On arecent episode of the Confident Defense podcast, host Conor Sherman interviewed Crossbeam CISO and author Chris Castaldo. (Did you catch Symmetry Systems CEO Mohit Tiwari on the podcast in 2021?) Their conversation ranged from the practical to the philosophical, and packed in lessons for both start-up executives and security professionals. Watch the full video below, or read on for some key takeaways from their conversation.
Adopting An “Inside-Out” Security Strategy
Castaldo set out to write his book,Start-Up Secure: Baking Cybersecurity into your Company from Founding to Exit, after observing that the organizations and security teams he worked with over the course of his decades-long career in cybersecurity faced the same problems over and over again. What if the top 10 book recommendations for startup founders included cybersecurity knowledge alongside more commonly discussed topics like product development, go-to-market strategies, and accounting? Castaldo wrote the book to help arm entrepreneurs, founders, and leadership teams with the security knowledge they need to implement security principles from day one, even if they aren’t cybersecurity experts.
“If you work your way out, it’s a lot easier to boil the ocean.”
On the Confident Defense podcast, Castaldo explains his idea of an inside-out approach. The basic premise is to secure the assets, data, and resources you are working with, no matter how small or limited they are at the start. “Most organizations probably have a relatively good idea of where their data lives,” Castaldo said. “So you put controls around the data because we have the advantage of knowing where the attacker is going to go.” From there, Castaldo suggests working your way out to apply security controls within the systems where the data resides, then to the people and processes that access the data through those systems.
“If you work your way out, it’s a lot easier to boil the ocean,” Castaldo said. Applying controls from the inside-out allows security teams to evolve organically in tandem with company growth. Instead of scrambling to build a complex security strategy in response to a regulatory mandate, taking manageable bites from the beginning helps startup founders and executives deal with what they don’t know about cybersecurity.
Even for pre-seed start-up founders, the inside-out approach will help protect whatever assets the company is working with. “You may not have a product yet,” Sherman said, “but you have money, you have a pitch deck, and you have email.” Pre-seed founders should start by protecting those assets, even if they don’t yet have a viable product or sensitive data to work with. Then security controls can expand as the company grows. “Your sales team grows with you,” Castaldo explained. “You don’t start a company and suddenly have SDRs and AEs and account managers and customer success; these all come at certain inflection points. So should security.”
Turning Security Professionals Into Business Leaders
Sherman and Castaldo also discussed the importance of security professionals aligning themselves with — instead of against — other executive-level decision makers. For security leaders to become business leaders, Castaldo suggests zooming out from the day-to-day of cybersecurity work. “The criticality of knowing what’s happening around you is really important to what you’re building in that organization,” Castaldo said.
“Understand the direction the business is going so you can work that into the controls you’re building. Because the business is going to do what it’s going to do if you come along or not. You will just get left behind.”
Understanding what marketing, sales, and HR teams are doing, for example, will help security professionals apply their solutions in a way that moves the business forward instead of holding it back. Castaldo made the case that a security leader’s job is to make critical processes more secure, instead of jumping to replace them wholesale when they’re not already secure. “Understand the direction the business is going so you can work that into the controls you’re building,” Castaldo said. “Because the business is going to do what it’s going to do if you come along or not. You will just get left behind.”
Developing that mutual understanding and spirit of collaboration with other department leaders also helps security professionals assess and manage risk. Instead of making risk the burden of isolated cybersecurity experts operating in a vacuum, every business leader in a company should contribute their unique, unbiased expertise to those decisions. “It’s negotiating, at the end of the day,” said Castaldo. “It’s that back and forth to find where is the reasonable middle for you to get what you want, for me to get what I want, and to make sure the business is accepting the right risks.”
Finding The Right Time To Invest In Cybersecurity
The idea of baking in cybersecurity from day one requires a low-cost or even free approach during those early stages. But at a certain point, every high-growth start-up will need to graduate to more extensive security tools. Castaldo identified a few important indicators that it’s time for a start-up to make serious security investments:
Customer contracts: When topics like security audit, breach notification, and vulnerability scanning requirements are folded into contracts with your start-up customers, you’ll want a dedicated security professional who can decipher those clauses and deliver on those promises.
Spreadsheet scroll: Asset management might make sense in a spreadsheet on day one, for example, but when you have to scroll to see the full list of devices, serial numbers, and users in your organization, it’s time to find a dedicated software tool.
Engineering hires: Hiring full-time engineering staff is a good indicator that it’s time to hire a full-time security professional. The indication is that your product has reached a certain level of sophistication, and it makes sense to look for a security hire to complement that engineer’s skillset and protect their efforts.
“You need really strong controls around your data because you know what an attacker is going to go for. You know what is valuable, so why not put extra controls around it?”
When the time comes, Castaldo’s number one recommendation for start-ups investing in foundational security tools is two-factor or multi-factor authentication. Then do your research, and prioritize the strategies and tools that protect against the most common attacks and prepare your organization to respond when attacks do occur.
For later stage organizations, production environments and customer data come into play. Castaldo also mentioned that Crossbeam uses Symmetry Systems for data store detection response and described how Symmetry allows them to wrap security controls around all the company’s data stores. “You need really strong controls around your data because you know what an attacker is going to go for,” Castaldo said. “You know what is valuable, so why not put extra controls around it?”
Increasing Adoption by Making Cybersecurity More User Friendly
In closing, Castaldo discussed the problem of user experience when it comes to cybersecurity. The existence of cybersecurity awareness roles to get people on board indicates just how much work there is to do; “We have to do a lot to sell cybersecurity to people,” Castaldo said. “We’d like to get to the point where it’s as built in as crossing the street. You look left, right, left again. Or you get into your car and you put on your seatbelt.”
“We miss the point that there are humans using these things at the end of the day.”
The barrier to entry for cybersecurity remains incredibly high. That’s one of the reasons Castaldo wrote Start-Up Security, and it also anchors his vision for the future of the field. “We miss the point that there are humans using these things at the end of the day,” Castaldo said. “We’re not making it really easy on ourselves to make it palatable to the end user.” He suggested taking inspiration from product-led development, in which the idea is to make adopting a product or service as simple as possible.
The one-click future of cybersecurity may be far off, but Castaldo believes that heading in that direction will help security professionals design better controls and help drive top-line revenue for their organizations at the same time. Until that day, visibility goes a long way toward building cybersecurity awareness and helping security teams enroll their colleagues in baking in security from the get go. That’s where Symmetry Systems can help; with information flow tools that provide visibility and traceability at the data object level, Symmetry DataGuard can help your cloud-security team take an evidence-based approach to tighten IAM policies around data. Contact us today to learn more.