Being a CSO in a Security Start-up

We all work in companies that have customers. As CSOs, we have to protect the business and reduce risk; however, in a Series B startup that makes security-based products and services, I know my role is different. If I worked in a company that was making gaming software, the expectations of my role wouldn’t be the same; there would be less of an expectation to support the sales cycle, for example.

There’s an expectation as a CSO in a security company that I lean on my network, connections, friendships, and anything else to help raise awareness of our company and products within the CSO/CISO community, ideally resulting in them drinking our Kool-Aid and buying our great products. If my company hosts a community event, I try to be sensible about how and where I share that information. It’s a fine line between peddling our wares and helping the community.

Top 6 observations

Here are some of the key areas where I have observed differences between being the CSO of Banyan Security compared to my prior security roles. The variance is in part due to what we sell here at Banyan, and also being a new company that is 100% focused on being in the cloud.

  1. Helping drive strategy: As a practitioner, I’ve deployed, operated, and led strategies in large, global organizations. I understand the realities of being in IT and security, deploying technologies to thousands of users (over 150,000) or to millions of customers (over 20 million). The result of this experience is that my team and I are uniquely placed within Banyan to provide guidance and feedback on not just our strategy, but the desired user experience for both our end users and administrators. We take great pride in our participation, being able to research and recommend things like integrations or providing feedback on features. These activities are often way more fun than some of our daily grind.
  2. Ensuring application security: Secure/Systems/Software Development Life Cycle (SDLC): I added all of the S’s and a few links below that dig into these. I also provided links related to DevOps and DevSecOps, with the latter always being debated on what it means, and a common statement being, “Aren’t we doing Security by Design?” In short, there are processes and methodologies that help ensure consistency as well as checks and balances.

Here are some helpful links:

  3. Identifying vulnerabilities, scanning, penetration testing and all that stuff: It goes without saying that our objective is to build amazing security-based products, with an emphasis on the security part. So, it’s important that we continually educate our engineering team on security best practices. We have a robust program with layers of testing, as well as the ability to support external testing. Being transparent and open to scrutiny enables any company to improve. During my first twelve months at Banyan, we’ve supported customer penetration tests, conducted our own internal tests, commissioned third-party tests, as well as engaged with external researchers, paying them for vulnerabilities they’ve reported (luckily, the vulnerabilities only related to a marketing website).
  4. Building security questionnaires: Any CSO whose company sells to enterprises will know the love that is a security questionnaire. Oh, and the number of vendors selling their “magic dust” products and services that will automatically answer them. The best thing here is to figure out how to enable your sales organization to handle these, building a decent database of ever-growing questions and answers.
  5. Conducting customer audits and penetration tests: Again, it’s important for all enterprises to have confidence in their suppliers. Being a third party, we can ideally avoid these, as they cost money and you may be able to satisfy them in another way. Sharing your SOC 2, ISO, or other findings as well as third-party penetration tests often works.
  6. Protecting the crown jewels: Yes, we all have to figure out what those are and how to protect them. One thing I learned in the last 12 months at Banyan was how being a 100% cloud company was so invigorating. Everything we do to run our business as well as our products and services is cloud-based: not a single data center in sight, just one office with a guest network. Oh, and we use our own products to ensure access is tightly controlled and tied to device posture [insert sales pitch here I guess] 😉


Anyway, I’ve learned a lot in my last 12 months working as a CSO. While many of the responsibilities aren’t new, the level of required depth and rigor has been somewhat eye-opening. Hopefully, the above observations might help you in your endeavors. Cheers!

Note: If you’d like to read the longer version of my CSO journey over the past year, it’s available here on LinkedIn.

The post Being a CSO in a Security Start-up first appeared on Banyan Security.

*** This is a Security Bloggers Network syndicated blog from Banyan Security authored by Den Jones. Read the original post at: