Originally published in Information Management.
To build a strong security program, you need a strong security team. Pritesh Parekh, VP and CSO of Zuora, winner of the 2016 SC award for Best Security Team, outlines how to structure, hire, and manage a high-performing IT security team that will protect your company’s assets and information, reassure customers and prospects, and inspire confidence throughout your organization.
Building your IT security program is an ongoing, continuous improvement cycle that requires a unified team. The goal is to keep improving, keep up with current risks, and be adaptable. With the right team in place, you can build organizational confidence and, most importantly, protect your company. Here’s how:
Step 1: Map out your IT security program
Once you have figured out how much to invest in your security program – based on your legal, regulatory, and industry compliance requirements and exposure to business risks – you can start to build your security strategy. Most importantly, your strategy needs to align with your business goals. You also want to be sure to design a defense-in-depth approach whereby you have multiple layers of security.
Your program won’t be built in a day, so your strategy should take a phased approach. Start with a small set of security controls that address business risk and establish a baseline upon which you can build.
Step 2: Identify key functional areas of your security program
To lay the foundational structure for your IT security program, start by identifying the key functional areas. In our case, there were five key functional areas necessary to support a well-rounded program:
- Infrastructure Security – This is the area responsible for the security, integrity and confidentiality of all of our customer information.
- Product Security – This secures our product/services and also is responsible for integrating security into our software development life cycle process (SDLC), empowering engineers, architects and product managers with security tools and training so that they can make security decisions.
- Compliance, Privacy and Risk Management – This function has oversight of all of our regulatory and industry requirements such as PCI, SOC1/2, HIPAA, ISO 27001, and other certifications/attestations.
- Internal IT and Business Applications – This area oversees security of endpoints, physical security, business systems, and applications. It also has the responsibility of security awareness for the entire organization.
- Field Security – This is the most outward-facing functional area, responsible for working with prospects, customers, sales, and our legal team as part of the sales cycle to close security issues for enterprise customer deals and to bring back feedback from our customers and prospects.
These five functional areas then become the pillars of your IT security program.
Step 3: Hire your security team
With these pillars in place, it’s time to hire leaders to run each pillar. We looked for leaders with complementary backgrounds – e.g. a leader in infrastructure with an operations background – to take on the head roles for each of these functional areas. Obviously, domain knowledge is an important job requirement as is passion for security as a whole.
But equally important are candidates with the right mindset to fit your culture, in our case: collaborative, transparent, open, and, unquestionably, trustworthy. We also looked for strong leadership skills because when you’re running cross-functional projects and working with virtual team members, leadership is essential. The right leader can make essential decisions, take responsibility, and eventually build out their own teams.
Once we had strong leaders heading up each security project area, scaling was not hard. Team leaders have the authority to build out their own teams as necessary, as dictated by our ongoing risk assessment. Each leader has quarterly goals, with clear measurement criteria and a feedback loop from stakeholders. Leaders take full accountability, continuously raise the bar, and emphasize excellence for their teams.
Step 4: Build your IT security roadmap
Often, a large security program has dedicated program management functions to support projects. We don’t have that. On our team, everyone – even technical team members – is responsible for their own program management, from end to end.
To keep track of all our projects, we created a security roadmap that serves as our “everything resource.” This dashboard provides near real-time insight into all our security projects, by area, including the relevant team members, top risks, resource allocation, and overall investment. Literally everything is on our security roadmap, down to the vacation schedules of every security team member. This adds structure and clarity to our work – we can execute at the highest level of efficiency when everyone is able to measure the success of their projects in real time. This operational efficiency means that we can all focus on the main question: “How can we achieve our goals?”
Step 5: Partner with the entire organization to define strategy and execute
All functions across Zuora – including engineering, tech ops, sales and marketing, legal, product, finance, HR – integrate with security on a routine basis. This means that our IT security team isn’t operating in a vacuum; we look to the entire organization to help us identify risks, set priorities, and define our overall security mission and strategy. We look outside of security for risk assessments which then map back to our overall security investment. All the projects on our IT security roadmap come out of these risk assessments.
This leads to a 360-degree view across the technology landscape: we aren’t just covering everything from a security perspective, but gaining stronger coverage by focusing on all the different disciplines and processes across the organization. Potential attackers know that a security team has the production side covered, so they’ll look for gaps in other areas. With 360-degree coverage, you’re better protected. Collaborating cross-functionally also helps you earn buy-in and adoption across your organization.
Also key to organizational buy-in is the involvement of the executive team. We’ve developed a Security Oversight Committee to manage and address our top risks and understand their business impact. This committee, which includes members of the executive team, meets as needed to provide transparency into our security risks and exactly what we are doing about them – as well as what our competitors are doing.
We’ve created a scale against which we measure ourselves:
- Baseline – the small set of security controls you initially put into place
- Scale – once the baseline is set, you build out your program in a controlled fashion
- Mature – the defined set of controls that a mature security program looks like for your company, and how you’re going to get there
- Leader – understanding industry best practices and looking to other companies who have successfully set a high bar with their security programs
You need to continuously measure and monitor your security controls, so we continually evaluate ourselves against this scale to get a reading on where we are and what kind of investment we need to make to reach the leader level.