How We Built Out a Fortune 100's Security Program from Scratch


Introduction

Architecting a security program for a Fortune 100 corporation involves a different set of considerations, skills, and maintenance tasks than a program for a smaller organization.

For starters, there’s the trust element.

A corporation at that level requires next-level security across an enormous attack surface, and it is quite normal for them to pull in different agencies and organizations to bring their particular expertise to bear on any given part of it. For instance, a physical security red team is going to bring completely different insights from a cloud-based web application security team. One size absolutely does not fit all, so part of a major corporation’s security strategy has to be identifying the best of the best in each security discipline.

A particular F100 company had multiple commercial off-the-shelf products in its environment and was searching for a way to test the security built into these applications. A third-party vendor already working with the company listened to their concerns and the shape of the problem, and recommended that the F100 go with Exfil.

Exfil, with its extensive experience in testing applications to ensure they are safe to deploy in an enterprise environment, was a natural choice.

Listen, Then Understand

“It’s important for us to understand the business, so be prepared to talk to us about the who-what-when-where-why of your business, so we make the right calls. From there, we need to understand the business units impacted by the service offerings,” says Darren Davis, Exfil’s Vice President of Sales and Marketing.

“Once that’s done, it’s important for our clients to understand we’re not part of the prevention team. It’s our job to understand what they do, and to put services in place that help them do their job more efficiently. We’re asking questions about why apps were developed, what problem the app solves in the environment, if we’re looking at payroll, why did you buy this product, what information within the product would you consider valuable (PHI, etc.), how would a breach affect the organization? What’s the business purpose of the app? And so on…”

Putting the Program in Place

Taking over an existing program is generally easier, the same way improving an existing home is easier than building one from scratch. But in this case the program did not already exist, and Exfil had to start by building the foundation.

Stakeholder Buy-In

Stakeholder buy-in is foundational to the success of any program. Without it, even the best program is likely to end up on the budgetary chopping block in some future quarter. With information security projects it is even more critical, because security skills are often a black box to the rest of the business, which adds unnecessary opacity to the buying decision. So making the case to department heads for continuous testing of the applications deployed into the corporate environment could have been a challenge.

Enter Exfil’s belief that the best way to accomplish this is to sit on the same side of the table as the user community. In doing so, they get a better understanding of the business needs behind the applications being implemented. So this adventure truly began with multiple meetings with the teams, really listening as they described the landscape and what they were hoping to get out of the testing program.

Continuous Testing

Security is not a single point-in-time event: not only is the internal environment changing as users and applications come and go, but the external landscape of vulnerabilities is in constant flux. So walking the line between wanting to call the work “done” and wanting to establish a culture of continuous security within the organization involves a significant amount of communication.

And that’s another place where Exfil shines. Early on, they set up meetings of varying formality at varying cadences, so that if at any point there was a question, there was a touchpoint close at hand where it would be answered. Davis puts it this way:

“Exfil’s primary focus is the client and their needs. Based on our experience in multiple industries, we are able to provide a cross industry analysis of our clients’ security maturity level. Understanding and being educated on the business of each department and how it flows into the company goals, allows for the development of a less punitive, more collaborative, security program.”

So Exfil listened to their customer, and then they acted.

Respect for a Big Machine; Getting Work Done as a Small Machine

In most basic infosec engagements, the security team takes the lead in educating, orchestrating, and drafting the security plan, and the in-house team then takes responsibility for executing against it. But in a large organization with many formalized processes that have to be taken into account, coordination is the biggest obstacle. Davis says,

“It’s extremely important that everyone understands their individual roles in creating a successful project. We are support, and we work for the business owners.”

Security is a piece of the puzzle, not the puzzle itself. What’s the key piece? “Hands down, it’s about the people at Exfil. We’re very particular in the types of people that we hire, and we have an extensive coaching and development program that helps them understand company goals for clear execution of a project. The Exfil team is committed to the idea that it’s not about us, it’s about them. We are ‘help first’ oriented, and not all about some security ego ‘gotcha’.”

Success on Both Sides

How do you measure success, as a boutique security firm working with a giant?

Stakeholder approval. “As it relates to the engagement, as it relates to the communication around the engagement, as it relates to delivery, accuracy of reports, follow through. All things we have massive credits for,” says Davis. When problems are being solved consistently, when the security footing is strong and stable, when communication flows easily from the client to the security team and back again, then we know that we’re doing the right thing and doing it well.
