Information Security

Information Security Can’t Rely on Pinky Swears

This article was originally published on LinkedIn.

“We hire great people” is something we all hear companies regularly communicate.

How do you feel about a hypothetical company that believes the risk of an information security breach is low largely because they hire good people? In other words, their information security strategy is to hire good people and trust them individually to do the right thing. Maybe they even sign a paper pinky swearing they’ll always do what’s right.

Let’s say this hypothetical company houses some of the most sensitive data about you and your family or company that exists. Your information is passed around via email or attachments inside and outside the company. Information is even passed between teammates via chat tools sometimes. Said information is also accessible, editable and exchangeable between partner/vendor companies in the background. This data is unencrypted when stored (at rest) and when passed around (in transit).

Do you know about companies like this? Is this your company? Is a company like this minding your personal data?

While information security is everyone’s responsibility, it is first the responsibility of the company itself. Hiring great people does not alleviate, or defer, the responsibility an organization has to be compliant with information security policies, legislation and industry best practices. If we can’t trust a company to do the right thing, why would we value their brand?

Interesting Things We’ve Heard Through the Years:

  • “Our people, vendors, and partners do the right thing. That’s why we work with them. I don’t think we have anyone in the company who would abuse our customer data.”
  • “First, we must get product to market and prove the idea is viable. We’ll validate viability of our product by customer adoption velocity and demand for new features. If the numbers suggest customers want to buy and use our product, then we’ll figure out what security we need thereafter.”
  • “We’re going to wait and see if this policy/legislation has any teeth. If we start getting fined for non-compliance, then we’ll begin considering if, how and to what extent we need to invest in information security.”
  • “Our industry is not very interesting to most folks. We don’t believe our company, products or services are really a threat to anyone. And we believe the likelihood of being attacked or otherwise exploited is pretty low to non-existent. We’ll wait until it makes sense before investing in some of the information security measures we hear about. It all sounds so expensive anyway.”
  • “It is actually cheaper for us to pay the fines.”
  • “Our customers don’t know any better.”

“Security first” or “security by design” is a choice. And it must first be the choice of the governing board and company leadership before it will become a reality for employees, partners and vendors. If it is not a top-down, constantly communicated, verifiable expectation, it does not exist.

7 Steps to Become a Security-First Organization

1. Internally declare that your company will become “security-first”

When initiatives start at the bottom of the company, they risk dying out due to lack of energy, resources, and attention. Sometimes they risk actually burning up the people trying to get the changes implemented as hope turns into apathy. It is the proverbial “fight against the man.”

As a Board or Senior Leadership of a company, what is important to you is important to the company. If it isn’t, that is a different problem altogether.

For a company to become a security-first focused organization, the declaration of importance, direction, and expected actions must come from Senior Leadership first.

An example “From the CEO” communication:

“Folks, effective immediately, we will put security, privacy, and compliance first in our daily operations. This means with every product, service, interaction, and communication, internally and externally, we will consider what must be secured, how it must be secured and under what conditions we must secure it – data, systems, teams, company and client interests inclusive. It is not a task to accomplish and be done. This must be our DNA. It must be our daily lifestyle. And it will take time to get to a proper baseline of competency and time to maintain, evolve and increase it.

From this day forward there will exist training expectations that must be pursued and accomplished monthly, quarterly and annually. Look for them in your Learning Management System (LMS) assignments. All roles, titles, and capacities. No exceptions. Me included.

And from this day forward you will see our CISO take a more prominent role in defining our pursuits, our strategies and validation of our compliance readiness. We as a leadership team choose to proactively educate our teams, protect our assets and behave in a manner expected by our Founders and those who have come before us to build this great company.

Thank you for your commitment to being the best.”

Top-down declarations become realities.

2. Determine what industry regulations apply to your company

Information Security / Regulatory Compliance is a career. And there is a shortage of people who do this type of work. Find them. Hire them. Leverage them. Knowing what you must align to will save you money. Knowing what you need not align to will also save you money.

A few quick determinants will flush out direction, follow-up actions and investment. The road will be neither short nor easy, but this list will help point you toward what matters, when it matters and to what extent.

  • In what industry do you operate?
  • Is your business localized to your state only? Your country only?
  • Do you do business internationally? What countries?
  • Do you exchange money with customers?
  • Do you ask for and store personally identifiable information?
  • Are you working with non-governmental organizations? Charities? Governments? Militaries? Public companies? Private companies?
  • Have you failed any previous compliance audits?
  • Have you been fined by a third-party organization for non-compliance?

3. Determine what industry best practices will help your company

You may discover your information security folks want impenetrable castle walls, which eventually mean your employees are unable to use the bathroom in the name of security. An extreme.

You may also discover your engineers want the freedom to use anything at any time for any reason in the name of innovation, digital transformation or being competitive. Probable.

And your business unit leaders? You’re expecting them to grow the business, delight the industry and client base. They want to do whatever is necessary and appropriate to meet the goals expected of them as well.

Security, innovation and growth are not mutually exclusive. They must be collaborative and it will require constant, purposeful and involved leadership. Otherwise, it is just theater.

In regulated industries, best practices and compliance expectations are communicated by the regulators themselves, which makes it easier to know what matters and what doesn’t. Where your time will be spent is determining how tightly to dial up the security requirements on your operation and how they will impact friction, flow, deliverable velocity and value from the organization.

Unregulated industries still have communicated best practices and compliance recommendations. In the absence of all knowledge, ask the following questions of your Chief {Information Officer, Information Security Officer, Product Officer, Technology Officer}:

  • Against what information security / regulatory compliance standards must we be measuring ourselves?
  • How are we training our people to be predictably and repeatably compliant with these expectations in our everyday lives?
  • How can we regularly prove that what we expect is actually being employed?
  • How do we culturally make security and compliance a behavioral assumption versus a Learning Management System (LMS) assigned task?

4. Implement role-based security awareness training

No one is exempt from information security. No person, role or title. Like leadership and teams, security is a “we” endeavor.

Not all roles in the company have the same requirements. Some roles are specialized while others are more general. Below is a simplification of this idea.

Specialized: Information Security folks may speak in higher-level terms like confidentiality, integrity and availability. They roll out policies, procedures and learning courses while facilitating internal and third-party audits, and they work the Plan of Action and Milestones (POA&M or POAM) items that result from those audits. They need to know frameworks, behaviors, implementations, monitoring methods and reaction/response ladders, as well as industry standards like the NIST CSF, PCI DSS, HIPAA and so many more.

Specialized: Engineers who focus on infrastructure, networks, data, and software technology stacks need to know about the what, but more importantly, they need to understand the why and how as they do their work. For example: data encryption at rest and in transit, authentication and authorization, securing failover infrastructure, hybrid cloud solutions, bring-your-own-device security, separation of duties, and the least-privilege and need-to-know principles. There is more than one way to implement any one of these concepts, and Engineers need to know them.

Generalized Awareness: Everyone else.

Figure 1. The diagram above demonstrates at a high level how role-based security awareness training could be rolled out and that everyone is a part of it. No one ever gets to be “clueless.”

5. Include the information security role in solution delivery teams

Whether your company calls them Scrum, Strike, Agile, Product or Project Teams, the team construct used to deliver an idea from inception to conclusion often contains multiple roles and therefore multiple people.

In order to become a security-by-design or security-first company, your teams must be shaped to enable the desired outcome. Which then suggests that an information security/regulatory compliance expert must be included from project inception through the course of the project.

This conversation is less about the recipe for roles and teams and more about the desired outcome. Context-driven teams influenced by desired outcomes.

Strike Team Delivery Model
Figure 2. Trility’s preferred team pattern is the use of a Strike Team that always includes an Information Security/Regulatory Compliance expert involved throughout the lifecycle of the project or product. While we tend to construct teams based upon the desired project outcomes, we include an Information Security expert on the team by default.

If the information security people are technical, they may be helpful with design, development, and implementation every step of the way, all day every day. If the information security people are non-technical, they may be more aptly leveraged in a principle-based guidance role during iteration planning, stand-ups, demos and reviews to ensure the project continues to move forward between the fences.

Either way, there must be a full-time champion for the company and clients in terms of privacy, compliance and best practices to achieve the desired outcome.

6. Determine how you will proactively test your ongoing compliance

There are any number of methods to test ongoing compliance. Blind trust. Word of mouth. Internal (infrequent) manual inspection. Third-party annual inspections. Or continuously through automation.

Our typical practice is to identify which attributes of compliance must continually exist and automate those attributes into a series of tests that are called, executed, logged and tagged every time new infrastructure and applications are built. When non-compliance happens, alert someone (as shown below). Otherwise, keep moving. We have some examples out there in the ether for you to thoughtfully consider.

Automated Security Tests
Figure 3. The diagram above shows how you can build-in automated security/compliance tests such that every build now has the capability of logging activity, events, alerts and compliance status.

7. Attach quality and compliance tools to the delivery pipeline

Continuous delivery pipeline behaviors are not new, but widespread awareness and adoption of new concepts takes time to spread across industries, companies, leaders and teams. As more companies adopt continuous delivery principles, the things many companies used to skip because they took too much time, or performed manually, infrequently and in arrears, will be automated, providing real-time information radiators.

Look for vendors and tools that are API-driven, have a great online community, openly available developer and administrative documentation, and active tool support. These tools let you run automated analysis-refactor loops now rather than waiting until later and hoping for the best. It is worth your money to know your risk exposure now.

Continuous delivery pipeline with security built-in
Figure 4. This diagram illustrates where in the continuous delivery pipeline predictable, repeatable and auditable security behaviors may be baked into the solution delivery process now rather than waiting until later.
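Steps 6 and 7 describe compliance attributes turned into tests that run on every build, are logged and tagged, alert on failure and otherwise let the pipeline keep moving. The following is an added example, not Trility’s code and not the output of any particular tool, showing one way to do that in Python: a constructed inventory of provisioned resources is evaluated against checks for the attributes this article keeps returning to (encryption at rest and in transit, no public exposure, access logging and least privilege); each result becomes a tagged JSON log line, failures raise alerts, and a non-zero exit code fails the pipeline stage. The inventory schema, check names and tag strings are assumptions made for illustration.

```python
"""Compliance attributes expressed as executable checks, run against a
resource inventory on every build and emitted as tagged JSON log lines."""
import json
import sys
from dataclasses import asdict, dataclass

# Constructed sample inventory: what a provisioning step might export after
# a build. The schema is hypothetical and not tied to any real cloud API.
SAMPLE_INVENTORY = [
    {
        "id": "customer-docs-store",
        "type": "object_store",
        "encryption_at_rest": True,
        "tls_only": True,
        "public_access": False,
        "access_logging": True,
        "iam_actions": ["store:GetObject", "store:PutObject"],
    },
    {
        "id": "claims-db",
        "type": "database",
        "encryption_at_rest": False,   # violates the at-rest requirement
        "tls_only": False,             # violates the in-transit requirement
        "public_access": True,         # reachable from the internet
        "access_logging": True,
        "iam_actions": ["db:*"],       # wildcard grant, not least privilege
    },
]


@dataclass
class CheckResult:
    build_id: str
    resource_id: str
    check: str
    passed: bool
    tags: list
    detail: str


# Each predicate inspects one resource and returns (passed, detail).
def _encrypted_at_rest(r):
    return bool(r.get("encryption_at_rest")), "encryption_at_rest=%s" % r.get("encryption_at_rest")


def _tls_in_transit(r):
    return bool(r.get("tls_only")), "tls_only=%s" % r.get("tls_only")


def _not_public(r):
    return not r.get("public_access", False), "public_access=%s" % r.get("public_access")


def _logging_enabled(r):
    return bool(r.get("access_logging")), "access_logging=%s" % r.get("access_logging")


def _least_privilege(r):
    wildcards = [a for a in r.get("iam_actions", []) if a.endswith("*")]
    return not wildcards, "wildcard_actions=%s" % wildcards


# (check name, tags mapping the check back to what is being tracked, predicate).
# Tag strings are illustrative labels; NIST CSF function names are real.
CHECKS = [
    ("encryption-at-rest", ["data-at-rest", "nist-csf:protect"], _encrypted_at_rest),
    ("tls-in-transit", ["data-in-transit", "nist-csf:protect"], _tls_in_transit),
    ("no-public-access", ["exposure", "nist-csf:protect"], _not_public),
    ("access-logging", ["monitoring", "nist-csf:detect"], _logging_enabled),
    ("least-privilege", ["access-control", "nist-csf:protect"], _least_privilege),
]


def run_checks(inventory, build_id, checks=CHECKS):
    """Evaluate every check against every resource; one result per pair."""
    results = []
    for r in inventory:
        for name, tags, predicate in checks:
            passed, detail = predicate(r)
            results.append(CheckResult(build_id, r["id"], name, passed, list(tags), detail))
    return results


def to_log_lines(results):
    """One JSON object per line, ready for a log platform to index by build and tag."""
    return [json.dumps(asdict(res), sort_keys=True) for res in results]


def failures(results):
    return [res for res in results if not res.passed]


def alert(results, out=sys.stderr):
    """Raise one alert per failing check; returns the number of alerts raised."""
    failed = failures(results)
    for res in failed:
        print(f"ALERT build={res.build_id} resource={res.resource_id} "
              f"check={res.check} {res.detail}", file=out)
    return len(failed)


def exit_code(results):
    """Non-zero fails the pipeline stage so a non-compliant build does not proceed."""
    return 1 if failures(results) else 0


if __name__ == "__main__":
    res = run_checks(SAMPLE_INVENTORY, build_id="build-42")
    for line in to_log_lines(res):
        print(line)
    alert(res)
    sys.exit(exit_code(res))
```

Run it as a pipeline step immediately after provisioning. The tags let a log platform slice results per standard and per build, the alerts are what notifies someone when a check fails, and the exit code is what actually stops a non-compliant build from moving forward, which is the difference between an information radiator and a control.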

Hire great people. Cast a vision, communicate desired outcomes, define clear objectives, give them the resources to be successful, give them rules of engagement and stay involved.

Great people make mistakes. And even great people sometimes do not know what to do. Security frameworks help mitigate oversights and mistakes, and provide guidance when people are in new, different and complex situations.

I drink a lot of caffeinated coffee and tea. And I’m on airplanes a lot. Drinking coffee and tea. I’m making a commitment to write more articles in 2020 – and increase the number of speaking engagements at which I drink coffee and tea. It is material we discuss every day at Trility and with our clients. It is material that you may find helpful as well. If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or we can send you an email

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us.


A Repeatable, Custom Solution for CCPA

How to Comply with CCPA Requirements

In this video, you’ll gain a high-level understanding of how your organization can comply with the California Consumer Privacy Act (CCPA) using a solution-based approach.

California Consumer Privacy Act: Solution Approach

1:00-3:29 | Defining the Business Problem

You’ll gain a basic understanding of the business problem CCPA presents to organizations by looking at it from two perspectives: The consumer making a request and an internal employee who is tasked with responding to the consumer request.

Demonstration of a Solution Approach to CCPA

3:30-5:42 | Consumer Request

You’ll walk through how a consumer would make a CCPA request from your website. CCPA requires organizations that sell personal information to provide a “Do Not Sell My Personal Information” link on their websites so the consumer can opt out; consumers can also request that their personal information be deleted, or that the personal information collected about them be shown to them.

5:42-10:00 | Internal Process

This section of the video shows how an internal team member can review and respond to a consumer requesting to have their information shown to them. This solution approach also allows for a manual review process that can be integrated with an automated one.

Not sure if CCPA applies to you?

Take a free assessment to determine if this privacy law impacts your business.


Simplify Compliance Management with New Features in Cybersecurity Solution

July 12, 2019, DES MOINES, IA – Trility Consulting® has launched two new features for the IronBench Compliance Navigator™ product, which is built to enable centralized management and reporting of your organization’s alignment to standards. The Trility team originally set out to simplify how their own teams understand, implement, manage and audit today’s information security/regulatory compliance requirements while building solutions for their clients. This effort produced a number of new software products, including IronBench Compliance Navigator.

IronBench Compliance Navigator

“Our IronBench Compliance Navigator product targets organizations that want a simple, light-weight and centralized method of managing their organization’s compliance efforts without the complexity and cost many folks experience today. People want the flexibility to handle multiple standards, audits, projects and teams at the same time, understand at a glance where risk exposures exist and to know that as people come and go, data and history will not be lost because a spreadsheet left with the last exiting team member,” says Matthew Edwards, CEO of Trility.


“We’ve seen the plight of the information security folks who get left behind learning about projects, risks and issues in arrears. We’ve seen amazing people doing amazing things to keep up and ensure their organization is prepared for the next audit or attack. We think it should be easier. That’s why we built IronBench Compliance Navigator.” 

What does IronBench Compliance Navigator offer?

  • The California Consumer Privacy Act (CCPA) module shows companies what is required of them to meet California’s new consumer protection law and provides an intuitive, centralized method of managing and reporting your company’s status against this law today and into the future. Take a 1-minute, free assessment to determine if this law impacts your company. If it does, the CCPA module within IronBench Compliance Navigator helps you manage your ongoing compliance requirements in a simple, easy-to-understand manner.
  • The Payment Card Industry Data Security Standard (PCI DSS) module shows companies what is required of them to meet today’s payment card industry requirements in an intuitive, centralized method of management and reporting. If your company accepts credit cards as a form of payment, you are expected to evidence compliance regularly. This module helps companies understand what is required, as well as helps manage your organization’s on-going compliance status in a low-friction, easy-to-use experience year after year.
  • The NIST Cybersecurity Framework (NIST CSF) module shows private sector companies, in everyday language and concepts, what is recommended in order to prevent, detect and respond to cyber incidents in today’s critical technology infrastructure. If you are looking for a centralized, easy-to-understand method of aligning your organization to the NIST CSF, this module guides you through the material and enables you to manage your organization’s alignment as your company, your industry and the standard itself change through the years.

    To get started, you can also take a free Maturity Assessment to understand where your organization is along the path to alignment with the NIST CSF. 

IronBench Compliance Navigator guides you through the process of identifying which standards apply to you, where your organization is strong and where it needs work, as well as helps you identify possible solutions to increase your preparedness along the way. Customer benefits include:

  • Track all compliance requirements, risks and responses in one secure location that’s accessible to all of your teams anytime, anywhere
  • Track your organization against multiple standards at the same time, in the same tool, year after year – change history included
  • Stay on top of new regulatory compliance standards in the marketplace, as well as changes to existing standards against which you currently manage your organization
  • Delegate responsibility to others to acquire answers instead of having to personally perform each and every step manually

Create a free account to view the available tools in the IronBench Cybersecurity Suite and purchase only the ones relevant to your organization. If you’re interested in a white-label solution or an enterprise version of this tool that meets your specific needs, contact us.

The IronBench Cybersecurity Suite of tools, as well as all associated patents and trademarks, are wholly-owned by IronBench LLC. IronBench and Trility Consulting, as well as all associated patents and trademarks, are wholly-owned subsidiaries of Trility Group Holdings, Inc. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward-thinking global businesses.