluated these criteria and calculated your security investment, you’re ready to define your security strategy, keeping in mind:</p>
<ul>
<li><strong>Business alignment.</strong> Your security vision, mission, and goals should be in alignment with your overall business objectives. Your goal is to support your business, not stand separate from it.</li>
<li><strong>Phased approach.</strong> When it comes to building out your security program, start small. Set a foundation of a small set of security controls and then build out from there.</li>
<li><strong>Defense-in-depth.</strong> If you have multiple security layers, then, even if one layer is compromised, your information will still be protected.</li>
</ul>
<p>With your security strategy in place, you’re ready to build out your program bearing in mind these top considerations:</p>
<p><strong>1. 360-degree security program view.</strong> The most effective security programs encompass people, process and technology across the entire organization. Start by defining what I like to call “pillars of protection” and then build a consistent set of policies, procedures and governance framework across these pillars. For example:</p>
<ul>
<li><strong>Infrastructure security.</strong> The systems and network that run your internal and external products and services. This should include security of your networks, the virtual instances you run in the cloud, the network devices you&#8217;re running, etc.</li>
<li><strong>Product security.</strong> As you build out your product and your services, constantly be improving security as part of the product life cycle. This includes such things as continuous testing of your products and services.</li>
<li><strong>Corporate and personnel security.</strong> Security of your business processes, business application, endpoints, and employee security awareness.</li>
<li><strong>Compliance and privacy.</strong> Relevant laws, regulations, and industry compliance requirements.</li>
</ul>
<p><strong>2. Be clear on compliance obligations.</strong> How you’re able to deliver services to your customers will depend on compliance requirements, so you’ll need to incorporate those requirements into your product lifecycle and security program.</p>
<p><strong>3. Simplify your stack.</strong> Security stacks are overloaded. Organizations are so concerned with security that they’re adding too many security tools to their technology stack. Keep your stack simple by being very thoughtful when adding new tools, ensuring that each will add real value to your overall security program.</p>
<p><strong>4. Continuous security.</strong> Security should be embedded in every single step along the product lifecycle. Traditional security can’t scale in a rapid product release cycle, so the security team can’t be the sole gatekeeper. Instead, developers, architects, and product managers should be trained in security best practices and equipped with the tools and technology they need to make smart security decisions.</p>
<p><strong>5. Building a security culture.</strong> Every employee within an organization should feel that they are responsible for security. And every employee should receive continuous targeted security training.</p>
<p><strong>6. Proactive hunting.</strong> You want to find any security flaws before a hacker does. This requires ongoing security testing from infrastructure to endpoints. And don’t rely on internal testing alone; engage third-party testers as well.</p>
<p><strong>7. Breach and incident response plan.</strong> Even when you do everything right, you may still face a data breach. Prepare in advance for such an unwelcome event by developing a breach preparedness playbook that provides step-by-step instructions for your response.</p>
<p>If nothing else, the main takeaway here is to be proactive. Security should never be an afterthought, nor can it stand alone within an organization. A successful security program requires buy-in, planning and continuous improvement. By building a clear security plan and providing visibility into it, you build organizational confidence. When your company stands behind its security program, security becomes a driving function, protecting your customers and your organization.</p>
<p><em>Zuora VP CSO, Pritesh Parekh, was recently recognized as a finalist in the ISE® West Executive Awards 2016 along with Jason Lish from Charles Schwab, Darren Challey from Expedia, and Saikat Maiti from Personal Capital. During the Executive Forum, Pritesh delivered a succinct presentation on how security professionals can take a more proactive approach to building a comprehensive security program. <a href="http://www.securitycurrent.com/resources/files/articles/Building%20Enterprise%20Security%20Through%20Trust%20and%20Visibility%20(1).pdf">Click here to view the presentation.</a></em></p>
]]></content:encoded>
					
					<wfw:commentRss>/building-enterprise-security-through-trust-and-visibility/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>6 Key Steps to Building an Award-Winning Security Team</title>
		<link>/6-key-steps-to-building-an-award-winning-security-team/</link>
					<comments>/6-key-steps-to-building-an-award-winning-security-team/#respond</comments>
		
		<dc:creator><![CDATA[Pritesh Parekh]]></dc:creator>
		<pubDate>Tue, 17 May 2016 13:53:20 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16367</guid>

