BSides Oklahoma - Security on a Budget: Building Security from Scratch
Event date: 30 April 2021
In my career, I've had the opportunity to help build the security program for a startup which suddenly became successful enough to become a target. Growing transaction volume also brought it into the ambit of PCI DSS Level 2 compliance, with Level 1 projected in the near future. Joining as the second hire to the Tech Security & Compliance team after the CISO, I helped roll out multiple products and services, from evaluation through managing the implementation projects. Getting buy-in and budgetary approvals from the Board and Executive Leadership required us to develop a staggered, results-driven approach shaped by the concept of Defense in Depth.
In addition to my experience as an operator in a new Security team, I’ve had the opportunity to advise such teams in my role as a Security Consultant. From Series B+ shops to household names on the verge of going public, my startup clients span a spectrum of sizes and security maturities. This session will include lessons learned, mistakes made and recommendations provided.
The presentation combines lessons from my time at the startup with what I have learned advising startup clients on their security posture, and covers the following areas:
1. Understanding business requirements and company culture
2. Defining guiding principles and security philosophy
3. Understanding current state and desired future state
4. Implementing staggered Defense in Depth (admin, physical and technical security)
5. Establishing governance mechanisms
6. Reporting and communications
I plan to engage the audience by talking about actual examples from anonymized clients. I also intend to invite audience participation in narrating anecdotes on managing security on a small budget. Specifically, I will be inviting input on prioritization, communications up and down the chain of command, and lessons learned, with a focus on failures.