David Abramson, Chief Technology Officer at Qrvey, hosts a podcast, “Building Better SaaS.” Our latest episode featured Ali Allage, CEO of BlueSteel Cybersecurity, a developer of humanized cybersecurity compliance programs that create sustainable security and confidence for SaaS-based organizations and government agencies.
You can listen to the podcast here and we’ve covered some highlights of their discussion below.
What must a SaaS company do to prepare its personnel and processes to meet security goals?
“There are a lot of people in our space focused on the technical and they’ll tell you all the controls that you need in place, but I’m going to start with the more simple things. The challenge when you go in through compliance is that you have to be aware of all the variables, assets, people, and processes. A lot of times when we work with organizations, none of that’s documented. They don’t have a clue in terms of what their DevOps process really looks like. The lead developer pushes code and there’s no real process to figure out whether or not the code they’re creating is secure. We’ve even seen this in startups as well as established firms. Document your process.”
What are basic steps to get started with?
“We like visual. So, we humanize this stuff. We try to keep it on human terms and visually document:
- What does the DevOps process look like?
- What does the food chain look like?
- Who’s involved in it?
- How are they creating it?
- Where does it all live?
- How does it get to the end, to the finish line?
“You start with that. It becomes really easy for compliance to then come in and be aware of this process and get started. Determine the controls you need to comply with and start dissecting what you have.
“You don’t want to disrupt that workflow. You want to make sure you enhance the workflow and embed security operations into that. And then, fundamentally, if you understand where everything is and who’s involved, the controls really come down to:
- Have you done background checks on the individuals?
- Are the devices they’re working on monitored or locked down?
- How do you make sure that whatever gets pushed is secure?
“Those are really the basics. Those are the easiest things I could tell anyone to do today. And then, I’ll be honest, it’s a pain. It’s not something that everyone is excited to do. But if you are a process nerd like we are, go and do it. Start visualizing and mapping it out.
“We’re trying to humanize cybersecurity. Funny enough, I named the company after Zoolander. Cyber is serious business, but we want to take a humanistic approach to it.”
When should a growing company invest in dedicated security personnel?
“I think most people expect me to say, biasedly, that yeah, you should reach out to a consulting firm. But realistically, if you’re a startup, you’re trying to save costs. Why not get the smartest engineer on the team, the one that’s the most interested in security, to start understanding the basics of DevSecOps? It’s honestly not rocket science. It just takes someone to put those items into place to understand it, and that can happen on day one.
“If you’re ambitious and want to understand security, the learning curve is not that steep, especially if you’re a well-accomplished engineer. So, start with that.”
When should you call for help?
“When you’re trying to adapt policies and procedures and enhance what you don’t understand of compliance. Some compliance measures are really black and white, like NIST controls, but there’s a lot of them, 1,000 requirements in some cases. So, it’s a lot of work to do. It doesn’t necessarily make sense to devote time to it if you can outsource it.
“The second thing is interpretation of the ones that are not necessarily so black and white.
- What is this control really asking for?
- What policies and procedures do we need to have in place to make it real?
- Then how do we marry that to the technical pieces?
- How do we show evidence that we’re in compliance with that?
“I think that’s when you start looking at third-party organizations.
“The final stage is, when do you bring it in house? In house to me means that your security operations are better suited to have internal control. That’s the most expensive approach, honestly. And the question is, is the cost worth the internal control or is it still safer to have a third party that really is up to date? One is not better than the other. So, it’s really up to the characteristic of the organization as to what makes sense for them.”