At B2B Rocks 2019, I took part in a panel discussion titled “How to Shape the Most Reliable and Secure Tech.” We had an interesting talk about how B2B companies can improve security, particularly around doing so as they scale up. I’ve been thinking about our conversation recently, as the day-to-day has shifted for people all over the world, so I wanted to take a moment to share some of the insights from the talk.
The panel featured Maxime Cartan (co-founder & CEO of Citalid), Apolline Aigueperse (Director of Cyber at CybelAngel), Giovanna Giammarino (VP Engineering at Alkemics) and myself (co-founder & CTO of Sqreen).
Why B2B companies should take security seriously
We started with a discussion around why this matters at all. Why should B2B companies care about security? At a certain point, your customers will ask you what you do to make your product secure. This is one of the main reasons companies start taking security seriously. If they haven’t done so previously, it often leads to some surprises.
A lack of security can be a real blocker in the buying process. Apolline has even seen that many US-based companies won’t do business with you if you don’t have an ISO 27001 certification.
A second driving force is a security incident. Whether external (e.g. hackers) or internal (e.g. a developer deleting important data or a data leak), this will make companies look into security more deeply.
My take on this is that even if you think it won’t happen, your customers will ask you about it. You should make sure you have a satisfying answer when that happens.
Now how can we shape the mindsets of all stakeholders so that security and reliability are included in the entire process?
How to build security in your process
All panelists agreed that security is a concern for everyone. But not everyone can be an expert, of course, so it’s okay to have a security team or someone responsible for security. However, Giovanna made a good point that this team or person can’t take an authoritarian stance and block everyone.
The approach you take is really important. To me, members of the security team should be enablers. Specifically, I believe developers create the value of your products. That’s why you want them to be able to work as fast as possible. Having someone constantly saying “no” to them will slow them and your company down. They’re too important to your business to allow this.
The security team should work hand in hand with developers. Luckily, developers are often eager to learn, so they are a great team to partner with. But developers are not the only team that the security team needs to work with. Most data leaks are caused by human mistakes, and these humans can work anywhere in your company: product, support, marketing, sales, etc.
I believe strongly in psychological safety in this regard: you want people to feel safe and raise flags when they feel something is wrong, or if they think they made a mistake. This comes down to culture and the way that you as a security owner share your policies with your company. Removing internal retaliation and blame from security makes it much stronger. This allows everyone to be committed to security, not just developers.
Non-technical people can have less of a security culture. But we find that when we explain why security is important, marketing and sales departments are also on board. If it makes your product easier to sell, or your company more trustworthy, they have an incentive as well. Then you can give them training, put in checks to see if everyone is still compliant, and repeat the process.
What are some actionable tips and tricks?
The final part of our panel discussion was about some real techniques that we use to get everyone on board and to educate them about security.
One thing we do is organize a hack night every other month. We focus on a specific vulnerability and have one engineer set up a server. We buy food and drinks for the team and then spend a full evening hacking the server. This is a super easy and fun way of spreading the word about security.
Other techniques that were discussed during the panel were:
- regular presentations about data leaks and the business impact
- including security training in your onboarding process
- using KPIs to measure security
At Sqreen, we have a small but fun little way of keeping security on everyone’s mind. If someone leaves their computer unattended and unlocked, whoever catches it sends a Slack message from the person’s account letting the company know that they’re bringing cookies for everyone. Yum!
But we also take more serious measures. For example, you can offer password managers to your employees as a perk. They can use it for their personal passwords as well — it makes their life easier, and it makes the whole company safer.
Finally, I recommend doing regular penetration tests. It’s a chance to educate everyone:
- the C-level executives
- the sales team (because they’ll use the result to sell the product)
- and the developers (because someone is judging their work)
At Sqreen, we do a pentest every year. If you can communicate this well internally, there are benefits that can last until the next pentest.
More security means a better business
It was a great time getting up there and chatting with my fellow panelists. We all agreed that security is important for the health of B2B companies, and that everyone should be involved. With all of the uncertainty these days, these tips and approaches are still relevant. For example, if you’ve moved to a distributed team right now, building that security culture of raising any issues that someone in the company comes across is more important than ever.