Lean Lab Recap: Cybersecurity & Lean with Bob West
This past Lean Lab, Taivara had the pleasure of hosting cybersecurity expert Bob West to talk about how to build secure products while still practicing lean methodologies. Bob has over 30 years of experience in cybersecurity, starting as Senior Systems Officer at Citicorp, eventually becoming the first CISO at Fifth Third Bank, and is now CISO at York Risk Services with CareWorks Tech. Here are some insights Bob shared with us:
With so much pressure for companies to be agile, how do they incorporate security into their development process? Doesn’t security slow things down?
Sure, security in product development lengthens the process, but security is ultimately a feature of your product that can differentiate you from your competition. To protect your product is to protect your brand. If you want a quality product, then you need a secure product. Security has to be built in from the beginning. A car manufacturer doesn’t finish building a vehicle and then go back to add quality. Paying attention to security up front is essential; it has to be built in from the beginning. Also, coding a secure front end relieves a lot of responsibility downstream.
Security is ultimately a feature of your product that can differentiate you from your competition.
Try incorporating security measures into your sprints. Always ask your developers, “are you using good security hygiene?” If they ask “what’s that?” then you know there is work to be done.
Whose job is security? Is it QA, the CISO, etc.? How do we ensure both the technical and non-technical people in our organizations are practicing security?
One of the first things you should do before developing is to think about security. The overall architecture of any system should have security designed in from the start. If you don’t, you’re probably not going to be able to scale and will run into performance issues.
For people who don’t fully understand security, there’s a great list online called the OWASP Top 10 List. The list outlines basic security practices to keep in mind when building products that might not be obvious to everyone. It’s a good starting point for developing and testing.
However, everyone is involved in security. A chain is only as strong as its weakest link. Even people not directly involved with the product need to be aware of security issues. At one point we tasked everyone in our office building to challenge anyone not wearing their access badge. We purposefully sent executives to walk around without their badge and rewarded any employee who challenged them with $100. People generally respond to positive incentive.
If security is everyone’s job, then what exactly is the role of a CISO?
A CISO’s role is to set strategic direction on how to protect company information. They not only need to understand security, but they need to understand the direction of the business and ensure that whatever direction the company moves, the information they collect and retain is protected along the way. A CISO needs to write security policy for the organization and educate everyone on how to follow protocol. They need to make sure the company is ready for when things go wrong. They need to put the right team in place and have an incident response plan in place for when it does.
How do we convey the value of security to key stakeholders who may not be too familiar with the subject?
Tie everything back to revenue. Even if your executives don’t understand security, they do understand revenue. Going back to protecting your brand through security, to be secure is to protect your revenue stream. A lot of times executives and project managers will simply accept the risk of certain projects and de-prioritize security, but all those marginally risky issues can build up quickly and become overwhelming. Yes, security requires more effort, but if designed properly it can simplify life when the right things are in the right place.
We at Taivara would like to thank Bob for coming out and sharing his wisdom with us. If you would like to learn more about the talk, or Lean Lab in general, feel free to contact us and we’ll be happy to help.
An event by Taivara