Three steps to set up a security program in software organizations

The need for cyber security continue to grow, and it is not limited to large organizations such as banks or government agencies. Business owners are increasingly aware of the need for setting up a cyber security program. In this article, I will illustrate the process for setting up a cyber security program in three simplified steps.

1. Set up a security governance strategy

Security issues in software organization are broad and complex. Large organizations usually opt for a full time in-house Chief Information Security Officer (CISO), while Small and Medium Businesses (SMBs) can hire a part time vCISO (Also known as: CISO-as-a-Service). Either way, the first task of a CISO is to perform a risk assessment, and identify potential gaps (See: Top 10 Cyber threats in 2022), and come up with a set of specific security goals, with associated scope, such as:

• Set up a SOC, CSIRT, and/or CERT [1] for cloud and/or on-premises infrastructure.
• Set up an offensive security capability to perform penetration tests on the organization's infrastructure and/or deliverable products.
• Set up a team of security auditors / analysts, to help assess the capabilities of your suppliers, or for compliance purpose.

Depending on the amount and frequency of the services needed and allocated budget, the CISO can advise you to delegate this responsibility entirely or partially to an external providers, known as MSSP. This also depend on the context of your organization, the market in which you are operating, and your risk appetite.

In case you opt for building certain capabilities in-house, you need to draw up a roadmap with gradual and measurable objectives, within an estimated time frame. The next step is to come up with specific skill set for the new roles, or set of requirements for the services that need to be fulfilled using licensed tools, or the external service provider.

As you proceed with the execution of the roadmap, you should continuously keep an eye on different risks. By the nature of cyber security industry, it is almost inevitable that you encounter unforeseen circumstance, which might force you to adjust your priorities, or even update the roadmap altogether, and come up with additional or alternative goals.

2. Promote security culture and raise awareness

No matter how good your security program is, humans are often considered the weakest factor. Providing role-based mandatory and optional training is necessary to ensure your staff always makes the right decisions to safe-guard your organization's assets. Besides, new joiners should also receive the right materials as part of the on-boarding process.

Your staff do not need to be aware of every single company procedure, but simply need to know these exist, and how to find them when needed. Certain organizations have established a security champions program [2], where few individuals across the organization take partial ownership of security matters within their team and help with the adoption of security best practices. You can also empower your security champions by suggesting certain security training or cover the fees for attending security conferences or CTF events, or even organize in house event where you invite internal or external speaker, to inspire your staff around certain topic.

Besides, it is useful for your engineering teams to follow the security news, and get familiar with the attacker mindset. Many government agencies provide a brief update about most recent development in cybersecurity landscape. The following list is not exhaustive:

• https://www.cisa.gov
• https://www.enisa.europa.eu
• https://www.ncsc.gov.uk
• https://english.ncsc.nl
• https://www.csa.gov.sg

You don't need to read every new article. Just make sure you keep an eye on what's happening in the threat landscape and new attack techniques, so you can act fast and stay one step ahead of the adversaries. If you have good tooling, these should already help you identify potential threats that are specifically applicable to your products or services. More on this in the next section.

3. Automate & Integrate security process within your teams workflow

Before making any decision to acquire license for new security tool, it is important to take the perspective of different teams. Many organizations have established DevOps teams and adopted ways of working based on the scrum methodology, and Continuous Integration / Continuous Delivery (CI/CD) process. Members of DevOps teams have different focus compared to security team. Developers often focus on picking up issues which are already triaged and refined, and set to be delivered within a specific timeline. Operations team mainly focus on respecting the SLA while deploying the most recent version of your application as quickly and efficiently as possible, monitoring the status of the entire infrastructure, and performing regular maintenance tasks with minimum downtime. Both Dev and Ops teams are constantly under pressure to deliver more value to the external customer, and usually prefer to avoid any request that might disrupt their process and plans.

On the other hand, the main focus of security teams is to identify potential threat scenarios, analyze and remediate as many of these threat scenarios as possible. Despite the great progress and improvement in security tooling landscape, most tools still suffer from a number of limitations, including:

• Need for different capabilities: Some tools might provide multiple scanning capabilities, such as SAST, and SCA. Some tools might support only a subset of your tech stack, or provide less reliable results for certain coding languages. Thus, you might need to combine different tools, in order to get the best outcome out of each.
• False positives: No matter how good and smart the tool is, some of the identified CWE or CVE might correspond to non-exploitable findings. You might be able to suppress the finding from the current scan result, but it's good to find ways to help the tool learn and adapt with your products, resulting in fewer false positive in future scans.
• Visibility and ease of integration: Many tools offer their own dashboard or generate stand alone reports. This means, you might need to manually follow up with the right team to request or prioritize a particular fix, which is not scalable. Some tools allow you to raise an issue or even suggest a "pull request" to the right team or repository directly within the same tool, which is a great benefit.

Considering the observations above, it is important to align between all relevant parties within the organization before procuring a new security tool, in order to strike the right balance between detection capability, scalability, ease of use/integration within the current setup.

It is also good to continuously measure both the positive and negative impact of each tool, to help make the decision to renew the license prior to expiry, or eventually explore other tools. Besides the numbers, it is also advised to collect (optionally anonymous) feedback about current workflow from all stockholders within the organization, and review certain decisions if needed.