How to create a secure culture in your team

Chris Jackson
Published in Flo Health UK, Dec 19, 2022

Medium article by Chris Jackson, security engineering manager at Flo Health Inc.

With malicious cyber attacks increasing daily, the importance of security in business systems and processes skyrockets! At Flo, we are committed to maintaining the highest possible security standards, evidenced by our recent ISO 27001 certification and the ongoing efforts and projects that build on it.

This article will cover some of the ways our teams are continually improving Flo’s security posture and culture.

Security champions

If you are serious about security, you know that you have to start with the people inside the company. Investing time in making sure everyone understands the need for security and why it matters is crucial. With the right culture and mindset, creating, implementing, and maintaining secure systems and processes becomes easier. If you’d like to read up on this topic further, this content might be of interest to you.

As for us at Flo, we have implemented a comprehensive training program for our security champions that covers items such as:

  • Policies: their importance and real-world relevance
  • Threat modeling and closure of identified gaps
  • Procedures to reduce risks of supply chain attacks
  • Walkthroughs of technical vulnerabilities and ways to completely avoid them or fix them if needed

After the training program, we also keep in touch with our security champions — we go over new initiatives and provide support if needed. Regular contact also enables us to get crucial information from the champions in a timely manner, as well as communicate to the wider business if needed.

Ultimately, our goal is to have a more skilled workforce, a more informed security team, and a better security culture for the business.

Principles

At Flo, we adhere to the principles of least privilege where appropriate. We also adopt a “secure by design” approach as much as possible.

Recently, our team worked on an access control system that implements the above-mentioned concepts, all while maintaining consistency and accuracy throughout Flo. We have also implemented time-boxed access to systems, which helps us reduce long-lived access, over-provisioning of permissions, and other problems that typically plague a lot of businesses!
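To make the time-boxed, least-privilege idea concrete, here is an added Python illustration (not Flo’s access control system; the grant model, principal names, resources and timestamps are all constructed for the example). It shows a grant store that defaults to deny, denies automatically once a grant’s time box ends, refuses to issue grants beyond a maximum lifetime, and audits the store for long-lived, stale or malformed grants, which is where long-lived access and over-provisioning usually hide.

```python
"""Time-boxed, least-privilege access grants (constructed example, not Flo's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Constructed reference clock so the example is deterministic.
NOW = datetime(2022, 12, 19, 12, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)
MAX_GRANT = timedelta(hours=8)          # hypothetical policy: no grant lives longer than a shift
LONG_LIVED = timedelta(hours=24)        # hypothetical audit threshold


@dataclass(frozen=True)
class Grant:
    principal: str           # who is granted access
    resource: str            # exact resource name; no wildcards, to keep scope narrow
    actions: frozenset       # allowed verbs, e.g. {"read"}
    expires_at: datetime     # timezone-aware hard expiry


def issue_grant(principal: str, resource: str, actions: Iterable[str],
                now: datetime, ttl: timedelta = ONE_HOUR) -> Grant:
    """Issue a grant that cannot outlive MAX_GRANT and must name at least one action."""
    if ttl <= timedelta(0) or ttl > MAX_GRANT:
        raise ValueError("ttl must be within (0, MAX_GRANT]")
    actions = frozenset(actions)
    if not actions:
        raise ValueError("a grant must name at least one action")
    return Grant(principal, resource, actions, now + ttl)


def _is_valid(g: Grant) -> bool:
    # A naive (zone-less) expiry is ambiguous, so it is treated as invalid rather than guessed at.
    return g.expires_at.tzinfo is not None


def is_allowed(grants: Iterable[Grant], principal: str, resource: str,
               action: str, now: datetime) -> bool:
    """Default deny: allow only when a valid, unexpired grant matches principal, resource and action."""
    for g in grants:
        if not _is_valid(g):
            continue                      # fail securely: malformed grants never grant access
        if (g.principal == principal and g.resource == resource
                and action in g.actions and now < g.expires_at):
            return True
    return False


def audit(grants: Iterable[Grant], now: datetime,
          long_lived: timedelta = LONG_LIVED) -> List[Tuple[str, str, str]]:
    """Report grants that should not be in the store: stale, long-lived, or malformed."""
    findings = []
    for g in grants:
        if not _is_valid(g):
            findings.append((g.principal, g.resource, "invalid-timestamp"))
            continue
        remaining = g.expires_at - now
        if remaining <= timedelta(0):
            findings.append((g.principal, g.resource, "expired-still-present"))
        elif remaining > long_lived:
            findings.append((g.principal, g.resource, "long-lived"))
    return findings


def demo() -> dict:
    """Run the evaluator over a constructed grant store and return the decisions."""
    grants = [
        issue_grant("alice", "db/prod", {"read"}, NOW, ttl=ONE_HOUR),           # well-scoped
        Grant("bob", "db/prod", frozenset({"read", "write"}), NOW + timedelta(days=30)),  # long-lived, broad
        Grant("carol", "db/prod", frozenset({"read"}), NOW - ONE_HOUR),         # stale, never cleaned up
    ]
    return {
        "alice_read_now": is_allowed(grants, "alice", "db/prod", "read", NOW),
        "alice_write_now": is_allowed(grants, "alice", "db/prod", "write", NOW),
        "alice_read_later": is_allowed(grants, "alice", "db/prod", "read", NOW + 2 * ONE_HOUR),
        "carol_read_now": is_allowed(grants, "carol", "db/prod", "read", NOW),
        "audit": audit(grants, NOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit step is the part worth copying: issuing short-lived grants is only half the job, and a periodic report of grants that are stale, too long, or malformed is what actually keeps over-provisioning from creeping back in.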

Here are additional Flo security principles that are part of our culture:

  • Immutable infrastructure and infrastructure as code
  • Design for change — loose coupling and high cohesion
  • Design for fault tolerance
  • Ownership
  • Minimize the attack surface
  • Leverage defense in depth
  • Security is the default
  • Fix the cause of issues, not the symptoms
  • Fail securely
  • Risk-based approach
  • Trust but verify
  • Simplicity
  • Avoid security by obscurity

Test, test, and test again

Another crucial part of keeping a company and product secure is identifying and fixing vulnerabilities. To ensure this at Flo, we engage external specialists who conduct regular testing of our infrastructure, applications, and APIs to provide insights into any areas of concern that need to be addressed.

Some of our approaches to Flo’s external security health checks are more creative — like our collaboration with HackerOne. It gives us a different set of reports, often more inventive in approach but just as valuable. HackerOne also enables us to properly reward people who disclose vulnerabilities to us in an ethical manner.

But don’t be mistaken — not everything is external. At Flo, we have our own internal resources to test our systems at a deeper level and with a narrower focus, to make sure every layer is covered. We additionally employ automated tools to gain further coverage at different stages of the secure software development lifecycle (SDLC). This brings the benefits of shifting security left in the SDLC and results in issues being found faster.

Company onboarding

To keep Flo’s data and systems safe and secure, we make sure every new team member understands the security-based responsibilities they have in the business. We take every employee through a series of onboarding lessons, where they get educated on the need for security, how to stay constantly alert, and how to get support if required.

To finalize

At Flo, we make every effort in all areas and domains to keep user information safe and secure. We deeply respect the information provided to us and are constantly looking for new and improved ways of building secure systems and processes. Our users are at the heart of everything we do, and their data security is a key pillar at Flo.
