The Cyber5 Podcast

Building and Implementing Security Programs within Fast Growing Technology Companies

Episode 51 | August 04, 2021

In episode 51 of The Cyber5, we are joined by Chris Castaldo. Chris is the Chief Information Security Officer for CrossBeam and has been CISO for a number of emerging technology companies.

 

In this episode, we talk about his newly released book, “Start-Up Secure” and how different growth companies can implement security at different funding stages. He also talks about the reasons security professionals should want to be a start-up CISO at a growing technology company and how success can be defined as a first time CISO. We also talk about how start up companies can avoid ransomware events in a landscape that is not only constantly changing but also gives little advantage for defenders of small and medium sized enterprises.

 

Here are the Two Topics We Cover in This Episode:

1) 4 Security Lessons for Founders of Start-up Technology Companies:

When a B2B company is pre-seed or before Series A funding, customers might have leeway for lax cybersecurity controls. However, after an A round, policies, certifications (SOC2 or ISO27001), procedures will be required to ensure customer data is staying safe. A B2C technology company might not be asked by the public for certifications, but auditors and regulators may. Basic policies include:
 

  1. Single Sign-On or an Okta authentication into applications, cloud, and workstations
  2. Password management implementation (LassPass or OnePassword)
  3. Encryption at rest and transit
  4. Vulnerability scanning

2) Combating Ransomware from The Inside-Out Approach and Integrating Threat Intelligence: 

Blocking and tackling from inside-out to get in front of ransomware is challenging. The simple items to tackle are the following:

  1. Auto-updates for patch management on operating systems
  2. Endpoint Detection and Response products
  3. Proper asset management to have full visibility on all network devices and services

At the point when resilience and compliance controls are in place and an organization can bounce back from an incident in a timely manner, adversary insights via threat intelligence is a logical next step.

Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks