When and what do you look for in a first security hire?

Both agreed that the ~50+ FTE mark is an appropriate stage to consider your first security hire. For org size context, Asana has ~1000 employees and a security team of 14. Lemonade is ~330 employees and Jonathan (CISO) is the only security FTE, currently building the team out.

What kind of profile are you looking for?

  • For B2B: This person will likely be tasked with convincing prospects that you're secure. Therefore, look for a Director-level hire focused on InfoSec who has outward-facing presence and says the right things to customers. A security engineer is not the right fit.
  • For B2C: You'll want someone who focuses on technical security first vs. being an external presence. For example, this person will be tasked with (1) making sure AWS configuration is tight, (2) help your app developers with security best practices, (3) secure IT.
  • In general, you will always have security debt (bug bounty reports, mixed penetration reports); you should start with someone who is Director-level who can think strategically about those issues.

How to evaluate vendor security:

  • Asana has a pretty straightforward rule: every company they do business with should do a better job at securing their own data than Asana does. If you're dealing with a large vendor, it's not a matter of whether they are secure (Salesforce, AWS both have world-class security teams), it's a matter of whether your company is set up to use that vendor correctly. Both recommend hiring security consultants to make sure you get it right.
  • Streamline your inbound vendor reviews with Loopio. "Worth its weight in gold." Require your Sales Engineering and InfoSec people to use it.

How to measure risk across the business regarding potential exposure:

  • At Asana, they collect the top risks and then gather a cross-functional group of subject matter experts (our superforecasters) which estimates how likely and how impactful a security failure would be in a given department. For example, a salesperson might say if the customer list was leaked, it would take X months and Y dollars in marketing to rebuild our pipeline. Asana's top risks for the year are based on these forecasts, and their annual planning addresses which of those are top priority to focus on securing. Asana's group consists of folks from legal, exec team, security team, and sales—"I want the widest group that can give me a full picture of risks and implications."
  • Lemonade identifies resources and the different types of risk (account takeover, etc.) and ranks them on a 1 to 6 scoring system (calculating risk probability multiplied by amount of harm). Anything over a 4 is then prioritized accordingly and linked with host expensive it will be to fix. This then informs quarterly security goals.

How to deal with security ops compliance internally:

  • Both Lemonade and Asana agreed that the security team sets the philosophy, the IT team handles the operationalization of that philosophy.
  • Bonus: password policies! Enforce a longer, more secure password that you don't rotate frequently. This tactic is reinforced by something called the 800-63B standard—Google's paper that found that if you make people rotate passwords they'll continue to make them easier and easier (and thus more prone to breaches). Instead, have multi-factor authentication (MFA), set your password to 12 characters, and pick a phrase vs. one word.
  • Tip: be careful giving any security control to HR (Okta, etc.), you really want IT to set that up and integrate it with your existing HR system. 

What's the best setup for early-threat detection (endpoints & servers)?:

  • Asana: For endpoints, don't use antivirus anymore. Get endpoint detection & response; the best out there is Crowdstrike (ask for Falcon Complete, where they will detect and address the problem themselves. You don't have to do a thing). For servers, it's a bit more complicated and less clear, but Asana uses a mix of Capsule 8, CMD, and GuardDuty.
  • Lemonade: Lacework is great for identifying anomalous behavior and it also will tell you about your AWS resource configuration and security gaps given your setup. Orca Security is great for realtime detection and also looks for passwords/PII + alerting of incidents. Finally, Bridgecrew is similar to Lacework, but will give you code to help with security remediation.

Should employees be able to buy software without approval?

  • While many smaller companies let employees buy software that connects to sensitive data, Lemonade and Asana warned that you'll pretty quickly have to break that habit. Somewhere around 50-100 FTE, you'll at a minimum need to centralize spend management and also implement lightweight approvals.