Keep it secure but keep it centralized. Kevin Paige of logistics startup Flexport spoke to Pulse on the importance of a holistic mindset when it comes to cyber security as well as why seeing the CISO as just a problem solver is never the best way to go for a company.
How serious should startups be about cyber security?
If you’re going to collect any kind of data, you should be thinking about how you’re going to protect that data. On our news feed that we have coming in, every day there’s a new new breach that we hear about. Security is a problem and until we have a security-first mindset as a startup, then we’re going to keep having these problems.
And it’s only going to get worse because people are making the same problems that are very easy to fix. For example, they’re not configuring S3 buckets properly or not patching external facing systems properly. People are getting that because of these common issues and then ‘script kiddies’ and people that aren’t experts in security are black-hat hacking or finding issues and sucking down data. People really need to start thinking about problems earlier.
Could you describe what you mean by a holistic approach to cybersecurity?
Holistic is a super vague term. We can’t look only in one area and think that we only have one problem. For example, if we’re going to do vulnerability management, we can’t only be worried about patching operating systems. We need to understand our entire staff, our entire infrastructure and we need to bring it all together into a centralized view in order to make sure that things are correct.
Then we have to give the right people the right incentives to make sure that they think about fixing these problems early and then use them. We didn’t make sure that we’re looking at open source libraries, as our developers are building code. We need to make sure that we’re looking at the code that they’re building before it gets deployed. You need to be testing the code once it’s deployed. For an engineering organization you’d be testing the infrastructure and then you need to bring the data to a centralized view to really understand the risk.
When I’m saying ‘holistically’, I’m just using it as a term to bring the teams and data together, to add context to the data and give people visibility, transparency and an understanding into why it’s important to fix things or operate a certain way.
How do you structure a team best to deal with IT complexity?
Conway’s Law is important. It depends on the size of the company and the size of the stage of the company. The one constant in life is change. So you really need to teach your organization that they’re going to change consistently.
I’m at a fast-growing startup and every month we’re creating a new business unit thinking about a new way to do things. If we keep the team structured at the same while the business evolves, then how are we going to be able to make sure that we’re going to be able to keep up with the business? It has to be in our DNA that we’re going to change our structure to ensure that we can make the business successful. If we aren’t doing that, then we’re failing the business.
That’s why I mentioned Conway’s Law. Because we need to make sure that we’ve got the organization designed to be able to solve the most important problems of the business. If the business changes and our IT organization or security organization doesn’t change or adapt slightly in order to meet those needs, then chances are we’re not going to be very effective.
What do you imagine would be the biggest structural changes that you’d see over the next few years?
A recent structural change that I brought into the organization was building a team focused on integration. We use commercial products and everything has to be integrated, right? I didn’t want one-off integrations or custom-built integrations. I wanted to use an integration platform. I wanted to standardize how I do authentication, auditing and logging.
I also wanted to standardize how we deal with sensitive data. Once I’ve built that standardization, people can do their integrations or people can expose APIs in a secure way and build composable apps: applications on top of those APIs.
I’m helping solve security problems by doing it that way and helping it be more effective. So a recent change that we did was we structured how everybody who’s working on integrations — internal integrations for SAS products — to be on one team with one structured platform with one way of doing things.
You’ve said before that the CIO has to be CISO as well. What did you mean by that?
If you’re a CIO you need to be focused on technology. Those could be CTOs or lots of different titles but I think it’s important to have a security-first mindset. If you’re relying on your CISO to be able to solve problems, it’s already too late. The business decisions were already made. The products and the tooling were already selected. Now the security teams are going to come on after and give you a risk analysis and tell you what the problem was.
We’re going to keep having data breaches if we don’t start changing our behaviors and changing the way we respond and solve problems. The whole idea of a CISO is almost a ‘cover-your-ass’ position as opposed to a real strategic position that’s there to help enable the business solve problems.
They have to be positioned along with the CIO as a business leader that’s helping minimize risk and solving problems early as possible in the software development lifecycle.
