Continuous Security at DV
Without scalable processes and constant learning, even the best-equipped security operations fail. Here’s how we’ve built a security-first culture at BCG Digital Ventures.
By Astera Schneeweiz, Global Director of Information Security and Compliance, BCG Digital Ventures
Before I joined BCGDV, I spoke about how to build security teams. In fact, a lot of the time I was talking about why security should be thought of as a practice rather than a team.
But after I started working at DV, I had to change my focus: How do we build a team or practice to work with dozens of different ventures, ensuring security for each one, without feeling like an external consultancy? After all, DV is different from most security operations, as we have to secure multiple ventures, each with different software and teams.
There were also other questions. These included: What should our role as security professionals be in the organization? How does security play a part in shaping the culture of DV on a global scale? What’s the motivation for the team itself? In this post, I’ll focus on our work with ventures, which makes up 50% of our work.
What makes DV a unique security challenge
Before I answer these questions, I want to take a step back and give you a quick overview of what makes security at a venture-builder like DV so different from what’s required at other companies:
- Every venture we build starts off with different staffing, made up of a mixture of DVers, freelancers, contractors and team members embedded from our corporate partner.
- The turnaround time on each venture needs to be quick, as we have a set time until the completion date. Therefore, long-term investments on each venture team are hard to justify.
- Each venture is backed by a big corporate partner. This sets them apart from conventional start-ups — the stakes are higher. With data breaches occurring on an ever-greater scale, our clients need to take data security seriously. They are trusting us with their reputations, and we need to uphold this trust.
- There are strict security requirements that must be met, and we work in an ever-growing number of locations worldwide. Additionally, we frequently work in new industries, each of which has its own demands and compliance obligations.
To summarize: Everything is always a little different. The only constant thing is that it’s always fast-paced.
So, how do we build security given these circumstances?
A continuous program for reducing risk
Over the past years, DV has done, and continues to do, an amazing job in defining the methodologies by which we build new ventures. And what better model for our own information security process to learn from?
This is the principle behind our Continuous Risk Reduction (CR2) program.
What lies behind this fancy title is a well-defined curriculum, which trains every one of our venture teams in data protection, security concepts, secure engineering and architecture design, and compliance topics, at the exact time they need it.
To support the learning process, we have developed two areas of documentation. A Venture Security Checklist is issued to each venture, ensuring that, at every phase, the security and compliance requirements are fulfilled. We include a wealth of examples, each of which can be adapted depending on the language and frameworks used and the venture size. We also provide the documentation that the venture will continue to use and keep after we at DV have finished our work on it and prepared it for a life of its own. Included here are security policies and templates for data classification.
Throughout the Continuous Risk Reduction process, venture teams learn how to use code analysis tools and scanning services to get immediate feedback on the services and systems they produce, long before the first penetration tests (also a part of CR2) are run. Overall, our process compares favorably to that of a large, established company with a full-blown security team, while still being able to support a nimble and fast-moving venture team of just a few people.
The goal of the training sessions and documentation is ultimately to empower our venture teams not only to know how to use a specific security product or achieve a compliance goal, but to have learnt how to make risk assessments and manage their security posture in a lightweight manner. This is something we can all be truly proud of.
To make the process as easily understood and straightforward as possible, there is one metric we track and compare across all ventures: Key Risk Indicator (KRI). This metric is a combination of a venture’s security posture as indicated by the Venture Security Checklist, their risk assessment and treatment process, and outcomes from interactions with our team at each stage of the CR2 program such as architecture review and penetration test results. There is little more rewarding than being able to put a number on and visualize how we’re helping our ventures be safe and successful.
Our key advantage
Let me share one amazing, outstanding, and immensely motivating bonus with you, one which I’ve enjoyed and benefited from while working here.
Earlier, I mentioned that everything is always different, with ventures constantly updating their methodology, product and processes.
This means that, unlike single companies and institutions, we as an information security team can quickly iterate on our processes and see immediate and invaluable impact. With each venture starting with a blank slate, we are given the chance to reevaluate and update our security processes and infrastructure each time and ensure we’re up to speed on the latest state-of-the-art technology and security concepts.
As we support one venture after the next, we receive feedback, learn and optimize — and constantly improve. The program we had in place in 2019 is not the same as what we had in the middle of 2018, and I’m certain it won’t be the same as what we’ll have in a few months either. Although in one sense we’re always starting from scratch, we can also draw from an ever-expanding knowledge base. We learn so much from each venture as it’s deployed in the ‘real world’ and put to the test against real security threats. We have built, and continue to build, a constantly evolving knowledge framework that puts security first.
Building continuous security at DV means fostering a culture of knowledge-sharing and helping one another improve and become more aware of the data we deal with every day.