Security For PM: 5 Ways to Reveal Your Security Practices
Cybersecurity is among the most significant trends over the last decade and has become even more important now, especially due to more remote work being done. From ransomware to cyber espionage, hackers have developed sophisticated techniques to break into your project/company data and get away with critical information or demand ransom.
Even well known organizations such as Canon, Garmin, Twitter, Honda, and Travelex have fallen victims to malicious actors. A data breach can be a disaster for your company/project, destroy the trust of your customers, and spoil your company’s reputation.
Many Project Managers still happen to think that project security is the responsibility of other people – software architects, DevOps, InfoSec specialists, and so forth. However, it is a PM’s task to ensure that the product you create or services you deliver are secure. In a series of articles dedicated to security, I will focus on three main topics:
- How security can be checked and what are the unexpected security issues you may face starting a new project.
- Five ways to ensure the development of a secure product and make your project safer.
- Useful tips on implementing security practices to SDLC.
Let`s waste no time and start with the first one.
Not by checklist alone…
Security is no longer a ‘nice to have’ option. Every business starting a new project with a 3rd party consultancy wants to make sure a vendor follows security practices. The easiest way to do that is to have a vendor complete an assessment checklist that contains a section dedicated to ensuring security on the project. Basically, such a checklist is nothing more than a company's idea of how good their security program is. In fact, the situation may significantly differ.
There was time when companies were satisfied with the information provided in those checklists. Now businesses are looking for something more than just words – some proof that you have actually implemented security practices and are also following them in your daily work. How exactly can this be proven? Below are the five most common ways.
1. Tracing the company on the Internet
There are two main paths for gathering information about your company. The first one, OSINT (Open-source intelligence), suggests collecting data from publicly available sources, including media (newspapers, radio, and television, etc.), online publications, blogs, discussion groups, YouTube, and other social media websites, public government data (reports, budgets, hearings, telephone directories, press conferences, websites, and speeches), technical reports, patents, working papers, business documents, newsletters, and more. That’s a lot (A LOT) of information! Yes, it takes time to analyze it, however it is an efficient way to pinpoint any weaknesses the company used to or still has regarding data security.
Find out how we develop software with security practices in place.
Other methods that organizations may fall back on are specialized platforms and tools for 3rd party risk assessments. These solutions like RiskRecon, BitSight and others provide ready-to-use assessment procedures, which help to rate a vendor and make an informed decision whether to work with them or not.
So, you see that everything you make public can influence the whole picture. An app that contains a vulnerability influences your reputation, even if that app was for internal use, even if it happened years ago, even if it was published for just an hour. You may forget what you uploaded in the network. The Internet does not forget. It is in your power to reduce the areas of attack and minimize the information that can be used against you. Look carefully at what you make public.
2. Сonducting an independent evaluation
One of the most popular ways to confirm that a vendor follows all security practices is conducting an external evaluation. You have to make sure that the results of such an evaluation match what you have specified in your checklist. Otherwise you will find yourself in a very weak position. Thus, when filling in the checklist, omit any false information and try to refrain from embellishing reality. If you realize you are not good enough to successfully compete with what you have, then this is a call to action – improve security in your company because you`ll have to do that anyway. This is a requirement of the changing reality.
3. Reviewing internal pentest reports
To check how security actually is on your project, your potential customer may request your internal reports on the penetration testing. Such testing should be conducted at least once a year or before any major releases. So, if your project runs, for instance for three years, you should provide a client with three reports and you`d better have them all. Take it as a rule that you make pentests every single time, control this issue on a regular basis so when the time comes, you do not have to rush to find a way out of the situation.
4. Checking for phishing awareness
When declaring that your company implements security practices, teaches its employees how to develop secure software and how to defend against modern threats, remember that your customers may want to check if it is true. Among other things, this can be done by sending out phishing emails. If your company received a phishing email and your employees responded to it, it means security practices are not as good as you imagine. This is a red flag for the client that your team does not know or follow the basic security rules and puts your current customers at risk. Make sure you trained your team how to identify phishing emails and how to act when receiving one.
5. Listening to what you say and how you say it
Direct communication is of very high importance in any case. Communication about security is no exception. What you say about the security practices in your company and how you say about them is a litmus test whether you know the subject or not. Enlist the support of your colleagues who are experts in the field.
Don't risk taking a chance that your customer knows just as much as you do. Funny but it works both ways, it doesn’t matter if you are a security guru or not. Even if you are perceptive in the area your task is to ensure that you can develop a safe product, not to make a client feel uneasy about the level of their knowledge in the field.
There are numerous ways to find out if your understanding of how security practices are implemented within your organization is actually followed in reality. If you are not sure, you should take the right steps on your way towards building efficient security processes. If you are still worried about the safety of the products you create or if you are eager to find out the main pitfalls Project Managers face on their path to security, read the second part of the article.