A Dedicated Security Team
Companies are living entities. As companies and grow and shrink priorities change. Something that wasn't important yesterday is now critical to survival. The larger the company the slower the change happens. But, priorities do shift regardless of the size of the organization.
At some point during this corporate priority shift, someone decides the organization can benefit from having a dedicated security team. The need for in-house dedicated security team can arise for different reasons.
- The ability to to pass regulatory compliance.
- Vulnerabilities continually being found in products.
- A developer gets sick of addressing security issues.
- A corporate mandate that security is the companies top priority.
- A change up to the current way security is being handled.
- Confusion around how the organization is currently handling security.
- A manager realizes they should delegate the responsibility.
Sooner or Later
The core business of the organization determines when the epiphany happens. If a guiding factor of the business model is to have a security team, like a company in the financial sector, then the need arises sooner. A company focused on passing regulatory compliance will understand a security need sooner than later.
Alternatively, A security need may arise because security vulnerabilities are continually being found in the corporations products and applications. Vulnerabilities can be found by an external party you hired (best case) or by an external unauthorized party (worst case).
Regardless of the reasons why you need a dedicated security team, realize the security need means it is a call for change in policy, procedures, and culture.
An Initial Security Hire
Finding an organization who requires a security team immediately can be financially beneficial to a security person. The company has a high need (demand) and since security is a specialized skill set, low supply.
This is the best time for you as a security person to implement change. Changing culture is hard. This doesn't matter if the company has a security need or not. However, when the business understands the security need the security person has an edge. Securing a company is impossible unless management fundamentally cares about security.
If you are going to be the first security hire at the company, asking these questions will help you make a decision as to whether you should join a company in this position.
- Do they have unit tests? What is the test coverage? If you wrote a piece of code and passed all unit tests would they feel comfortable with you pushing to production?
These questions help you understand how mature the company's development team and testing environments are. If they feel comfortable with you pushing to production after passing tests, they have a great culture in place to solve problems. You want the culture of the company to be rigorous about testing their code and improving their code base.
- Does their QA team have an "automation" suite. How many regression tests do they run on their code base? Do they have a way to smoke test their build before releasing it to production? How long does their regression tests take?
These questions help you understand the culture of the management team. Do they believe in sacrificing a portion of time to make things better as a whole or do they believe in throwing people and money at the problem. A company who is willing to sacrifice release time for a better product is a step in the right direction.
- What processes do they have in place before developers can "merge" code into a production and staging environment?
All security boils down to process and procedure. It doesn't matter if you are breaking into something or fixing something. A company that follows process and procedure will be better at security than a company that doesn't. Make sure to ask these questions to multiple people at the organization. If you get different answers then the company has more problems than you can reveal in an interview.
Do you think any other questions are important to ask when thinking about being the first dedicated security person?
Written: October 31, 2012