High-Security Posture: 3 essential components for a trustworthy product
Orr Nir
Website Ops & Security | May 23, 2022
Fighting the Fake Web means giving our customers the trust and transparency they need to accomplish their objectives in the digital world. This is not a one-person job – it belongs to everyone. As a company, each individual has a shared responsibility for security, and this mentality is crucial in increasing the confidence that both the clients and the industry have in us.
From building internal cyber awareness to enabling our product technology to be developed in a safe way, security must be part of every department and every employee’s routine. Having worked in private and public sectors, including for the Israeli military forces, I learned this to be the only way to have a trustworthy product built around a high-security posture.
In practical terms, there are several components that make this possible. Here are three that I find to be crucial:
1- Security as a development enabler
I know it might seem odd at first, as you may think that applying security measures can constrain the work of technological teams. But to be the leader of a category, the mentality must be the exact opposite: security must enable development, not block it.
From upgrading or downgrading features, to scanning and reviewing code, to making sure we have a good UX, everything needs to be done according to a high security standard, because every aspect of the product can have a security impact, including the way the customer interacts with our applications. Once every team understands that these standards provide the right guidance for developing a trustworthy product, minimum impact and minimum security risk for customers become something organic.
One good example is the CHEQ JavaScript tag. The tag, designed to be a seamless addition to websites, was only possible by having security as an enabler for all teams. At first glance, achieving no latency or discernible impact on the user experience, and not blocking or delaying the rendering of the page, might look like a UX concern only. But our teams knew that improving the user experience was also crucial for our security posture. The tag must be bulletproof against attacks, and so must the platform serving it.
2- Being one step ahead
Just as with technology and product development, keeping a high-security posture is always a work in progress. That’s why, while we secure Go-To-Market teams and their strategies, our eyes are constantly open to different security challenges that might come our way.
As these challenges evolve, we, too, need to develop our strategies to face them. That’s possible on two fronts.
One is staying compliant with the latest standards and regulations, such as SOC 2, ISO 27001, GDPR, and others. As we continuously work on privacy and other sensitive security topics, employing industry-standard procedures and policies to ensure data safety and prevent unauthorized use of any information is key. That is how we put into practice a level of commitment to cybersecurity that is crucial for building trust.
The other is constant monitoring. By having a proactive security posture, instead of only playing defense, we stay one step ahead of threats. Here lies the importance of having different monitoring platforms that allow us to monitor the web broadly, 24/7. As we gather information from different sources and investigate the darknet with our cyber research team, we get a better picture of possible external issues, including actions by black hat hackers.
3- Awareness: responsibility starts with tying your shoelaces in the morning
The third component is keeping a high level of cyber awareness. Many people talk about cyber education, but that is only part of it. My belief is that awareness is 80% of cyber security efforts, as every organization is only as strong as its weakest link. Therefore, we continually make sure that even our weakest links are as strong as they can be.
Beyond learning about new threats and different ways of protecting ourselves, being aware means having cybersecurity as an integral part of our daily routines, just like tying your shoes in the morning.
That doesn’t mean that everyone needs to understand concepts like DNSSEC, OWASP, forensics, XML bombs, or XSS. Still, it is crucial to give employees the information they need to stay safe wherever they are, by explaining these topics and running exercises and tutorials on a regular basis.
At the end of the day, the aim is that no one will be a weak link or, at least, that even the weakest link at the company will have a high awareness level of daily security practices. Especially in a working-from-home environment, small practical actions like being vigilant while surfing the web or opening emails can keep the entire organization safe.
___
Orr Nir is the Global Director of Cybersecurity at CHEQ. A former white-hat hacker and reverser, forensics expert, and all-around security junkie.