Over the past 10 years, the number of new businesses formed in the U.S. has grown nearly 75%. To shorten their time to market, companies building software-as-a-service (SaaS) applications use managed services through cloud providers and open-source packages. While the ease and convenience of outsourcing critical infrastructure can help speed new solutions to potential customers, the reliance on third-party vendors and accelerated development timelines introduce serious security concerns.
Hastily built products and infrastructure are often easier for cyber attackers to breach and infiltrate, which can have devastating effects on companies that aren’t equipped to protect their systems from cyber threats. As evidenced by the constant stream of news stories about the latest business to fall victim to a cyber attack, breaches and vulnerability exploitation critically impact companies today more than ever before.
If you are a technical leader at a growing SaaS company, it's critical to understand where your security efforts need to be focused. It is imperative for all companies to establish software teams with the deeply ingrained habit of building secure systems.
The new companies that survive and thrive in the next 10 years will be the ones that build security champions within their teams from day one.
How do savvy engineering leaders make building secure systems a habit for their teams? They start with people.
Your ultimate goal is to build team-wide awareness and expertise with respect to cybersecurity topics, but you'll have more success if you start with an individual or a small group. In one-on-one meetings, take the time to identify individuals on your team(s) who have a security background or interest. Software engineers love to learn, and they don't want to suffer a breach or ransomware attack on something they have built. Depending on your team's maturity and funding, you may be in a position to hire a security-focused architect. Regardless, once you've identified a champion or two within your team, it's time to move to the next step: building broader awareness.
To start, teams need to know that improving their security knowledge is a long-term and consistent investment by the business. This investment is cheaper than suffering a breach, and exhibiting mature security practices can potentially save the company money on cyber insurance policies.
A few ideas to bolster team-wide awareness:
All of the above help shift security to an earlier stage in the software development lifecycle, where the goal is to embed security best practices into engineering workflows and tools. Your product development team wants to build more secure systems, but without adding repetitive work. As you start down the cybersecurity path, if you can incorporate security checks with a few workflow enhancements, you will position your team to develop deeper security instincts in their existing workflows.
If you’re following along, that means you've identified a security champion or two. Your team is aware of the common exploits that can compromise software products. They may have even identified areas of your application architecture that are vulnerable. Their existing tools help them fix security vulnerabilities proactively.
But the landscape changes rapidly. You may patch the worst vulnerabilities today only to find out tomorrow that there's a new exploit. How do you weigh which vulnerabilities get your team's focus? How do you decide which security policy your team should incorporate next? Winning companies and technical leaders lean on the security expertise of a partner—a security-savvy managed service provider or a cybersecurity company—as their trusted advisor.
Having a security partner in your corner will let you know where to start and where to invest next. A great outcome here means you establish a long-term connection with a security expert. You're looking for a relationship, not a transaction. Your advisor will help you understand what security investments to make over the long run or how to reduce or transfer risk in other ways, such as cyber insurance.
Here are a few questions to ask potential advisors:
Great partners will be able to provide an initial assessment so you get a feel for how they work. They should follow NIST or another well-known risk framework. If a security certification or attestation could make or break an important sales opportunity for your company, it will be helpful to know whether your partner can get you started on that journey and how long the process will take.
Whether you're deep into your security journey or just starting out, it's important to review your team's knowledge and practices. Getting started is more important than getting it perfect. The stakes are higher than ever, and the most successful companies should expect to be attacked. As ominous as that sounds, the companies that commit to building security champions early will withstand the pressure.