How to get started with Cybersecurity
- Sergio Visinoni from Sudo Make Me a CTO <makemeacto@substack.com>
Hi, 👋 Sergio here! Welcome to another free post from the Sudo Make Me a CTO newsletter. If you prefer to read this post online, just click the article title. As this is a free newsletter, I do immensely appreciate likes, shares and comments. That's what helps other readers discover it!

How to get started with Cybersecurity

As Engineering Leaders we're often in charge of establishing a culture of cybersecurity from the ground up. We'll explore some ways you can get started and how to think about the next steps.
With the members of my Group Mentoring and Coaching community¹, I recently conducted a deep dive into the topic of security, or rather cybersecurity (in this article, I'll use the two terms interchangeably). The conversation turned out to be very interesting for a few reasons. On the one hand, there is a lot of interest in and demand for support in this area, which many leaders, especially first-time CTOs, struggle with. On the other hand, we had a special guest in the session, someone with a wealth of experience in the cybersecurity space who is also a good friend and a former colleague. In today's article, I'm going to share my reflections after the session and how they helped me frame the topic in a way that brought clarity to my thinking. Let's start by exploring something fascinating about human psychology: recency bias.

Recency Bias and Cybersecurity

According to Wikipedia², Recency Bias can be defined as follows:
We can observe recency bias constantly in how people think and behave: from people's tendency to change their minds based on the last person they spoke to, to the reactive tendency to subscribe to anti-theft insurance or install burglar alarms only after having been the victim of a robbery. Unfortunately, recency bias often plays a key role in another area: cybersecurity incidents, especially those involving data breaches. In a recent study, IBM found this to be true to a surprising degree:
Two-thirds is a lot! And it does make sense. Such incidents are both painful and effective drivers for building awareness of a company's level of vulnerability and the real — not only potential — consequences of such an exposure.

How to use Recency Bias to your advantage

Let's assume you're dealing with a situation similar to the following common scenario. You are in charge of your company's engineering team, a role that sometimes implicitly includes responsibility for cybersecurity. Your company has never faced any severe security incidents. Or maybe it has, but they have gone undetected. A general illusion of security stems from the anecdotal absence of incidents in the company's history, a typical case of mistaking correlation for causality: we must be safe, the reasoning goes, because we haven't had any incidents. The entire organization is so busy shipping features to gain market share that whenever you try to bring up the topic of cybersecurity, you're welcomed with annoyed looks and comments about this not being a priority because we're behind on the target for this quarter, or other similar reasons. If you're a bit luckier, your executive team generally feels we should do something about cybersecurity without knowing exactly what and to what extent. People expect you to magically determine the precise amount of investment the company should make in it. You might feel like you don't know how to get started in such a situation. This is where exploiting — pun intended — recency bias can be an excellent way to kickstart the process. There are three ways you can do that.
All these actions are inherently tactical, but you want to use them strategically. They will be the stepping stone for building the required security and risk awareness in your executive team. Without that support, you'll be left waiting for the next major incident to strike your business before you can make any significant progress. Once you've successfully established these foundations, you can start thinking more holistically about the whole topic. There isn't a specific set of next steps you should take, as we're not going through a Hello World tutorial here. Instead, you'll be evaluating different variables and factors to decide where to go next.

Next steps beyond cybersecurity awareness

Let's assume you've successfully established a solid foundation of cybersecurity awareness in your organization. You regularly perform pen tests and security audits, and you have an internal process for triaging and addressing the findings. Where do you go from there? The answer, as is often the case, is: it depends. There are a few factors you might want to consider to help you decide on the next move, and they include the following:

Company size and maturity

If your company is still in its early stages, burning through cash while trying to find product-market fit or sustainable growth, you might be OK keeping your security investments mostly at a reactive level. There is little at stake, and the deployment of defenses should be commensurate with that. Keeping your focus on regular vulnerability detection and remediation, plus a solid incident management process, could be all you need at this stage. Like everything else in tech, there is such a thing as overinvesting in cybersecurity, and you want to avoid that as much as you want to avoid underinvesting. Suppose your company is at a later stage, the ambiguous one commonly labeled as scale-up. In that case, you might consider a shift left on security, going from reactivity and post-facto mitigations to prevention.
This is when you might consider hiring a Head of Security, CISO, or similar figure to help you shape a holistic cybersecurity strategy and agenda. Finally, suppose your company is generating steady profits and has a solid market position. In that case, you will likely have recurring interactions with the board of directors on cybersecurity. You will set overall company targets for reducing cybersecurity risk considerably going forward. You'll want a Head of Security/CISO to be in place and one or more security teams focused on enabling the organization across the different steps of the software development lifecycle, IT governance, and compliance with regulations.

Industry context

Some companies operate in highly regulated markets depending on a combination of their industry segment and the geographical locations where they offer their services. GDPR is just the example most of us are familiar with. Still, plenty of regulations go beyond the privacy space and touch on the broader responsibility required for a company to operate in specific sectors, finance and healthcare being the most obvious ones. Keeping an eye on what is going on in some of these sectors is beneficial even if your company does not operate in them, as regulations tend to gradually expand to cover people's right to see their personal data protected across all industries. Operating in specific sectors will also require you to obtain security-related certifications such as SOC 2, especially when offering services to B2B clients. That will apply even if your company is relatively small. Other factors will also influence how much to invest and where. These include the cybersecurity skills and competence of your team, the composition of your board of directors, and/or the profile of new investors putting money into your company.
Even your ability to keep up with the pace of new vulnerabilities discovered in your stack, and the tension this generates with the need to deliver software improvements, is a signal that should inform your decision. The bottom line is that you'll build your overall security strategy in increments, and during the early phases this will be much more bottom-up than top-down. Your ability to build a comprehensive cybersecurity agenda is a function of your ability to raise awareness and clarify the level of risk your company is comfortable facing in the early stages, and of how much you can evolve that sentiment as the company grows. That responsibility lies with the person in charge of the engineering team. It is one of the many areas where your ability to communicate and influence will be equally valuable, if not more so, than your hard skills in the domain.

If you found this valuable

If you found this valuable, here are other ways I can help you and your company:
1 In case you don't know what I'm talking about, this is a product I recently launched. I published the announcement a couple of months ago in another article. Signup is closed now, and I plan to open up more seats sometime in November. If you want to be notified when that happens, you can join the waitlist here.

3 Source article https://www.cybersecuritydive.com/news/data-breach-recovery-investments/728825/#:~:text=Data, which links to the full IBM study

Sudo Make Me a CTO is a free newsletter edited by Sergio Visinoni. If you found this post insightful, please share it with your network using the link below. If you or your company need help with one of the topics I talk about in my newsletter, feel free to visit my website where you can schedule a free 30-minute discovery call. I'd be delighted to investigate opportunities for collaboration!