This post was jointly authored by Vivian Vitale, EVP of Human Resources, and Maria Loughlin, VP of Engineering at Veracode.

Don't Let Security Programs Get Lost in Translation

Successful security programs start by articulating the why, because employees take ownership of security when they understand why it is critical to their business. The key next step is translating security principles into pragmatic business practices. These practices vary by function and by the work at hand. For example, what does "least privilege" mean to an operations employee? What does "confidentiality" mean to an HR employee? What does "data integrity" mean to a marketer? Without that translation, security initiatives get lost, leaving employees confused and annoyed at having to adopt new practices whose purpose they do not see.

Empower employees across departments and job functions to answer these questions and embrace the related concepts. They know their systems and processes. They are accountable for implementing secure practices, and for reminding each other when corrections are needed. If you are leading a security initiative, play the role of coach by guiding security discussions, proposing best practices and providing IT and systems support.

Here are a few examples of how Veracode takes this pragmatic approach to implementing security programs:

The Marketing department is motivated to present Veracode's brand and content in fresh, appealing formats. What better way than to embed stylish new plug-ins for a website or blogging platform such as WordPress or Drupal? With basic security training, the team understands third-party risk: a vulnerability in an embedded plug-in is a vulnerability in the site, and it can expose confidential data just as a flaw in our own code would. With this awareness, the team has implemented a review and approval process with Security prior to using any new plug-in, product or technology. This constraint has a cost, since it slows the team's adoption of new initiatives, but Marketing has learned to plan ahead and schedule the review time into projects.

Veracode's Operations team configures scans and reviews results for quality. Team members have access to sensitive data, such as the login credentials used for web application scans, and they define processes that include security best practices. For example, such credentials are stored only on an access-restricted file system and are never sent over email or pasted into shared systems such as tickets or chat. When Veracode adds a new scan service, the Operations team takes ownership of building security into the new workflow rather than retrofitting it later.

The Human Resources team protects employee privacy at all times. This extends beyond workplace concerns to personal confidentiality, like not sharing employee information, even an address, without that employee's permission. Confidentiality regarding all personal information is built into all HR systems and practices.

Other departments, such as Sales, Services, Support, Engineering and IT, work with additional systems and processes. They make decisions every day that keep their work secure. In a successful security program, these teams are supported by Security and empowered to find practical ways to implement security principles. This approach makes every employee accountable, ensures processes are practical and supports the evolution of practices over time, ultimately allowing everyone to speak the same language.


About Maria Loughlin

As VP of Engineering, Maria manages the development teams for Veracode’s cloud-based platform and Web Application Security products. Maria joined Veracode in 2012 with 20 years of technical and management experience in companies that include Fidelity Information Services, Memento, Kronos, Open Market and Digital Equipment Corporation. She is known for her high energy, optimism, and pragmatism, and can always be counted upon to call out the elephant in the room! At home Maria appreciates her husband’s hot and spicy cooking and the unfolding drama of parenting tween boys. Maria can be found on Twitter as @marialoughlin.