					<description><![CDATA[<p>It’s impossible to build out a really strong IT security program without the solid foundation of a great security team. Pritesh Parekh, VP and CSO of Zuora, winner of the&#8230;</p>
<p>The post <a href="/6-key-steps-to-building-an-award-winning-security-team/">6 Key Steps to Building an Award-Winning Security Team</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>It’s impossible to build out a really strong IT security program without the solid foundation of a great security team. Pritesh Parekh, VP and CSO of Zuora, winner of the 2016 SC Magazine Award for Best Security Team, shares his best practices for structuring, hiring and managing a high-performing security team that will effectively execute on your security roadmap.</em></p>
<p>Here are the essentials for building a cohesive team that continually rises to the challenge of protecting your company:</p>
<p><strong>#1: Building your security strategy</strong></p>
<p>Start by understanding how much you need to invest in your security program. These calculations should be based on your legal, regulatory, and industry compliance requirements as well as your exposure to business risks. Once you understand your business goals and know how much you need to invest, you can start to build out your security strategy in phases. Start with a small set of security controls to address business risk and construct a baseline upon which you can build. And make sure to incorporate a defense-in-depth approach whereby you have multiple layers of security.</p>
<p><strong>#2: Defining the key functional areas of your security program</strong></p>
<p>The foundation of your security program needs to be the functional areas that you need to support. At Zuora, we identified five key functional areas that were essential to a well-rounded program:</p>
<ul>
<li><strong>Infrastructure Security</strong> – Responsible for the security, integrity and confidentiality of all of our customer information.</li>
<li><strong>Product Security</strong> – Secures our product/services and also is responsible for integrating security into our software development life cycle process (SDLC), empowering engineers, architects and product managers with security tools and training so that they can make security decisions.</li>
<li><strong>Compliance, Privacy and Risk Management</strong> – Oversees all regulatory and industry requirements such as PCI, SOC 1/2, HIPAA, ISO 27001, and other certifications and attestations.</li>
<li><strong>Internal IT and Business Applications</strong> – Oversees security of endpoints, physical security, business systems, and applications. It also has responsibility for security awareness across the entire organization.</li>
<li><strong>Field Security</strong> – Works with prospects, customers, sales, and our legal team as part of the sales cycle to close security issues for enterprise customer deals and to bring back feedback from our customers and prospects. This is the most outward-facing functional area.</li>
</ul>
<p><strong>#3: Staffing your security team</strong></p>
<p>Before fully staffing, start by hiring leaders with deep domain knowledge who can run each functional pillar. We looked for leaders with complementary backgrounds &#8211; e.g. a leader in infrastructure with an operations background &#8211; to take on head roles for each functional area.</p>
<p>Candidates should demonstrate a passion for security overall. Equally important are candidates with the right mindset to fit your culture. In our case, we looked for individuals who were collaborative, transparent, open and unquestionably trustworthy. We also looked for strong leadership skills because when you’re running cross-functional projects and working with virtual team members, leadership is essential. The right leader will make essential decisions, take ownership over their functional area, and eventually build out their own teams.</p>
<p>Once you have strong leaders in each functional area, scaling is a natural next step. Team leaders should have the authority to build out their own teams, as dictated by ongoing risk assessments. Each leader should have clear quarterly goals, with measurement criteria and a feedback loop from stakeholders. Leaders are then empowered to take full accountability, continuously raise the bar, and emphasize excellence for their teams.</p>
<p><strong>#4: Creating and managing your security roadmap</strong></p>
<p>Many large security programs have dedicated program management functions to support projects. We don’t. On our team, all team members (even technical team members) are responsible for their own end-to-end program management.</p>
<p>To better keep track of all of our many projects, we created a security roadmap to serve as our “everything resource.” This dashboard provides near-real-time insight into all of our security projects, by area, including relevant team members, top risks, resource allocation, and overall investment. Literally every detail is captured on our security roadmap &#8211; even the vacation schedules of every single security team member.</p>
<p>When everyone is able to measure the success of their projects in real time using our shared dashboard, we are able to execute at the highest level of efficiency. This dashboard adds structure and clarity to our work, and this operational efficiency means that we can all focus on the main question: “How can we achieve our goals?”</p>
<p><strong>#5: Integrating the security function with the rest of your organization</strong></p>
<p>Every function across Zuora &#8211; including engineering, tech ops, sales and marketing, legal, product, finance, HR &#8211; integrates with our security team on a regular basis. Our security team looks to the entire organization to help us identify risks, set priorities, and define our overall security mission and strategy.</p>
<p>This gives us a 360-degree view that goes beyond technology: we aren’t just covering everything from a security perspective, but gaining stronger coverage by focusing on all the different disciplines and processes across the organization. Potential attackers know that a security team has the production side covered, so they’ll look for gaps in other areas. With 360-degree coverage, you’re better protected. Plus, collaborating cross-functionally helps you earn buy-in and adoption across your organization.</p>
<p>Also important for organizational buy-in is to involve the executive team. Towards this end, we’ve developed a Security Oversight Committee to manage and address top risks, and understand their business impact. This oversight team, which includes members of the executive team, provides transparency into our security risks, what security is doing, and what our competitors are doing.</p>
<p><strong>#6: Measuring your security controls</strong></p>
<p>It’s essential to consistently measure and monitor your security controls. We created a scale against which we continuously evaluate ourselves:</p>
<ul>
<li><strong>Baseline</strong> &#8211; Small set of security controls which are initially put into place.</li>
<li><strong>Scale</strong> &#8211; Once you’ve set the baseline, you can build out your program in a controlled fashion.</li>
<li><strong>Mature</strong> &#8211; The defined set of controls for what a mature security program looks like for your company &#8211; and how you’re going to get there.</li>
<li><strong>Leader</strong> &#8211; Understanding industry best practices and looking to other companies who have successfully set a high bar with their security programs.</li>
</ul>
<p>With constant measurement, we can get a reading on where we currently are as we continually strive to achieve leadership in security.</p>
]]></content:encoded>
					
