We recently interviewed Brian Castagna for our Cyber Security Practitioner Series on the topic of how enterprise organizations should view their information security programs as a revenue driver as opposed to a cost center.
Brian shared his wisdom with us on his approach to revenue driven security programs, and how he uses this while serving as the Director of Information Security at Oracle Bare Metal Cloud.
Tell us a bit about yourself and your current role.
I’d like to start this Q&A with a confession. I’m trusting you as the reader with my secret. (in a whisper) “I used to be an auditor”. Sssshhh, don’t tell anyone. Yes, I was one of those smug 22-year-olds who cost $200 an hour and asked you “what’s Linux?”. I started my career as an IT Auditor performing SAS 70, PCI DSS and ISO 27001 audits at various public accounting firms including KPMG, PwC and Schellman. And while I jest, there is tremendous value in building information security programs by starting with a strong foundation of IT general controls - access, authentication, change management, backup, and monitoring.
After 8 years of evaluating the security and controls of technology service providers, I realized I wanted to do more than just find the security issues, I wanted to fix them too. For the past 5 years I’ve been building information security programs at venture backed technology companies including Jumptap, Acquia and Dyn.
In my current role, I lead the information security program for Oracle Cloud Infrastructure (OCI) Edge Services. Formerly Dynamic Network Services (DYN), OCI Edge Services runs DNS, Monitoring and Email services for the edge of Oracle’s V2 Cloud.
Organizational leadership teams often make information security investment decisions to prevent or respond to a security breach. Should this be the primary driver for information security investment?
Information security is a great case study in human behavior. We are a reactive species. Why did you get that new home security system? Because a robber just broke into your house. Why did you start eating healthy, and stop drinking Cokes, eating Oreos and fried food? Because you now have type 2 diabetes. Why do organizations make significant increases in information security investments? Because they just had a major security breach.
A common attitude among corporate executives is the following:
“Why would I invest money in information security when we haven’t had a security breach? And if I did invest money in information security, it’s really just an insurance policy to protect against a cyber attack.”
This is the wrong line of thinking in my opinion. This type of attitude has contributed to the myriad of breaches we see in the news every day.
Here are four areas that I believe should be drivers for information security investment:
Revenue: It’s the money, stupid. What if information security was an implicit or explicit revenue center? What if you used metrics to directly tie information security to increases in revenue? People respond to money. If investments in information security could open up new segments of the market such as healthcare, government or e-commerce, that is an eye-opening pitch to executives vs. “we need to protect against X scary event in the future.”
Shorten Your Sales Cycle: Are you living quarter to quarter? Anxious to close that seven figure enterprise deal to secure your next round of VC funding? If you are able to meet or exceed your customer's security expectations this will shorten your sales cycle with the security and legal hurdles found at larger enterprise customers.
Marketplace Differentiation: Customers of cloud service providers demand a strong security story. If you can articulate your security to customers in a confident, but not boasting manner - you will get more customers than your competition.
Nature of the Business & Data: What you do for a business, and the types of customer data you maintain should have a strong influence on the level and type of information security investments your organization makes. For example, you are a Fintech startup and take on personally identifiable information and bank account data in the cloud. Your customers (banks) require security. Regulators (SEC, privacy laws) require security. Auditors require security (external, customer auditors). You require security, because you need to meet the needs of customers, regulators, auditors and most importantly to grow and mature your business.
How do you approach building information security programs to drive revenue?
I take a customer centric view when I build information security programs. With that lens, it enables me to get more buy-in within the business driven departments at an organization from executives, customer support, sales, account management and product. A customer centric security program is a win not only for the business in driving revenue, but for security teams as well - as enterprise customers have expectations much more stringent than compliance standards. Here are some of my focus areas to drive revenue:
Compliance: As a former auditor, I have a love-hate relationship with compliance. Love, because foundational IT general controls bring a baseline level of structure and health to an organization. That makes me happy :). Hate, because compliance is often window dressing, with insufficient focus on mitigating the relevant threat models to a particular business - be that strong vulnerability management or security incident response. Out comes the sad face :(. The reality is, compliance is now table stakes. If you want to sell to mid-market or enterprise, you need the acronyms: SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS, HIPAA, FedRAMP, etc.
