16 industry experts share tips for building a security-focused tech business

Many tech companies strive to adopt a “shift-left” security mindset, that is, to focus on security as early as possible in the development process. But how can leaders start doing this? Small steps can be a good way to begin, but you need to develop a culture that consistently puts security first. Such a culture should include not only selecting the right tools, but also working closely with your entire development team and keeping users informed of risks and best practices.

While there’s no shortage of advice on building a security-focused technology business, some things can only be learned through experience. Here, 16 members of the Forbes Technology Council share their top tips for tech leaders trying to build security into their products from the ground up.

1. Expect the unexpected

Mistakes can be costly. Have all security checks in place before launch and expect the unexpected, which can include everything from problems with reCAPTCHA during registration to IP tracking. Assume that hackers will know how to impersonate real users to mislead automated authenticators, and implement real human authenticators from the start. Yes, there are a ton of software options out there, but never pinch pennies when hiring industry experts for that extra check. – Iman Bashir, Craftly.AI

2. Hire security specialists early on

When it comes to security in product development, engage your security specialists from the start. Spend some time assessing the business risk inherent in the system to understand the level of security required. You can minimize the risk of serious vulnerabilities through consistent monitoring, testing, and enforcement of access and security controls. – Hanno Ekdahl, Idenhaus Consulting, LLC


3. Take incremental steps

I have two tips. First, in many cases, I’ve seen security teams bite off more than they can chew trying to solve too many things at once. I would start by taking gradual steps to reduce risk. Second, make sure security is part of the whole process, from the start, and not just acting as a pre-launch blocker. – Ben Herzberg, Satori

4. Start small and look for easy wins

Without a rudimentary understanding of how your business applications work, how data is used, how they communicate, and what underlies their architecture, any attempt to “move security to the left” is doomed to fail. Start with small components and easy wins aligned with best practices, whether it’s cleaning up queries and inputs or analyzing downloaded files. – Vladi Sandler, Lightspin
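One concrete “easy win” of the kind the tip above mentions, cleaning up queries and inputs, is replacing string-built SQL with parameterized queries. The following is an added illustration written for this page, not code from the original article or from any of the contributors’ companies. It assumes a hypothetical users table in an in-memory SQLite database (constructed sample data) and shows the vulnerable lookup next to the fixed one, run against the same injection payload.

```python
import sqlite3

# Constructed sample data: an in-memory "users" table standing in for a real
# application database (assumption: a simple lookup of a user by name).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' version: user input is spliced into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the query's logic (SQL injection)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The cleaned-up version: the query text is fixed and the value travels
    as a bound parameter, so the driver never interprets it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends OR '1'='1.
INJECTION_PAYLOAD = "' OR '1'='1"


def demo() -> tuple:
    """Run both lookups against the same payload and a legitimate name."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION_PAYLOAD)  # every row comes back
    safe = lookup_safe(conn, INJECTION_PAYLOAD)          # nobody has that literal name
    normal = lookup_safe(conn, "bob")                    # legitimate lookup still works
    return leaked, safe, normal


if __name__ == "__main__":
    leaked, safe, normal = demo()
    print(f"vulnerable query returned {len(leaked)} rows for the injection payload")
    print(f"parameterized query returned {len(safe)} rows for the same payload")
    print(f"parameterized lookup of 'bob': {normal}")
```

The fix costs one line and no library beyond the database driver, which is what makes it an easy win: grep the codebase for string concatenation or f-strings feeding `execute`, and convert each call to a bound parameter.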

5. Perform third-party developer background checks

Be sure to check the background of your third-party developers. Struggling to keep up with demand, third-party developers often quickly hire staff with questionable backgrounds. Cases have been reported in which developers with unethical backgrounds were hired and went on to inject malicious code into production applications. A leader should develop a verification and integration plan that third parties must follow before committing to code development. – Spiros Liolis, Micro Focus

6. Make sure all sensitive information is in a tight security perimeter

Leveraging microservices and containers/applications in such a way that all of an organization’s sensitive information is contained within a hardened security perimeter is a great way to create a security-conscious organization. Unfortunately, many organizations do not prioritize this partitioning of sensitive information, which increases their risk of cyberattacks. – Marc Fischer, Dogtown Media LLC

7. Choose your data platform carefully

The security of your product will depend on your technology stack, so choose carefully. It really is impossible to get it right at first; selecting an extensible data platform will save you from refactoring your product to add security later. Extensible or open data platforms with dynamic plug-in ecosystems provide an easy way to add rich security features to products. – Arti Raman, Titaniam

8. Leverage frameworks that perform specific security functions

As cyberattacks on products continue to grow, with breaches leading to reputational, financial, and legal risks, technology leaders must follow security frameworks that streamline and make it more cost-effective to build products that are secure from the start. Also implement highly trusted frameworks that perform critical and specific security functions such as secure boot, cryptography, and attestation. – Vivian Lyon, Dynamic Plaza

9. Involve developers when selecting tools

Security tools that your developers don’t like won’t keep your code secure, no matter how good they are. With security now integrated into the software development lifecycle, the developers are the users. Involve developers in the process of selecting security tools and creating security processes. – Sonali Shah, Invicti Security

10. Educate about security risks and automate detection

Technology leaders are often obsessed with the important but relatively simple, lower-risk technology-stack aspects of security, compared to the human aspects of security. The best way to mitigate the risk of human error is to educate about security risks and automate detection so errors can be caught before it’s too late. – Ethan Kellough, Highlight

11. Keep users informed, but monitor their behavior

Trust your users, but don’t trust your users’ behavior. Trusting the user means keeping them informed of issues and risks. Not trusting user behavior means that individual actions must be evaluated in the context of the security posture (e.g., zero trust). – Shriram Natarajan, Sama

12. Build a system of trust with users

As far as possible, security should be transparent to the user. However, consistent patterns must be developed to build a system of trust so that if something seems out of place, users know how and where to respond appropriately. – Alexander Hill, Senseye

13. Trace the full history of your code

Track the supply chain of your code, including third-party and open source code. Code-level vulnerabilities are easily inserted using open source code provided with an “as is” clause. Also, if yours is a very popular product, consider the possibility of malicious code being injected by an insider, and put rails and guards in place to prevent this. – Vipin Jain, Pensando Systems
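Tracking the supply chain of third-party code starts with pinning every dependency to an exact version and a content hash, then refusing anything that does not match at install time. The following is an added example written for this page, not code from the original article or from any contributor’s product; it assumes a pip-style lockfile line format (`name==version --hash=sha256:...`) and uses constructed artifact bytes in place of real packages. It flags three things a practitioner wants caught: a pinned package whose fetched bytes no longer match (a tampered or republished release), an entry with no exact pin or hash (untraceable), and a package that arrived without ever being pinned.

```python
import hashlib
import re

# Constructed sample: bytes of two "dependency" artifacts exactly as they were
# reviewed and pinned. Real tooling would hash the downloaded wheel or sdist.
PINNED_ARTIFACTS = {
    "leftpad": ("1.3.0", b"def leftpad(s, n): return s.rjust(n)\n"),
    "httpkit": ("2.0.1", b"class Client: pass\n"),
}


def sha256_hex(data: bytes) -> str:
    """Content hash of an artifact; the identity we pin, not its name or version."""
    return hashlib.sha256(data).hexdigest()


def build_lockfile(pinned: dict) -> str:
    """Emit lockfile lines for the reviewed artifacts, plus one deliberately
    unpinned entry so the checker has something to complain about."""
    lines = [
        f"{name}=={version} --hash=sha256:{sha256_hex(data)}"
        for name, (version, data) in pinned.items()
    ]
    lines.append("yamlish>=0.9")  # range, no hash: cannot be traced to a review
    return "\n".join(lines) + "\n"


# Accepts "name==version" with an optional "--hash=sha256:<64 hex>" suffix.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?:\s+--hash=sha256:(?P<hash>[0-9a-f]{64}))?$"
)


def parse_lockfile(text: str) -> dict:
    """Map package name -> (version, hash). Anything that is not an exact '=='
    pin is recorded as (None, None); a pin without a hash keeps hash=None."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            entries[name] = (None, None)
            continue
        entries[m["name"]] = (m["version"], m["hash"])
    return entries


def verify_fetched(lockfile: str, fetched: dict) -> dict:
    """Compare what was actually fetched (name -> bytes) against the lockfile.
    Returns name -> 'ok' | 'unpinned' | 'missing' | 'hash-mismatch' | 'not-in-lockfile'."""
    entries = parse_lockfile(lockfile)
    result = {}
    for name, (version, expected) in entries.items():
        if version is None or expected is None:
            result[name] = "unpinned"          # no reviewable identity
        elif name not in fetched:
            result[name] = "missing"           # pinned but never arrived
        elif sha256_hex(fetched[name]) != expected:
            result[name] = "hash-mismatch"     # bytes differ from what was reviewed
        else:
            result[name] = "ok"
    for name in fetched:
        if name not in entries:
            result[name] = "not-in-lockfile"   # arrived without a pin (e.g. transitive)
    return result


def demo() -> dict:
    """Constructed 'fetched' set: leftpad unchanged, httpkit tampered with an
    appended line (simulating a malicious republish), an unpinned yamlish,
    and a package nobody pinned at all."""
    lockfile = build_lockfile(PINNED_ARTIFACTS)
    fetched = {
        "leftpad": PINNED_ARTIFACTS["leftpad"][1],
        "httpkit": PINNED_ARTIFACTS["httpkit"][1] + b"import os; os.system('id')\n",
        "yamlish": b"...",
        "surprise-dep": b"...",
    }
    return verify_fetched(lockfile, fetched)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:14s} {status}")
```

Anything other than `ok` should fail the build. The same check belongs in CI as well as on developer machines, so that an insider or a compromised upstream cannot slip a changed artifact in between review and deployment.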

14. Assess your team’s strengths in security management

While it’s important to streamline security processes, it’s more important to have the right people in place to solve problems with agility. As well as building security into your products and preparing for a crisis, make sure you optimize by knowing each other’s strengths, solving problems together, and making sure measures are in place to never make the same mistake twice. – Matt Pierce, Immediate

15. Create a culture that can evolve as threats evolve

Do everything possible to avoid checklists and rote statements of security procedures and policies. Security should be a state of mind – a way of thinking – not a catechism of “must-do” and “must-not-do”. Security as a process means evolving as threats evolve. A fluid, security-aware organization has a much better chance of defending itself against bad actors than a company captive to its cybersecurity playbook. – Adam Stern, Infinitely Virtual

16. Organize security drills

Consider simulating a series of attacks, perhaps on two fronts at once, to see how your defenses and security hold up. This is a clear case where digital can learn from real world security. – Blair Currie, Snibble Corp.
