In our first security roundtable event, we were joined by Security, Cloud & Platform Leaders for a practical discussion around the biggest challenges they're facing right now, all based on valuable discussions we've been having with our network. We packed a lot into 1.5 hours, digging into the delicate balance between scaling and keeping agile whilst handling tech debt and legacy systems, and the right approach to automation. Plus, how to cultivate a security culture among teams and shift mindset, and the impact of AI on the industry. We've dived into some of the key takeaways from the session below:
1. Fostering a Strong Security Culture Across Your Business
The security of your business depends on every member, from HR to marketing to the newest graduate. Building a robust security culture is vital to create an environment where people feel comfortable reporting issues and vulnerabilities. Embracing a "safety to fail" mindset and encouraging open security reporting can help identify and fix problems early on, preventing them from becoming major issues.
From Unicorning your team mates (when unicorn gifs are sent through unlocked laptops🦄), to discussing fake phishing messages, education plays a significant role. Keep in mind that the approach to fostering a security culture may differ across global businesses due to cultural variations, so it's not a one-size-fits-all solution.
2. Understanding the Cost and Impact of Security Breaches
The impact of a data breach will differ depending on the industry or sector the business is in. In financial services, heavily regulated or SaaS businesses that are handling huge amounts of personal data, a major security breach can be an extinction event due to reputational damage, which is really important for teams to understand and get them to adopt the seriousness of security.
In start-ups, putting a price on risk and ownership can drive home the importance of working securely. Whereas for purpose-led companies, considering the impact on customers and users can be a strong motivation. In any case, how you handle a data breach and your response to it can make or break your reputation.
3. Effective Collaboration Between Product, Security & Engineering Teams
To achieve security goals, collaboration between engineering and product teams is vital. Aligning priorities in the backlog can ensure that security focus is integrated into the workflow. Finding a balance between speed and priorities is an ongoing challenge, but clearly defining the company's "why" and "what good looks like" will help guide the team and establish metrics and expectations.
The right organisational structure depends on your business's size and structure. For some companies, having a CPTO (Chief Product & Technology Officer) can work brilliantly, as they have the mindspace to make calls on different tradeoffs. But as a business scales, a different approach may be needed as it can become too big a problem for people to think about.
4. The Role of Security Champions and Communication in Enhancing Security
Having security champions within teams is a valuable approach for enhancing security efforts from the bottom-up. These champions act as central points for reporting issues and suggestions, creating a culture of learning and collaboration. The key to their success requires an investment of time and resources, and establishing a direct route for communication ensures effective information flow throughout the business. A dedicated Slack group connecting the security team and champions is a great way to streamline the process and prevent it become a siloed group.
5. The Impact of AI/ML on Security: Benefits and Risks
Arguably the biggest topic in tech at the moment inevitably popped up during the discussion. On the one hand, AI opens up multiple benefits like automating mundane tasks and helping Developers work more efficiently e.g. Google Chronicle allows developers to inspect code for potential vulnerabilities and highlights areas which may need attention. But there was a definite consensus across the group that non-technical colleagues need to be educated on the potential risks AI models represent. There are a lot of grey areas around where all the data generated really goes, and who will eventually have access to it, so it's still not clear what the full implications of inputting sensitive information into a tool like Chat GPT could be. It's important that everyone is aware of the reality that using any old AI model without authorisation can lead to data breaches.
In a nutshell 🥜:
Addressing security challenges in a business of any size requires a combination of technical expertise, a clear sense of ownership, and a robust security culture. Embracing automation and AI/ML can offer significant benefits, but it also requires proactive measures to educate and control the use of this relatively new tech. By fostering a collaborative and security-conscious environment, you can maximise efficiency, mitigate risks, and ensure a safer digital ecosystem.
A huge thank you to Phil Knight, Greg S., Matthew Copperwaite, Maurizio Abba, David Coles, Rob Johnson, Will Ferguson and to Cary Vidal, CISSP for moderating and keeping the discussion lively and engaging.
We'll be looking to host another after summer, so if it's something you'd be interested in hearing more about or joining for the next one, please reach out to our Head of Platform Engineering, Infrastructure and Cyber Security tomd@burnssheehan.co.uk