					<wfw:commentRss>/6-key-steps-to-building-an-award-winning-security-team/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>IoT Security: Think Beyond Data</title>
		<link>/iot-security-think-beyond-data/</link>
					<comments>/iot-security-think-beyond-data/#respond</comments>
		
		<dc:creator><![CDATA[Pritesh Parekh]]></dc:creator>
		<pubDate>Fri, 13 Nov 2015 20:01:27 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16491</guid>

					<description><![CDATA[<p>In today’s Internet of Things (IoT) world, every device can communicate and be connected to the Internet &#8211; from your refrigerator to your lights and cars. IoT’s glitter is often&#8230;</p>
<p>The post <a href="/iot-security-think-beyond-data/">IoT Security: Think Beyond Data</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In today’s Internet of Things (IoT) world, every device can communicate and be connected to the Internet &#8211; from your refrigerator to your lights and cars. IoT’s glitter is often dimmed by legitimate security concerns.</p>
<p>Just as the power of this new technology can make our lives easier and immensely more delightful, IoT put into the wrong hands could lead to very undesirable results. Fortunately, there are principles to be applied that can mitigate risk in our highly connected world.</p>
<p>It seems the security spotlight has been solely focused on data breaches and the resultant loss of privacy and risk of identity theft, but what about the physical and in some cases life-threatening risks at play?</p>
<p>Let’s consider car break-ins in the past and in the future. For a car that isn’t connected to the Internet, its physical security is at risk and customers may bear the loss of an expensive music system or personal valuables. With a connected car, we risk a systemic cybersecurity threat with results potentially as severe as a remote car hijacking with you still in the driver’s seat.</p>
<p>This is just one example of where a lack of security poses life-threatening dangers. As more and more devices around us are connected to the Internet, we become more susceptible to these types of threats.</p>
<p>Risk goes beyond the personal: recent incidents, such as the Chrysler Jeep Cherokee hack, also threaten customer confidence in a brand and cause financial loss. Chrysler had to physically recall 1.4 million vehicles, and the substantial impact was felt by the IoT industry as a whole.</p>
<p>Although very real and potentially life-threatening, these problems can be solved, and the sector should take action and prove this to skeptical consumers in order for the industry to continue advancing.</p>
<p>Securing the realm of IoT requires applying two basic principles of information security: strong authentication and secure communication. The current leading solution to apply these principles has existed for decades in the form of Public Key Infrastructure (PKI). PKI is a foundation of trust that enables security by providing strong authentication and encryption services.</p>
<p>Let’s go back to the connected car example. Communication between the car and its connected services requires strong authentication. The car system must not accept commands from a third party without properly ensuring the commands actually came from an authorized user of the car. One way to mitigate this risk is to perform mutual authentication where the car authenticates the service and the service authenticates the car.</p>
<p>In addition to strong mutual authentication, devices need a secure channel to communicate with the service to ensure confidentiality and data integrity. This can be implemented using high-strength encryption protocols between the device and connected services.</p>
<p>Digital certificates and asymmetric cryptography enable such strong encryption when devices and services are configured to leverage them appropriately. PKI is the common technology underlying both strong authentication and secure communications.</p>
<p>When you use a computer or phone to connect to an Internet service, such as your email, you normally input a username, password, and in some cases, a token for authentication. Because most IoT devices have a small form factor, they do not possess interfaces such as a keyboard. This is where PKI becomes the solution. With PKI, a device can have a digital certificate installed and managed by a secure service that allows the device to mutually authenticate without further human interaction.</p>
<p>PKI has a number of use cases beyond IoT, including mutual authentication for APIs, endpoint authentication, and secure remote access to production systems. Although PKI has the potential to address all of the above considerations, it brings its own unique set of challenges.</p>
<p>The Internet of Things is a constantly evolving and growing field. The potential volume of devices presents scaling challenges never before encountered, from digital certificate provisioning to validation.</p>
<p>It’s clear that cyber security must unite with physical safety at the top of every IoT company’s primary considerations. The Jeep Cherokee hack wasn’t just a wake-up call for the automobile industry &#8211; it was a lesson for all companies with devices that connect to the Internet.</p>
]]></content:encoded>
					
					<wfw:commentRss>/iot-security-think-beyond-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
