Basketball legend Michael Jordan once said, “Talent wins games, but teamwork and intelligence win championships.” When it comes to something as important as your company’s security, you can’t afford to rely on anything less than a championship security team.
What does a championship security team mean for your organization? You may have hired the best individuals across the spectrum of IT roles, but if they aren’t working together, you’re missing out on game-changing productivity.
We pulled together a list of key players for a winning security team based on our experience in the industry. Titles almost certainly vary from one company to the next, but the focus and responsibilities of the roles will be familiar to IT and security professionals alike. Here’s what you need to build your winning security team:
Chief Information Officer
A majority of records within organizations are now stored electronically, meaning the Chief Information Officer (CIO) has a vested interest in the overall security strategy. The traditional CIO role, which covered IT resource management, policy development, standard operating procedure development and the like, is expanding: CIOs are now accountable for more than technology management. As the number of digitally captured business functions continues to grow, the CIO is getting involved strategically in additional functions, departments, and business decisions.
CIOs must not only be involved in cybersecurity strategy planning but lead it. They are connected to several important parts of the organization, and need to get buy-in from these teams in order to execute an effective software security plan.
Chief Information Security Officer
While the CIO works on the business management part of an organization, the Chief Information Security Officer (CISO) is critical in the age of security breaches. The CISO’s role is to monitor and analyze potential security risks, and to work closely with the CIO to increase IT risk mitigation. A good CISO must develop, deploy, and maintain an InfoSec program to protect the data an organization stores and processes.
The CISO must identify risk across the entire operation, from verifying that IT facilities are secure to educating employees on the organization’s security policies and practices and how to respond if a breach occurs. The potential penalties from regulations such as PIPEDA and GDPR are significant if data is misused and/or poorly secured. CISOs must integrate security policies and protection strategies, working closely with key players in the organization to deploy, revise, and oversee security strategy.
Cloud Operations Leader
As someone who works closely with the CIO and CISO and handles the design and implementation of cloud storage strategies, the leader of Cloud Operations efforts is a critical player on a successful security team.
Their practices need to be safe, reliable, and perfectly aligned with the overall software security plan. They need to be involved in the strategic planning and implementation of security plans because they have unique knowledge of cloud best practices—and won’t fall victim to insecure code or data breaches.
IT Security & AppSec Specialists
IT Security Specialists are critical in the implementation and management of the software security plan. These team members are the people on the line actually doing the work.
Having a variety of backgrounds and experience levels helps diversify the knowledge and approach within your security team. This diversity leads to a wider range of knowledge and better decision making when it comes to the best way to implement security throughout your software development lifecycle (SDLC).
IT Security Specialists are responsible for the successful implementation and management of your security plan. They are also critical in helping to train and promote the importance of software security throughout other parts of the organization.
Every organization benefits from the internal evangelists who sit in the engineering team and promote AppSec best practices. In a rapidly accelerating software delivery environment, these internal evangelists can help your organization keep up with the evolving challenges of application security.
Don’t dismiss entry-level tech resources as not knowing enough to be involved. Instead, tap into them as resources for internal talent development. For your experienced developers, it’s important not to make assumptions about their knowledge. Ensure that their training is up to date too, and then validate their knowledge periodically.
Finding and hiring new and experienced tech resources is expensive, so it’s important that you continue to develop your own internal teams. Push their boundaries of security knowledge and help them learn. You may even get some new takes on old processes while you’re at it.
To implement an effective software security plan rapidly, you need buy-in from the rest of the business leadership team.
Your CIO and/or CISO needs to build critical relationships with other key decision makers such as the Director of Operations, the CFO, and the CEO, and explain how their software security initiative supports other critical business functions. For example, if there is a large security breach that costs the business millions, everyone experiences the repercussions.
If all of the business leaders can get on the same page and work together to build a more security-focused organization, the security team can execute their software security plan much more effectively and efficiently.
The Legal & Compliance Teams
Even though other players in the security team have the best intentions of “following the rules,” no one has rule-following down quite like the legal and compliance teams.
The CIO, CISO and other team members rely on their legal team to make sure the organization is following its own internal policies and to identify the industry standards and regulations it must adhere to, such as GDPR, PCI-DSS, HIPAA and many more. Industry standards can change frequently, so it’s important to have dedicated resources who keep the team on point when it comes to compliance.
The security team also relies on the compliance team to ensure that record keeping and documentation policies are being followed by the entire organization.
The Business Owners (Users of the Data)
Lastly, the actual data users play a huge role in the success of a solid software security plan.
While it seems like individual users may be too far downstream to matter, these users are the people most often handling the data.
Understanding how this team needs to process the data is critical. You need to make sure there is no gap between how the legal and compliance teams think data should or must be used and how it is actually being used. Don’t leave them out. If you do, you’ll miss a critical step in building a winning security team.
Understanding Security Goals and Programs
The security team needs to make sure users are following protocol when it comes to programs, security practices, and data handling. The data users need to be trained properly on both the correct usage processes and why the security is so important in the first place. Understanding the goals and the repercussions if they make a mistake helps get data users in the game when it comes to protecting your organization.
Depending on the structure of your organization, you may have just a few or many key players associated with your winning security team. No matter the size, remember these nine critical roles when considering who needs to be part of your software security plan.
This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by Kurt Risley. Read the original post at: https://www.checkmarx.com/2018/12/18/9-players-winning-security-team/