
Make Security First a Priority, or Perish

Richard Hyatt | Security First, Blog

When I think back to my childhood, I can clearly recall two of the earliest instances when I was exposed to the concept of cyber security. The first and most vivid memory I have is of reading “The Cuckoo’s Egg,” a true story by Clifford Stoll about hacking and computer espionage. The second is of watching “War Games,” a movie in which a young Matthew Broderick hacks into a military supercomputer. Beyond simply helping to shape the direction I would eventually take with my career, these works turned out — at least on some level — to be harbingers of the future.

Fast forward to the modern day, and we’re living in what I would classify as World War III. Instead of being fought with the nuclear weapons that Broderick was on the brink of unleashing in his movie, however, today’s war is playing out in cyberspace. You don’t have to look very hard to find examples of the attacks happening all over the world. While China and the United States are often at the center of the most publicized ones, the truth is that there’s plenty of other malicious, state-sponsored hacking going on all around us.

All too often, Fortune 500 companies find themselves in the crosshairs of these international battles. This is something we’ve seen play out time and again in the media in recent years. And while they’re certainly a major target, it’s important to note that they’re not the only ones.

The fact is that you and your business are also very much at risk, all the more so when you consider that hacking has evolved from a test of skill where the rewards were primarily bragging rights into the full-time, high-paying job of untold numbers of people. Today your business’s biggest threat could very well be the guy two houses down, who you just think spends way too much time on his computer. Being a hacker is now a ‘career’ for some people in the same way that others are accountants and lawyers.

The point, of course, is that no matter what size business you are, you’ve got to take security very seriously. Simply making sure that security is on your radar, where it will no doubt compete against countless other priorities, isn’t enough. Instead, you’ve got to put security first so that it’s baked into both how you do business and how you build software.

Make your MVP Secure

I don’t think it’s possible to build a software company these days without having security be your starting point. That was certainly the case at BlueCat, the company I co-founded with my brother. Early on, our challenge was to get a DNS server in a data center that could sit in front of a firewall and still be secure enough for potential customers to feel comfortable.

Before writing our very first line of code at BlueCat, our thought processes revolved around how to do everything securely. There are lots of reasons why, but the most important one is this: layering security on after the fact just doesn’t work. Sure, you can try to, but I guarantee that you’ll sink your own ship in the process. Instead, what I always advocate is that security needs to be part of your minimum viable product (MVP). That, of course, means that it’s got to be part of your thinking from day one.

Make Security a CTO Priority

Security needs to be a top priority for every software company’s CTO. They can’t simply delegate the issue to a security professional, because when that happens the team doesn’t ever really learn. Instead, the CTO has to lead by learning as much as possible about security. That doesn’t mean becoming a world expert on security, but rather being well-versed on the subject, especially in those areas that directly impact the business.

A good CTO will read the various security journals as well as papers on how different companies have done security and what’s changing, how they’re doing authentication and authorization, what weaknesses they’re seeing, and so on. Reading about attacks can be particularly helpful for understanding your own potential vulnerabilities. For example, how were Slack or Ashley Madison hacked? How did the Sony attack go down? What are the big mistakes being made that you can learn from?

Computer Security Isn’t a Hobby

While it’s important to learn and stay current, it’s also important to recognize that computer security is a highly technical and specialist field. You need to make sure you have the skills and experience on the team to make it work. It’s not a good idea to take a hobbyist’s approach to building a secure infrastructure. Instead, you need to hire experts who live and breathe this stuff day in and day out.

As such, computer security is also not the area in which to roll your own in-house technical solutions. Companies should not be inventing their own authentication or encryption algorithms unless they have sufficient expertise in house. All too often I see developers creating custom encryption technologies only to discover they lack the technical depth to support them. Unless you’re an expert in those fields, use code from someone who understands how to thwart attacks and maintain integrity. Too many companies take a really naïve approach to security and yet are still surprised when they get nailed and have a breach.

Hire the Hacker Mindset

I was always taught that if you want to think about security, you have to think like a hacker. That doesn’t mean breaking the law. What it does mean is always thinking about how someone could get into the systems you build and use, bypassing their security in the process.

My preference is to hire individuals who think this way, who aren’t focused on how quickly they can hack something together, but rather on how well they can build something that will stand up to an attack.

Always Start with Security

As an angel investor I talk to lots of early-stage companies. Unfortunately, far too few of them are making security a priority. Instead they’re focused on getting something out the door, seeing what works and scaling it up. Before they know it, they have a system with real user data and real security issues.

But you can’t just throw security in after the fact. To be effective, it needs to be right at the core of the design. In fact, you have to take security into consideration before you start writing any code. Teams should set up the infrastructure, make sure it’s secure, then start designing and writing the software application. That’s what adopting a security mindset is all about.

Here’s the bottom line: You have to think of security first and make sure it always remains a priority. Period.