The Cyber5 Podcast

Building a Security Program for a Fast Growth Technology Company

Episode 49 | July 7, 2021

In episode 49 of The Cyber5, we are joined by Cassio Goldschmidt. Cassio is Senior Director and Chief Information Security Officer at ServiceTitan. We discuss building a security program in late-stage tech startups, including what to prioritize when starting a security program. While tech startups have a mantra of “move fast and break things,” Cassio talks about how a security program should enable the business and adapt to its culture. He also discusses the pitfalls to avoid when starting a program like this.


Here are the 4 Topics We Cover in This Episode:

1) Reasons a Business Starts a Security Program:

It’s critical to understand why a technology company is hiring its first Chief Information Security Officer. Typically it’s for one of four reasons:

  1. Compliance: If a company is in a highly regulated industry, a stronger security program is mandatory.
  2. Reputation: Companies that sell security products, for example, need a reputation for safety that is core to their business model.
  3. Breach: Some companies have a breach and the board mandates a stronger security program.
  4. Customer Demand and Losing Business: Competitors use stronger security programs as a business differentiator, and oftentimes a security program gives consumers or clients peace of mind that their data is safe.

2) Initial Priorities of a Security Program:

The growth of the company is important to understand when starting a security program, because security professionals need to think about where the company will be tomorrow, not just today. New security programs are the “guardians” of business initiatives, not the “gates.” Key tactical aspects of a security program are:

  1. Assess Risk: Perform a risk assessment to baseline maturity as it stands today. Map out the work needed to fix items that are critical to the business, with the understanding that the business cannot stop for security initiatives.
  2. Listen: Engage different parts of the business (sales, marketing, engineering, etc.).
  3. Educate: Build a good educational program to train the workforce.

3) Common Pitfalls to Avoid for Initial Security Programs: 

Common pitfalls a CISO is likely to face when starting a security program include: 

  1. Misconfigurations
  2. Poor patch management
  3. Abuse problems (e.g. spam)
  4. Not centralizing the reporting of spear-phishing emails
  5. No security education for the workforce
  6. Credentials exposed in the wild
  7. Weak password policies
  8. Poor onboarding/offboarding policies, allowing old accounts to remain active and exposed to the internet
  9. Prioritizing nation-state lateral movement or zero-day vulnerabilities when smaller issues could be solved first

4) Enabling Business: “Move Fast But Don’t Break Things”: 

When setting up security programs, security professionals should adopt the mantra of “move fast but don’t break things.” They need to implement their program and remediations, but they must keep constant availability as one of the highest priorities. Other items like red team (penetration testing), blue team (threat hunting), and threat intelligence should be outsourced initially, after the remediations from the risk assessment are complete.

Security professionals should spend department budget as if it were their own personal money, not the company’s money. Understanding what the technologies will do for the program and having a way to show success metrics are important to justifying the spend. Dynamic application analysis tools are important for technology companies, as these ideally protect the main business technology applications.
