If you’re working at a company that doesn’t have a senior security lead or CISO, and you are either in a regulated market or selling to large enterprise clients, your company will need to invest in a security program.
This can be a great opportunity for advancement, a raise, and career growth. Or maybe you’re the CTO or Head of Product and are stuck wearing the security hat for your company. Congratulations, you’ve reached the top – now you just need to execute!
Below is a step-by-step guide to what you will need in order to be the security lead for your company:
Step 1: Understand your Market/Client Requirements
There are industry-specific guidelines and open source resources you can reference, but chances are your clients are going to tell you what you need. It's worth pointing out that in North America the common security standard for a software company is SOC 2 (an attestation report issued by an auditor, not a certificate). In Europe and most other international markets it's ISO 27001, the certifiable standard, with ISO 27002 as the accompanying guidance on implementing its controls. Then there are specific frameworks for certain industries, such as FedRAMP for selling into the US Federal Government and HITRUST for selling into US healthcare.
If your clients don't require SOC 2, ISO 27001, etc., great! Your job just got easier and less costly.
Step 2: Prioritize Your Security Roadmap
Unfortunately, getting certified against a framework costs money, time and resources. Get a handle on what your core set of clients actually require and prioritize from there.
Note: if you are pre-revenue or early-stage, a common strategy is to gate your costs as best you can. Depending on what's required, you can accomplish this in a number of ways. Focus early on ensuring that your client-facing security deliverables (questionnaire responses, policy summaries, and the like) can be turned around quickly and completely, clearly demonstrating your current security posture and your roadmap to future certification.
The key here is to create a plan and demonstrate what tools and resources you will need to get the job done.
There are three key things you will need:
Step 3: Find a Software Company/Service Provider to Help you Prepare for Certification
When evaluating software, focus on how it gets you where you need to be faster and how it provides an opportunity to scale your InfoSec program.
What not to do: present a plan built on manual processes that lean on Excel spreadsheets, shared folders, etc.
If you don’t know much in the way of security controls, find a product that provides guidance on how to implement them, or secure budget to bring in a consultant.
What to look for:
Step 4: Define Your Process for Responding to Client Security Due-Diligence Requests
Responding to Security Questionnaires:
You can do this in spreadsheets, but that isn't scalable. The best case is to find a product that links your InfoSec program to the questionnaire workflow so you can automate it. Buying two separate products, one to run your InfoSec program and one to respond to security questionnaires, becomes a burden, because you will have to keep both sets of data in sync continuously. To help enable sales you will also want to produce an assurance document that describes your security program.
Audits: capturing evidence, tests, incidents:
You will need a process that defines how you will verify that the appropriate policies and controls are actually being followed. Supporting evidence (documents, test results, incident records) should be captured and tagged to the specific policies and controls it supports, for ease of reference during an audit.
Things to answer:
There you have it. This is a playbook for becoming your company’s security lead: understand your client requirements, plan to scale, and bring in the appropriate resources to get the job done.