On December 14, Chris Gervais, Threat Stack’s VP of Engineering, was joined by Sabino Marquez, the CISO of Allocadia, for our latest webinar: Lean Security: Your Guide to SecOps Efficiency in the Cloud. We’ve written before about lean security and the importance of aligning people, processes, and technology to create a successful security organization. In this webinar, we learned first-hand how Allocadia does it with Threat Stack.
You can view the entire webinar here, or read a recap of the key points that Chris and Sabino covered.
Allocadia + Threat Stack
Allocadia is a marketing performance management platform that used a small team to build out their security objectives. To achieve their goals, they realized they needed better tools to give them full visibility into their cloud environment without requiring cumbersome and time-consuming manual analysis — and this is why they chose Threat Stack. Threat Stack’s intrusion detection platform enables Allocadia to meet their contractual, statutory, insurance, and compliance commitments, while addressing ongoing security issues in a timely manner.
Citing the example of companies that bring on security tools but are then overwhelmed by the data output, Marquez explained that bringing on Threat Stack actually had the opposite effect. It supported a cultural shift that helped the company become more accountable for security and taught employees to be more aware of how their actions relate to potential threats.
Going Lean: Your Company is Your Security Team
Unfortunately, security is often considered a burden rather than an enabler for businesses. Lean Security principles recognize that time, resources, and budgets are finite, so they help you align and integrate the resources you do have to streamline processes, remove roadblocks, and eliminate inefficiencies in your security operations.
While discussing best practices for “going lean”, Gervais and Marquez also explored some common pitfalls. The main shortcoming they discussed centers on the fact that many security leaders don’t focus enough on democratizing security and leveraging everyone in their company.
Since there’s a global shortage of cybersecurity talent, every company, especially smaller ones, needs to do more with less. Some organizations try to remedy this by going out and hiring anyway, or by putting off implementing security measures. Marquez takes the opposite view, stating that “You do have enough people. It’s called ‘your company.’ Your company is your security team. Lean is redefining who does what.”
By distributing security functions throughout your company, everyone becomes responsible, and this can go a long way towards boosting your security posture. You can do this by implementing a company-wide security awareness program and by offering specific training courses for your employees to qualify them to become security champions. You can also strengthen security by reviewing roles and responsibilities as they pertain to your security operations. When you are defining (or redefining) roles, be sure to look at security as an integrated, cross-discipline role instead of a siloed function. Finally, clarify your processes for communication around security goals, including owners, stakeholders, and anyone else that needs to be informed so they can carry out their job more effectively.
People and Processes: Shared KPIs
Throughout the webinar, Marquez advocated for empowering everyone at the company with ownership and communication around security. How can companies do that? Marquez recommended shared KPIs.
At Allocadia, one of the shared KPIs for their team is Time to Own Events. Employees receive alerts via a Slack channel and have an obligation to respond within a specified period of time. If no one responds, the alert is escalated until action is taken. With individual and collective responsibility in place, everyone works together to ensure that alerts are acted on quickly.
This approach helped Allocadia bake security into its culture and made everyone responsible when it came to security. Allocadia also involved employees through its daily stand-up anomaly reviews.
Thinking Lean: Tools and Methodology
Another area where companies can “go lean” is in the way they select security tools. Too often, the tool comes before the business strategy, and with so much technology available these days, it’s almost too easy to just buy another solution. This is why companies often experience “tool fatigue.”
Fortunately, Allocadia took a more strategic approach when implementing Threat Stack. Marquez said they took the time as a company to model their stack for three to four months to prepare for Threat Stack. This ensured that when they brought the tool on, they had all the right alerts set up and had taken each function of their business into account.
When it comes to buying security solutions, we recommend adopting the smallest number of tools that will support your security objectives. Ensure that the tools support your security goals and processes, complement your team, and streamline your operations. We suggest a three-phased method:
- Phase 1: Selection and Purchase: Be sure you have a strategy that considers your security objectives, the kind of data you need to monitor, events you want to see, and risks that are relevant to your company. Allocadia’s process is a perfect example of how companies should go about this.
- Phase 2: Operations and Management: After the tool is deployed, regularly measure performance by using KPIs as targets, and continue to optimize your operations.
- Phase 3: Maintenance and Upgrades: Stay on top of patches and upgrades as they are released to ensure that you are getting the most value from the solution and that it’s not inadvertently creating vulnerabilities.
Final Words . . .
At the end of the day, security processes are business processes. The improvements you make to your security operations will ultimately make your business stronger. For small and mid-sized businesses, the key is to get the most out of limited resources by collaborating across functions and empowering everyone at the organization to take ownership of security. Allocadia’s team approach, which integrates security into all operational areas and automates through the use of Threat Stack, is an excellent demonstration of how an organization can create a strong security stance by applying lean security practices to its people, processes, and technologies.
If you’d like to learn more about lean security principles and how you can adapt them to your organization, please download a copy of our latest eBook: Lean Cloud Security: Your guide to SecOps Efficiency in the Cloud.