The Cyber5 Podcast

Episode 49: The Cyber5 – Building a Security Program for a Fast Growth Technology Company

Episode 49 | July 7, 2021

In episode 49 of The Cyber5, we are joined by Cassio Goldschmidt. Cassio is Senior Director and Chief Information Security Officer at ServiceTitan. We discuss building a security program in a late-stage tech startup, including what to prioritize when starting the program. While tech startups have a mantra of “move fast and break things,” Cassio talks about how a security program should enable the business and adapt to its culture. He also discusses the pitfalls to avoid when starting a program like this.

Here are the 4 Topics We Cover in This Episode:

1) Reasons a Business Starts a Security Program:

It’s critical to understand why a technology company is hiring its first Chief Information Security Officer. Typically it’s for one of four reasons:

  • Compliance: If a company is in a highly regulated industry, a stronger security program is mandatory.
  • Reputation: Some companies, security product vendors for example, depend on a reputation for safety as a core part of their business model.
  • Breach: Some companies have a breach and the board mandates a stronger security program.
  • Customer Demand and Losing Business: Competitors use stronger security programs as a business differentiator and oftentimes a security program gives consumers or clients peace of mind that their data is safe.

2) First Initial Priorities of Security Program:

The growth of the company is important to understand when starting a security program because security professionals need to think about the future of the company tomorrow, not today. New security programs are the “guardians” to secure initiatives, not the “gates.” Key tactical aspects of a security program are:

  • Assess Risk: Perform a risk assessment to baseline maturity as it stands today. Map out the challenges to fix items that are critical to the business with the understanding the business cannot stop for security initiatives.
  • Listen: Engage different parts of the business (sales, marketing, engineering, etc.).
  • Educate: Build a good educational program to train the workforce.

3) Common Pitfalls to Avoid for Initial Security Programs:

Common pitfalls a CISO is likely to face when starting a security program include:

  • Misconfigurations
  • Poor patch management
  • Abuse problems (spam)
  • No central place to report and handle spear-phishing emails
  • No security education for the workforce
  • Employee credentials exposed in the wild (for example, in breach dumps)
  • Weak password policies
  • Poor onboarding/offboarding policies allowing old accounts to remain active and exposed to the internet
  • Prioritizing nation-state lateral movement or zero-day vulnerabilities ahead of smaller issues that can be solved first

4) Enabling Business: “Move Fast But Don’t Break Things”:

When setting up a security program, security professionals should adopt the mantra of “move fast but don’t break things.” They need to implement their program and remediations, but they must keep constant availability as one of the highest priorities. Other functions like red team (penetration testing), blue team (threat hunting), and threat intelligence should be outsourced initially, once the initial remediations from the risk assessment are complete.

Security professionals should spend department budget as if it were their own personal money, not the company’s money. Understanding what a technology will do for the program and having a way to show success metrics are important to justifying the spend. Dynamic application security testing (DAST) tools are important for technology companies because they protect the main business applications directly.
