Building a Culture of Security Consciousness: Getting a Security Program off the Ground as a ‘Department of One’

Recently, our CEO, Josh Zweig, co-hosted a webinar series with Information Systems Security Association (ISSA). He was joined by Chad Brustin, Director of Security at fin-tech company Finfare, and Jake Bernardes, CISO of Gutsy, to discuss approaching building a security program in SMBs as the first security hire.

At Zip we often talk to, and work with, the businesses at the stage of building a Security ‘Department of One’, referring to organizations at the size and stage where they have made their first dedicated security hire. Those operating security ‘departments of one’ are faced with an exciting, yet challenging road ahead. On one hand, they are joining an organization that recognizes and values the investment a security program and department needs. However, being in this position solo also poses a challenge when it comes to balancing priorities, resources, executing as a single-department, and building buy-in across the business.

In this webinar, our three panelists discussed their experience as security leaders, and provided their perspective on how to effectively run a security program. If you’d like to watch the full webinar, check it out here!

Starting out: what to align before you join, and how to hit the ground running

When an organization chooses to make the investment in a security hire, it is a positive indication they are prioritizing security. As the first hire, it’s important to understand the environment you’re joining, and be aligned with the people and prioritizations of the organization to ensure success on the job.

• Understand and align your purpose and responsibilities: understanding and aligning on what the organization understands the role of the security team to be is important. An organization that is only looking for someone to process third party vendor compliance forms, needs to realign on the holistic and complex role of the security department, who is responsible for communicating security risks across the business. Having these conversations early is key.
• Understand what the current landscape is: ensure you build a clear picture of the current tools, processes and ways of working at the organization. This helps you set expectations of what is achievable and set your own expectations of what work you’ll need to achieve. While uncertainty and change is inevitable (especially when thinking about startups), establishing your starting point is key in building mutual understanding of your starting place, and what a realistic security program can look like.
• Build mutual understanding and trust: during the interview process, establishing trust with your leadership is essential in ensuring your ability to succeed in your role and do your job properly. You want to be certain that leadership is committed to building a security program, trusting you with that responsibility, and advocating for what is right, rather than deprioritizing it when it conflicts with other business needs.

In the role: Key Strategies of Success & Building a culture of security

• Be able to Communicate Risk – our conversation emphasized the important, yet nuanced pf the responsibility of a CISO / security lead: it is your role to communicate risk, and how best to manage and mitigate it. The accountability of risk ultimately sits with the CEO, and it is the role of the security team to ensure that the risk is fully understood. This also doubles down on the importance of having trust and alignment from leaders – they should trust your categorization of risks, and align with your recommendation of how to proceed, believing that it aligns with what’s best for the business.
• Build Ownership, Accountability and Clear Documentation – “If security is everyone’s responsibility it is no one’s”: therefore ensure that everyone is aware of processes, and their role and responsibilities, in being a security conscious business. Is everyone clear on sanctioned applications, the tools that should be used, and who the application manager is? More importantly: does the application owner think they are the application manager?
• Build buy-in across the business – it’s your role to enable people to care about security! Communicate why security matters, educate people in an engaging and accessible way. Find a way to make the world of security relatable to other parts of the business: explain to the Sales team how adherence to compliance frameworks will enable them to sell to a wider audience; show the ops team the time-savings with proper tool sanctioning and change controls; demonstrate to the engineering team they need to patch fewer things retroactively if correct procedures are followed. In this way, your goals become their goals.
• Build alignment between security priorities and business priorities – work with leadership to be aligned on what the business priorities are, and how the security-specific priorities directly feed into them. If a hard conversation or decision arises, being able to explain that risking breaching a compliance framework directly risks the business ability to sell and generate revenue helps keep everyone aligned. Mutual understanding that the security guardrails in place allows the business to move faster and safer helps ensure alignment.

A note on trainings

In people’s busy lives, it can be hard to engage them in training. People are the greatest risk to a business, so investing in an effective and engaging workforce education program is important. Take the time to hold inductions with every new employee, put your face to the security program, and build engagement from the very beginning. When constructing a training program, take into account:

• Chose a format that engages and motivates people - make training engaging and exciting by adding interactive exercises, competitions, or gamification. Frequent bite-size modules can help with engagement. If you can, introducing incentives, like prizes, or gift cards for completion can do wonders for engagement.
• Adding Relevance and Context - exercises should be realistic and relevant. If you’re running a phishing exercise, make it similar to attacks you actually are at risk of, and take the time to make it believable and relevant to the user doing it.
• Reinforce good behavior and don’t punish mistakes – if someone fails a simulation or exercise, it should push you to understand why and adjust their learning journey accordingly. Learning through failure is a good thing, as it shows they’re engaging, and gives you an opportunity to identify vulnerabilities. Secondly, maintaining positive relationships is key - you want people to trust you and turn to you if they’re concerned something bad has happened: demonstrate to them via training you’re not in the blame game.

Looking Forward: How to manage as a team of one: what to outsource and when to scale?

In a department of one, there will inevitably be capacity challenges in trying to balance long-term and short-term work, and executing on the necessary day-to-day tasks, while also carving out time for strategy projects and improvements. In navigating this, consider:

1. Keep your priorities at the forefront, socialize them often, and allocate time to work in line with those priorities – this is not unique to a security department of one, but is an essential principle to remember. When capacity is limited, it’s important to be able to say no to the things that are either out of the scope of your department, or not in line with your security program. Your priorities could shift in response to a new activity or risk, but that should be accounted for.
2. Communicate clearly the priorities you’re working on, and subsequently what is deprioritized – in line with above, and a general theme of this conversation, communicating is key. By clearly communicating what priorities are being focused on, the business can decide if additional resources need to be allocated
3. Shift from working defensively to working offensively – what this looks like, is proactively identifying what takes up time or poses high risk, and shifting your processes to get ahead of it. For instance, if you’re wasting a lot of time with individuals reaching out with questions, consider setting up weekly ‘office hours’. Taking proactive ownership over your time is key in staying on top of things.
4. Identify what should be outsourced and automated – find the tools that can automate repetitive, time consuming tasks. Activities like vendor risk management, compliance management, employee on- and off-boarding are also activities that can easily be automated and outsourced. Your time should be focused on the critical, subjective and difficult work that requires human attention.

A final note on scaling

As a department of one, scaling can take several different forms. The obvious form is in an additional hire. However, scaling through automation and outsourcing is increasingly valuable and impactful. Understanding how you can scale your impact through automation and outsourcing is an essential exercise, that can be both cost-saving, and lead to a higher quality security program. Automations allow for reduced human error, continuous monitoring, and real-time responses, in a manner that a human couldn’t do.

As we’ve emphasized throughout this piece, it’s essential to demonstrate how your work contributes to the value of the business. This will be key when budget and resourcing conversations happening. In establishing this, it will give you greater access to resources and budget to invest in both tools and people.

‍

If you’d like to watch the full webinar, check it out here. To stay up to date on Company news, and future events we’re involved with, follow us on LinkedIn.

Interested in learning more on this topic? Check out our article: What cybersecurity tools do you need to build and effective security strategy? and our other articles here.

‍