Chaim Mazal is the director of global information security at ActiveCampaign.
Twelve years ago, I started my career in security as a network analyst before quickly moving into penetration testing and ultimately landing in application-specific security. Due to the fast pace of the businesses I’ve worked for, my security experience has had to rapidly evolve. In my roles, I have learned how to be an innovator who could bring structure to the chaos to make a security program succeed.
Having built security programs at three of the five largest startups in Chicago—all of them focused on rapid growth—I have learned the factors that make a security program successful in these environments. Every aspect of a startup must be adaptive due to continuous, dynamic changes within the business, and security is no different.
In order to build a security team that matched the pace of the other segments of the organization, I had to learn how to keep agility top-of-mind while still providing insight into risk and risk reduction across the entire organization. I am sharing my insights to help those who, like me, have had to learn to be adaptive in order to keep their organization’s business goals in mind while implementing a security program that can successfully mitigate risk.
Move from a hard ‘no’ to flexible success criteria
In a traditional security environment, everything is focused on hard and defined criteria. Security analysts define risks and the solutions to mitigate those risks, then implement those solutions—no ifs, ands, or buts. This traditional approach lacks flexibility, and while this rigidity may lead to an extremely safe ecosystem, these hard stops have now become impediments to business growth and innovation. This is especially true in startup environments in which rapid growth is the name of the game and everything has to be negotiable to move toward that goal.
Many security professionals are nervous about building flexibility into their security programs because they worry they won’t have the power to stop vulnerabilities and truly mitigate risk. However, having more flexible success criteria for the security program allows the organization to effectively implement the program without hindering the organization’s ability to deliver its product, especially when it comes to software.
Get organizational buy-in
The key to establishing this type of agility in your security ecosystem is to create a culture of ownership among not only your security team but all teams across the entire organization. When other segments of the business feel they have to buy in to the security program, you can ensure your guidelines are acceptable to business stakeholders to remediate or address security threats on an ongoing basis.
For example, patch management has traditionally been a particularly rigid area in security. Most companies’ patch management programs are defined by extremely strict SLAs, and there’s no room to consider nuances when remediating vulnerabilities. This often means that other teams within the organization just dump all the vulnerabilities on IT or infrastructure and expect them to implement patches without any collaboration or communication.
At my organization, ActiveCampaign, teams work with IT and DevOps to find the appropriate resources within the security team. For example, some issues require personnel who are skilled at mapping dependencies or remediating/upgrading systems in order to remove the various vulnerabilities that have been identified directly. By assigning a security team member with a broader understanding of the business’s overall goals and a deeper understanding of DevOps, my team can find a way to solve the problem without disrupting other business operations.
Every member of the technical team is encouraged to facilitate and guide remediations as an equal player, and security isn’t siloed. This makes us less of a wall and more of a wire that moves throughout the organization to address vulnerabilities in a more flexible way.
Build the right security team and choose the right security tools
In my experience, security is quickly moving from a compliance or reporting function to an engineering function. It is important to keep this in mind when hiring new members of your team. I have personally worked to hire a security team in which members can all roll up their sleeves and work alongside our software developers or DevOps engineers as engineers.
The security team should be a guiding light and serve to offer recommendations to the broader organization. At the same time, every team member has to be able to sit back and understand the business so they can explain how the security plan fits into the unified goals of the company.
Another way our security team has adapted is by gaining real-time visibility into our ever-changing assets. To do that, we use Rapid7’s InsightVM to identify assets that aren’t monitored by agents so that we can deploy new agents to track those assets dynamically. Other vulnerability assessment tools aren’t nearly as flexible and make it harder to keep track of what has coverage and what doesn’t. Because it’s built for the cloud, InsightVM helps us scale at a fast pace in order to deploy and identify everything as we grow.
Keep upper management in the loop
In order to get buy-in from the entire organization, it’s important that we stay in constant communication with executive leadership. As the leader of your security team, you have to be able to clearly assert and align the value of your program to the business values of the broader organization. If you can’t speak management’s language, you won’t be able to get buy-in and your security team will never achieve equality, even within the technical organization.
Security can have very real benefits to the bottom line of the organization. If my security team wants to set up a web application firewall, we know that blocking bots can save us up to 25% on bandwidth costs every month. If the VP of engineering hears that we can save on our Amazon Web Services costs by implementing a new security tool, it becomes a priority. When key leadership views security as a consumer value instead of an incumbent cost on the business, you gain a level of flexibility that gives the security team a lot more traction.
Pass security value onto clients
At the end of the day, what’s important to customers is what’s important to our business. Securing them is what drives our business and should drive your security program. Customers entrust us with their data, and we have an obligation to do everything within our power to secure that data—not only at a compliance level, but to also ensure we have complete control over all data transactions at all times.
Translating the value of security to the organization at large doesn’t have to be difficult. For instance, at ActiveCampaign, we have enterprise-level clientele who take security very seriously. In order to continue to exceed our year-over-year revenue projections, we have to ensure those clients understand our internal security efforts. We produce security questionnaires that are filled out regularly and not only track compliance programs, but also outline additional innovative measures we take as a company, such as an internal red team, that show we are going above and beyond in terms of keeping client data safe.
By building a flexible security team that takes ownership of not just finding vulnerabilities, but also leading the organization in defining and assisting in executing remediation processes, you can better serve both your business and customers. In our view, this is a win for everyone