In episode 49 of The Cyber5, we are joined by Cassio Goldschmidt. Cassio is Senior Director and Chief Information Security Officer at ServiceTitan. We discuss building a security company in late stage tech startups, including what to prioritize when starting a security program. While tech startups have a mantra of “move fast and break things,” Cassio talks about how a security program should enable business and adapt to the culture. He also discussed the pitfalls to avoid when starting a program like this. 

4 Topics Covered in this Episode:

1. Reasons a Business Starts a Security Program:

It’s critical to understand why a technology company is hiring it’s first Chief Information Security Officer. Typically it’s for one of four reasons:

1. Compliance: If a company is in a highly regulated industry, a stronger security program is mandatory.
2. Reputation: Security products, for example, need to have the reputation of safety being core to their business model. 
3. Breach: Some companies have a breach and the board mandates a stronger security program.
4. Customer Demand and Losing Business: Competitors use stronger security programs as a business differentiator and oftentimes a security program gives consumers or clients peace of mind that their data is safe.

1. First Initial Priorities of Security Program

The growth of the company is important to understand when starting a security program because security professionals need to think about the future of the company tomorrow, not today. New security programs are the “guardians” to secure initiatives, not the “gates.” Key tactical aspects of a security program are:

1. Assess Risk: Perform a risk assessment to baseline maturity as it stands today. Map out the challenges to fix items that are critical to the business with the understanding the business cannot stop for security initiatives. 
2. Listen: Engage different parts in the business (sales, marketing, engineering, etc).
3. Educate: Build a good educational program to train the workforce.

1. Common Pitfalls to Avoid for Initial Security Programs

Common pitfalls a CISO is likely to face when starting a security program include: 

1. Misconfigurations
2. Poor patch management
3. Abuse problems (spam)
4. Not centralizing spear phishing emails
5. No education towards the workforce on security
6. Credentials are used in the wild
7. Weak password policies
8. Poor onboarding/offboarding policies allowing old accounts to remain active and exposed to the internet
9. Prioritizing against problems of nation state lateral movement or zero day vulnerabilities when smaller issues can be solved first

1. Enabling Business: “Move Fast But Don’t Break Things”

For setting up security programs, security professionals should adopt the mantra of “move fast but don’t break things”. They need to implement their program and remediations, but they must keep constant availability as one of the highest priorities. Other items like red team (penetration testing), blue team (threat hunting), and threat intelligence should be out-sourced initially after the initial remediations from a risk assessment are complete. 

Security professionals should use department budget money like it is their own personal money, not the company's money. Understanding what the technologies will do for the program and having a way to show success metrics are important to justifying the spend. Dynamic application analyst tools are important for technology companies as these ideally protect the main business technology applications.