Customer Visibility: Customers want visibility into the security of your product or service beyond the audit reports and questionnaires. Figure out a way to provide them that visibility, and you will break down sales barriers.
Answer the Hard Questions: Gone are the days of easy security questions from enterprise customers. I completed a 420 question security questionnaire the other day. If you can answer the hard security architecture and configuration questions well, it will help you get that top 20-30% of revenue that’s been elusive to your business.
Charge for it: Why hello, Mr. Customer. We are offering three product models: Bronze, Gold and Platinum. The Platinum offering comes with these five additional security features and services. Which product do you prefer? The customer likely has to get past his own corporate security team and make his boss happy. Security should be an easy upsell.
Internal SLAs: Go hard. Make your security team service providers. Respond quickly with internal SLAs on requests from customer support, account management, and sales. Not only will you be making friends and kissing babies within peripheral business units, but you will make customers happy.
How does an information security program impact a company's enterprise value?
A properly designed and implemented information security program increases enterprise value. There are implicit and explicit benefits to having the right level of security, structure and control.
Implicit examples include things like new hire and termination processing, and background checks. Having functional, and ideally automated, baseline IT general controls will save your entire company time and money. There is tremendous value in making security easy and automated. In a recent conversation I had with the CISO of a Boston tech company, he made the decision to only allow third-party technology vendors that integrate with his company's single sign-on system. That’s a great example of a security policy that is driving implicit enterprise value, where dozens of security administrators are not required to manage access to 90+ third-party applications.
A more explicit example is opening up a new market segment. For example, as a cloud service provider you cannot do business with the Federal Government unless you have FedRAMP compliance. Get FedRAMP, and open up a market segment where the revenue, and resulting increase in enterprise value can be explicitly tied to your efforts as a security professional.
How do you approach building security teams?
Building high-performing security teams is both challenging and exciting. There is a huge talent gap for the required information security skill sets, particularly in security architecture, security engineering, and security incident response. Couple that talent gap with the need for a blended skill set of technical and people skills, and you find yourself on a unicorn hunt.
I build security teams with skill sets that complement each other. For example, some team members have a technical focus, or a people focus, or a queue based focus, or a project based focus. I approach team building by recognizing strengths & weaknesses, orchestrating the use of those strengths, and equipping my team with the right message and tooling to effectively execute.
When is the right time for a company to build out an information security function? Why?
To answer this question, we first need to evaluate the applicability of the information security investment drivers discussed above. What’s the target market for customers? Nature of the product and data? Risks to the business? Based on the answers to those questions, it’s easier to build out a roadmap or staffing plan for security.
However, herein lies the challenge for building the security team. Often this question is driven by customer compliance requests - such as a SOC 2 audit - and not by a meaningful business strategy. If I had a nickel for every time a recruiter messaged me on LinkedIn stating a company needs an information security director to get them SOC 2 compliance, I would be a rich man.
So, how do we answer this question? Let’s start with some simple yes and no questions:
1. Are you a SaaS, PaaS, or IaaS provider?
2. Do you operate in the Cloud (e.g. AWS, Google, Azure, Oracle)?
3. Do you want to sell to mid-market and enterprise customers?
4. Do you want to sell to regulated industries or geographies - healthcare, financial services, government, e-commerce, European Union?
5. Do you take on sensitive customer or consumer data - intellectual property, source code, PII, credit card data, bank records, and/or strategy documents?
If you answered yes to #1 above - you should likely hire an information security resource(s) by the time you are 200 people.
If you answered yes to #1 and any of #2-5, you should hire an information security resource(s) between 50 and 150 people. The more questions you answered yes to, the closer you should be to hiring for information security after 50 people.
A common misconception is that security is a one-person job, and you just need one manager, director or CISO. Information security is not a person; it is going to be a team, where the scope, scale and timing of building that team depends on the nature of your business.